Recent Posts ¶

See all posts ordered by date

Password Protecting Files and Folders using .htaccess

Ronald MacDonald <> Mon May 03 09:22:16 GMT 2010


It is possible, with the Apache WWW server, to protect files and folders by simple HTTP authentication.


Password protecting files and folders is carried out in two steps:

  1. Creating a file to store the username/password information
  2. Creating the .htaccess file within the directory you wish to protect.

Password File creation

The .htpasswd file will contain a username and a password, separated by a colon (:) - one per line. The password in the file is encrypted.

The following command, available with most binary distributions of Apache (including OS X), will offer you the option of creating the file yourself:

htpasswd -c .htpasswd [username]

Alternatively you may try the online tool at

Using .htaccess files on Windows

The file .htaccess essentially does not have a filename.

Windows will not allow you to save the file as .htaccess, since it requires the [filename].[extension] syntax to each and every file.

Do not worry! Simply save the file as a.htaccess, and read on.

Now upload the file to the web server, making sure it is placed outside the Web root of the site if possible. If the .htpasswd file cannot be placed outside the web root, name it something not easily guessable - e.g. .adduqp2.

If you uploaded the file (from Windows) as a.htaccess, now’s the time to rename the file to .htaccess.

Creating the .htaccess file

To utilise the .htpasswd file, it must first be “recognised” by creating a .htaccess file. Create this in the directory to be protected.

Protecting folders

The following must be inserted into the .htaccess file:

AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "Secret Folder"
Require valid-user

/full/path/to/.htpasswd is the full path to the .htpasswd file that you created. The full path is the path from the Web server’s root - not the site’s. The example .htaccess file will password protect all files and folders below in the folder that it is placed in.


If you use a web-based administration interface on your site, double check you’ve done everything above correctly - otherwise, you’ll block yourself out!

Protecting Individual Files

To password protect just a single file in a folder, use the following configuration in the .htaccess file:

AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "Secret Page"
<Files "secret.html">
    Require valid-user

This will password protect just the secret.html file in the folder where you put the .htaccess file.


If you can’t access your data and the dialog keeps popping up, check that you entered the username and password correctly. If it still doesn’t work, check the path to your .htpasswd file on the server - make sure the path specified in the AuthUserFile directive is correct. Also make sure that both the .htpasswd and .htaccess files are readable by the Web server user (chmod 644 should do the trick for UNIX/Linux/FreeBSD servers).

If the password protection isn’t working (i.e. you can still access your stuff without needing to enter a username/password), check that you uploaded your .htaccess file to the right folder. Also check that your web server supports .htaccess password protection (it needs to be an Apache server, and your server admin needs to have enabled the AuthConfig override for the site).

Password Protecting Additional Content

AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "Secret Page"
<Files "secret.html">
    Require valid-user
<Files "private.html">
    Require valid-user

You’re not restricted to just one username/password. If you want to add more users, simply repeat the "Creating the password file" procedure above, but add each new username/password line to your existing .htpasswd file, e.g.:


Alternatively, if you’ve got shell access to the server, then you can add extra users with the command:

htpasswd .htpasswd [username]
Further info

For further information see the Apache mod_auth documentation.