.htaccess 101: how to password protect a directory
What’s the easiest way to make an .htaccess file in Unix/Linux so that a directory is password protected? Suppose that your home directory is /home/matt and all your webstuff is in /home/matt/www/ . Follow these steps:
- Make an .htpasswd file. The htpasswd command in Unix does this. You should put the password file outside of your web directory. So a command like “htpasswd -bc /home/matt/.htpasswd review donotenter” will create a new file using a username of review and a password of donotenter into the file /home/matt/.htpasswd . If you were to run the command “cat /home/matt/.htpasswd” you might see a line like “review:M1OdtjdGiDn1Y”.
- Make an .htaccess file. In this case, the file would be located at /home/matt/www/.htaccess and it would look something like
AuthUserFile /home/matt/.htpasswd
AuthName EnterPassword
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
You might need to fiddle with file permissions a little bit. My .htaccess file was readable by all, and my .htpasswd file was readable by all as well.
Update: I edited the suggested .htaccess file a bit.
Rob Said,
August 11, 2005 @ 5:32 am
Your .htaccess just needs to be readable by apache, so it should share the same permissions as everyone else. Ultimately though, nearly all apache configurations will never serve up .ht*, so you have little to worry about. And even if you could read .htpasswd, it’s going to take an amount of brute forcing to discover your password.
Not that google have any shortage of computing power
Sylvain Said,
August 11, 2005 @ 7:54 am
htaccess solution is one of the easiest to use (i think)
my advice is to combine with others solutions… maybe session solutions
Anthony Said,
August 17, 2005 @ 7:40 pm
I was trying this out on my site @ http://www.onlinemortgageadvice.org/admin I have chmod 777 .htpasswd and even chmod 777 .htaccess and it never takes the password, keeps on rejecting me and I have changed the password a few times.
Anthony Said,
August 17, 2005 @ 8:34 pm
An update. For some reason both directories had to be chmod 655, that was the only way to make it work.
Gary Beal Said,
August 23, 2005 @ 5:48 pm
You should know by know bad publicity is good publicity. As a marketing vp I see this all the time. For example:
I found this here; http://blog.searchenginewatch.com/blog/050823-105422
# Google Dominant: The report has top search engines for the week of July 23, 2005, based on share of visits. Similar to what our Hitwise stats posted show, Google is top ranked, with more than double the share of its closest competitor, Yahoo.
# Image Search Grows: The report says Google Image Search nearly doubled and Yahoo Image Search more than doubled traffic when comparing the week of July 23, 2005 to the same period in 2004.
# Google’s Share Growing: Based on share of actual searches, Google is reported to have grown from 51.9 percent in July 2004 to 59.2 percent in July 2005. Over the same period, Yahoo and MSN saw decreases.
# Shopping Top Downstream Destination: Across the board, people head to shopping and classified sites more than any other types, after doing a search. Entertainment and Business & Finances are also popular categories.
# Portals Power Search: Yahoo and MSN are shown to get a significant number of searches from those who start out on their portal pages (FYI, a slight skew here in my opinion. Many searching from http://www.yahoo.com may not consider themselves starting from the “portal” home page since for most people, that does double-duty as the main Yahoo search page despite the existance of search.yahoo.com).
# Insight Into Driving Network Traffic: The report notes that Yahoo manages to drive 8 percent of searches back into its own network. Google drives 7 percent of its traffic to Google-related sites, with Google Images the top destination among these, getting 5 percent of the share.
# Yahoo Local Greater Than Google Local: Yahoo’s local search had four times the visits of Google’s local search, though Google’s service has grown 61 percent over the past six months. Local searchers are also slightly more likely to be female.
# Yahoo & Ask Local For Maps: Yahoo and Ask were found to be driving most traffic to their map sites, while Google was driving traffic to a range of sources, including Yahoo and SuperPages.
# Query Terms: Queries are generally one to two words long except for Ask, where its history of encouraging users to ask questions generates queries typically three or more words in length.
# Top Queries: Navigational terms rule on the search engines, with top queries often those for sites such as eBay or Mapquest. Top term on Yahoo and MSN? The name of their chief rival — Google! Ask is notable for not having its top list be dominated by navigational queries.
# Demographics: Google is slightly more male in terms of users, with Ask being more female. Yahoo is more younger; MSN more older, in terms of audience profiles. Google’s got the highest number of visitors with incomes over $100,000
I’m sure you already know where this came from. Is this good or bad? Was it posted in a ‘Google Hate’ forum or ‘I love Google’ forum’?
Does it matter?
Whoever your PR and Marketing guys are (oh, and your Legal Dept.), they obviously work on a “who else can we put this decision on?” hierarchy.
And your Marketing VP and COO are the the ****, because these are some of the best techniques I have ever seen vs. Fortune 500 marketing decisions.
Before I go I must say, your comment,”don’t worry, I didn’t let them near the big red button we use to begin the index update Google Dance” had me laughing harder than when my 3 yr. old crapped in the tub and thought it was a Sponge Bob character.
chow!
nq Said,
August 27, 2005 @ 3:04 pm
@ gary nice….
Jan Chilton Said,
September 2, 2005 @ 1:48 am
Hi Matt,
Can’t tell you how tickled I was to find out about your blog tonight…I’ve been reading for over an hour already. I saw this posting about the HTAccess and wanted to try and ask you something…
I host my clients’ accounts with Pair.com, and do websites by hand using notepad. Being self taught, I’m not able to do some things…like CGI scripts and such, and I’ve always relied on using FrontPage for one thing…doing contact forms on the sites.
I recently tried to implement the 301 Redirect to protect the sites from the www versus non-www problems, and found through numerous tries by myself and Pair’s techs that using an HT Access will disable any Frontpage forms on the site. They don’t have an answer to the problem, and I can’t use it to protect from problems. Can you offer some other alternative? I’m scared to death that some or all of my sites are going to end up getting penalized over this. Some of my competitors are really nasty.
By the way, I’m going to help the cause (though not needed) and link my blogs to yours. I just love reading you!
Jan
DDS Web Design Blog Said,
October 21, 2005 @ 7:40 am
useful info…i try to supply the same useful type of info on my blog as well, i love your blog matt, it rocks!
Web Site Design Said,
November 8, 2005 @ 6:08 am
Can you alter ht files using php from a database?
Freelancer Said,
December 31, 2005 @ 6:56 am
Here is a code which generate htaccess and htpass
” . nl2br($htaccess_txt) . “” . nl2br($htpasswd_txt));
}
?>
MAKE .htaccess + .htpasswd
“>
Username:
Passwort:
Chung Said,
January 4, 2006 @ 6:05 am
Thanks for the code Freelance
Hoodia Said,
January 8, 2006 @ 3:52 am
freelance
that code is handy, thanks for sharing
Top Rankings Said,
January 8, 2006 @ 6:44 am
Cheers freelance, that will come in handy.
vary Said,
February 17, 2006 @ 2:20 am
in default, you can’t create .htpasswd file in windows system, but you can create it width editplus.
Chung Said,
February 22, 2006 @ 2:08 am
For noobs like me
http://www.editplus.com/
Cragi Said,
March 23, 2006 @ 11:09 am
Editplus is good, use them a lot for htaccess
slow Said,
April 10, 2006 @ 11:12 am
Why bother with editplus (evaluation) when you can get PSPad for free and does much more?
Give it a try, good freeware soft:
http://www.pspad.com/en/
Web Server Said,
April 12, 2006 @ 3:36 pm
I have tried many time on windows server, no luck, after rechecking your article, I just found it was for windows !!!
Gerd Said,
May 16, 2006 @ 3:11 am
It works fine on Linux/Unix systems. For windows plattform you should use the windows authentification. If you need a user management you have to use a script esp. php or asp
John Said,
May 20, 2006 @ 10:46 am
Nice tutorial matt!
Alen Said,
July 11, 2006 @ 11:23 pm
Here are some amateur question ? Try to answer them even if looks ridiculous.
Does this password could be stup on a windows platform ?
How will set up a password and username in this file ? ( “So a command like “htpasswd -bc /home/matt/.htpasswd review donotenter” will create a new file using a username of review and a password of donotenter into the file /home/matt/.htpasswd ” )
Great information
Thanks
netfreez Said,
August 18, 2006 @ 11:55 pm
I was not able to utilize the code from Freelancer but had enough play with Matt’s original post. Very informative blog, thank you.
hoodia man Said,
August 25, 2006 @ 11:17 pm
Very informative blog going to read everything on seo, intereting to see the development over 2 years
web design Said,
September 5, 2006 @ 9:56 pm
Thanks for the information but using PLESK you can do the same with easy.
Shaq Said,
October 5, 2006 @ 11:22 pm
Be very careful with htaccess as it can screw up your whole site especially if your running things like CMSs with seo friendly urls.
WebMaster ToolBox Said,
October 14, 2006 @ 12:04 pm
cPanel has an option to do it automatically. You click on the folder you wanted protected and the username/passwords you want to accept and bam! Your done.
Siva Said,
November 1, 2006 @ 7:34 am
Unfortunately I’m using shared Linux server where I cant try this option on my own. But soon I’m going to take dedicated server to host all my company websites. Then definitely I will try this..
Thanks Matt
lazer epilasyon Said,
December 18, 2006 @ 10:52 am
i have a htaccess question. is it possible to completely protect swf files? i could never done it
kraloyun kral oyun Said,
December 31, 2006 @ 12:52 pm
htaccess is best solution for directory permissions i think
Protrox Said,
February 14, 2007 @ 5:23 pm
I love this article, it helped me modifying my HT access. Thanks guys, a lot of helpful info :O
Afzal Said,
February 26, 2007 @ 5:11 am
I am new to this htaccess business, i am in the proces of building a website with web hosting company. I have managed to create the pop up box and everyting, but i cannot seem to get my head the on why it does not accept the encryted login.
I have been reading a lot on ht access, and some of it, is not making much sence.
Do i have to install PHP, Apache on my Windows O/S.
Can someone please advice
Jenny W Said,
March 4, 2007 @ 12:45 pm
Afzal, please see
Troubleshooting Apache .htaccess Authentication
RUU2 Said,
March 6, 2007 @ 1:12 am
I have created this file, but after pushing f5 he hide. Why and what can I do?
Shaun Anderson Said,
June 2, 2007 @ 9:59 pm
Matt’s first post - Sorry but not as good as Jim’s!
Web Design Architect Said,
June 10, 2007 @ 3:40 am
You don’t need Cpanel to protect a directory. Just use this in your htaccess and place it in the folder you want to protect.
AuthType Basic
AuthName “username”
AuthUserFile “/home/directory/.htpasswds/username/password”
require valid-user
Luxury Blog Said,
June 27, 2007 @ 12:37 am
I have tried many time on windows server, no luck, after rechecking your article, I just found it was for windows !!!
| SEO | Said,
July 14, 2007 @ 10:48 am
Shaun, Mutts is much better than Jim’s
youtube Said,
August 15, 2007 @ 2:29 am
Thanks for the code Freelance
Dalaman property Said,
August 31, 2007 @ 8:52 am
I have the Linux too so I cant try this one.Maybe another time…
doudou Said,
September 2, 2007 @ 11:32 am
I’m not sure to read something about this but of course don’t forget to protect the pass directory with a “deny for all”
km Said,
September 6, 2007 @ 7:20 pm
Thanks for the code, I think this is most easier to protect password on apache server
Jason Neri Said,
September 11, 2007 @ 5:54 pm
HELP… im trying to use htaccess to protect a directory on my website but i dont know why its not working.. i am using a website hosted by http://www.mydomain.com and i have had this up and running before on my own server based on my home computer. the new server host is apache and supports this but i think im getting the actual location of the htpasswd file wrong or something because now when i go to the protected directory the username and password dont work at all i get a 401 error. and since its an ht file i cant even delete it to get access back as normal…any ideas?
Jason Neri Said,
September 11, 2007 @ 6:04 pm
i even tried putting the .htpasswd and .htaccess in the same directory and making it look right in that directory lol… i hate this
jen Said,
October 2, 2007 @ 4:35 pm
Exactly what I was looking for. Thanks Matt, always able to answer my questions!
Hoodia Said,
November 26, 2007 @ 3:45 pm
I also have this problem
Use hosting godaddy.com and htaccess doesn’t work.
wrote to support
answer:
We cannot assist with the coding of an .htaccess file. In this case you will need to use a search engine to determine the correct coding of this file.
And that’s support?
seksuel Said,
November 27, 2007 @ 5:36 am
Unfortunately I’m using shared Linux server where I cant try this option on my own. But soon I’m going to take dedicated server to host all my company websites. Then definitely I will try this..
Geciktirici Sprey Said,
December 10, 2007 @ 3:07 am
HELP… im trying to use htaccess to protect a directory on my website but i dont know why its not working.. i am using a website hosted by http://www.mydomain.com and i have had this up and running before on my own server based on my home computer. the new server host is apache and supports this but i think im getting the actual location of the htpasswd file wrong or something because now when i go to the protected directory the username and password dont work at all i get a 401 error. and since its an ht file i cant even delete it to get access back as normal…any ideas?
Mynet VDO Said,
December 10, 2007 @ 3:09 am
I have tried many time on windows server, no luck, after rechecking your article, I just found it was for windows !!!
Alışveriş Said,
December 10, 2007 @ 3:24 am
I was not able to utilize the code from Freelancer but had enough play with Matt’s original post. Very informative blog, thank you.
Alışveriş Said,
December 28, 2007 @ 5:51 am
have tried many time on windows server,
webtechnepal Said,
January 15, 2008 @ 8:45 pm
Hmm nice, normally I used cpanel and folder protect password. Anyway let me try this one. Thank you!
geciktirici sprey Said,
January 21, 2008 @ 1:03 am
htpasswd file wrong or something because now when i go to the protected directory the username and password dont work at all i get a 401 error. and since its an ht file i cant even delete it to get access back as normal…any ideas?
Goran Giertz Said,
February 11, 2008 @ 11:43 am
How can we embed a link on a website with the password already entered so visitors that come through a particular site dont need to insert the password.