.htaccess 101: how to password protect a directory

What’s the easiest way to make an .htaccess file in Unix/Linux so that a directory is password protected? Suppose that your home directory is /home/matt and all your webstuff is in /home/matt/www/ . Follow these steps:

  1. Make an .htpasswd file. The htpasswd command in Unix does this. You should put the password file outside of your web directory. So a command like “htpasswd -bc /home/matt/.htpasswd review donotenter” will create a new file using a username of review and a password of donotenter into the file /home/matt/.htpasswd . If you were to run the command “cat /home/matt/.htpasswd” you might see a line like “review:M1OdtjdGiDn1Y”.
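  2. Make an .htaccess file. In this case, the file would be located at /home/matt/www/.htaccess and it would look something like:
    # Password file created in step 1 (kept outside the web directory)
    AuthUserFile /home/matt/.htpasswd
    # Realm name shown in the browser's login prompt
    AuthName EnterPassword
    AuthType Basic
    # No <Limit> wrapper: the requirement then applies to every HTTP method, not only GET and POST
    require valid-user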

You might need to fiddle with file permissions a little bit. My .htaccess file was readable by all, and my .htpasswd file was readable by all as well.

Update: I edited the suggested .htaccess file a bit.
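
A small auditor for this setup, added here as an example (it is not code from the original post). It reports a `require` that is scoped to specific methods by `<Limit>`, a password file placed inside the web directory, and the hash scheme of each .htpasswd entry. The function names, verdict labels and sample strings are this example's own; the samples are constructed, using the paths and the hash line quoted in step 1, and the .htaccess sample deliberately wraps `require` in `<Limit GET POST>` to show what the check reports.

```python
import posixpath
import re

def classify_hash(h):
    """Return (scheme, verdict) for the hash field of an .htpasswd line."""
    if re.match(r"\$2[aby]\$", h):
        return ("bcrypt", "ok")
    if h.startswith("$apr1$"):
        return ("apr1-md5", "legacy")
    if h.startswith("{SHA}"):
        return ("sha1-unsalted", "insecure")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return ("crypt-des", "insecure")  # crypt() uses only 8 password chars
    return ("unrecognized", "review")

def audit_htpasswd(text):
    """Map each user name to the (scheme, verdict) of its stored hash."""
    result = {}
    for line in map(str.strip, text.splitlines()):
        if ":" in line and not line.startswith("#"):
            user, h = line.split(":", 1)
            result[user] = classify_hash(h)
    return result

def audit_htaccess(text, docroot):
    """Return findings for the Basic-auth directives in an .htaccess file."""
    docroot, findings, limited = posixpath.normpath(docroot), [], None
    for line in map(str.strip, text.splitlines()):
        opened = re.match(r"<Limit\s+([^>]*)>", line, re.I)
        if opened:
            limited = opened.group(1).split()
        elif re.match(r"</Limit>", line, re.I):
            limited = None
        elif re.match(r"require\s", line, re.I) and limited is not None:
            findings.append("require applies only to: " + " ".join(limited))
        elif re.match(r"AuthUserFile\s", line, re.I):
            path = posixpath.normpath(line.split(None, 1)[1].strip('"'))
            if path.startswith("/") and posixpath.commonpath([docroot, path]) == docroot:
                findings.append("password file inside web root: " + path)
    return findings

# Constructed samples: the paths and the hash line follow the post's example.
SAMPLE_HTACCESS = """AuthUserFile /home/matt/.htpasswd
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>"""
SAMPLE_HTPASSWD = "review:M1OdtjdGiDn1Y"
if __name__ == "__main__":
    print(audit_htaccess(SAMPLE_HTACCESS, "/home/matt/www"), audit_htpasswd(SAMPLE_HTPASSWD))
```

A 13-character hash field such as the one in step 1 is the traditional crypt() format; `htpasswd -B` writes bcrypt entries instead on Apache 2.4.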

58 Responses to .htaccess 101: how to password protect a directory

  1. Your .htaccess just needs to be readable by apache, so it should share the same permissions as everyone else. Ultimately though, nearly all apache configurations will never serve up .ht*, so you have little to worry about. And even if you could read .htpasswd, it’s going to take an amount of brute forcing to discover your password.

    Not that google have any shortage of computing power 🙂

  2. htaccess solution is one of the easiest to use (I think)
    my advice is to combine with other solutions… maybe session solutions 🙂

  3. I was trying this out on my site @ http://www.onlinemortgageadvice.org/admin I have chmod 777 .htpasswd and even chmod 777 .htaccess and it never takes the password, keeps on rejecting me and I have changed the password a few times.

  4. An update. For some reason both directories had to be chmod 655, that was the only way to make it work.

  5. You should know by now bad publicity is good publicity. As a marketing vp I see this all the time. For example:
    I found this here; http://blog.searchenginewatch.com/blog/050823-105422

    # Google Dominant: The report has top search engines for the week of July 23, 2005, based on share of visits. Similar to what our Hitwise stats posted show, Google is top ranked, with more than double the share of its closest competitor, Yahoo.

    # Image Search Grows: The report says Google Image Search nearly doubled and Yahoo Image Search more than doubled traffic when comparing the week of July 23, 2005 to the same period in 2004.

    # Google’s Share Growing: Based on share of actual searches, Google is reported to have grown from 51.9 percent in July 2004 to 59.2 percent in July 2005. Over the same period, Yahoo and MSN saw decreases.

    # Shopping Top Downstream Destination: Across the board, people head to shopping and classified sites more than any other types, after doing a search. Entertainment and Business & Finances are also popular categories.

    # Portals Power Search: Yahoo and MSN are shown to get a significant number of searches from those who start out on their portal pages (FYI, a slight skew here in my opinion. Many searching from http://www.yahoo.com may not consider themselves starting from the “portal” home page since for most people, that does double-duty as the main Yahoo search page despite the existence of search.yahoo.com).

    # Insight Into Driving Network Traffic: The report notes that Yahoo manages to drive 8 percent of searches back into its own network. Google drives 7 percent of its traffic to Google-related sites, with Google Images the top destination among these, getting 5 percent of the share.

    # Yahoo Local Greater Than Google Local: Yahoo’s local search had four times the visits of Google’s local search, though Google’s service has grown 61 percent over the past six months. Local searchers are also slightly more likely to be female.

    # Yahoo & Ask Local For Maps: Yahoo and Ask were found to be driving most traffic to their map sites, while Google was driving traffic to a range of sources, including Yahoo and SuperPages.

    # Query Terms: Queries are generally one to two words long except for Ask, where its history of encouraging users to ask questions generates queries typically three or more words in length.

    # Top Queries: Navigational terms rule on the search engines, with top queries often those for sites such as eBay or Mapquest. Top term on Yahoo and MSN? The name of their chief rival — Google! Ask is notable for not having its top list be dominated by navigational queries.

    # Demographics: Google is slightly more male in terms of users, with Ask being more female. Yahoo is more younger; MSN more older, in terms of audience profiles. Google’s got the highest number of visitors with incomes over $100,000

    I’m sure you already know where this came from. Is this good or bad? Was it posted in a ‘Google Hate’ forum or ‘I love Google’ forum’?

    Does it matter?

    Whoever your PR and Marketing guys are (oh, and your Legal Dept.), they obviously work on a “who else can we put this decision on?” hierarchy.

    And your Marketing VP and COO are the ****, because these are some of the best techniques I have ever seen vs. Fortune 500 marketing decisions.

    Before I go I must say, your comment,”don’t worry, I didn’t let them near the big red button we use to begin the index update Google Dance” had me laughing harder than when my 3 yr. old crapped in the tub and thought it was a Sponge Bob character.

    chow!

  6. @ gary nice….

  7. Hi Matt,
    Can’t tell you how tickled I was to find out about your blog tonight…I’ve been reading for over an hour already. I saw this posting about the HTAccess and wanted to try and ask you something…

    I host my clients’ accounts with Pair.com, and do websites by hand using notepad. Being self taught, I’m not able to do some things…like CGI scripts and such, and I’ve always relied on using FrontPage for one thing…doing contact forms on the sites.

    I recently tried to implement the 301 Redirect to protect the sites from the www versus non-www problems, and found through numerous tries by myself and Pair’s techs that using an HT Access will disable any Frontpage forms on the site. They don’t have an answer to the problem, and I can’t use it to protect from problems. Can you offer some other alternative? I’m scared to death that some or all of my sites are going to end up getting penalized over this. Some of my competitors are really nasty.

    By the way, I’m going to help the cause (though not needed) and link my blogs to yours. I just love reading you!

    Jan

  8. Useful info… I try to supply the same useful type of info on my blog as well. I love your blog Matt, it rocks!

  9. Can you alter ht files using php from a database?

  10. Here is code which generates htaccess and htpass

    ” . nl2br($htaccess_txt) . “” . nl2br($htpasswd_txt));

    }

    ?>
    MAKE .htaccess + .htpasswd

    “>
    Username:
    Passwort:

  11. Thanks for the code Freelance

  12. freelance

    that code is handy, thanks for sharing

  13. Cheers freelance, that will come in handy.

  14. By default, you can’t create an .htpasswd file on a Windows system, but you can create it with EditPlus.

  15. For noobs like me 🙂 http://www.editplus.com/

  16. Editplus is good, use them a lot for htaccess

  17. Why bother with editplus (evaluation) when you can get PSPad for free and does much more?

    Give it a try, good freeware soft:
    http://www.pspad.com/en/

  18. I have tried many times on windows server, no luck, after rechecking your article, I just found it was for windows !!!

  19. It works fine on Linux/Unix systems. For the Windows platform you should use the Windows authentication. If you need user management you have to use a script, esp. php or asp

  20. Nice tutorial matt!

  21. Here are some amateur questions. Try to answer them even if they look ridiculous.

    Could this password be set up on a Windows platform?
    How will I set up a password and username in this file? ( “So a command like “htpasswd -bc /home/matt/.htpasswd review donotenter” will create a new file using a username of review and a password of donotenter into the file /home/matt/.htpasswd ” )

    Great information
    Thanks

  22. I was not able to utilize the code from Freelancer but had enough play with Matt’s original post. Very informative blog, thank you.

  23. Very informative blog, going to read everything on seo, interesting to see the development over 2 years

  24. Thanks for the information but using PLESK you can do the same with ease.

  25. Be very careful with htaccess as it can screw up your whole site, especially if you’re running things like CMSs with seo friendly urls.

  26. cPanel has an option to do it automatically. You click on the folder you want protected and the username/passwords you want to accept and bam! You’re done.

  27. Unfortunately I’m using a shared Linux server where I can’t try this option on my own. But soon I’m going to take a dedicated server to host all my company websites. Then definitely I will try this..

    Thanks Matt 🙂

  28. I have a htaccess question. Is it possible to completely protect swf files? I could never do it 🙁

  29. htaccess is best solution for directory permissions i think

  30. I love this article, it helped me modifying my HT access. Thanks guys, a lot of helpful info :O

  31. I am new to this htaccess business, I am in the process of building a website with a web hosting company. I have managed to create the pop up box and everything, but I cannot seem to get my head around why it does not accept the encrypted login.

    I have been reading a lot on ht access, and some of it is not making much sense.

    Do I have to install PHP, Apache on my Windows O/S?

    Can someone please advise

  32. I have created this file, but after pushing f5 he hide. Why and what can I do?

  33. Matt’s first post – Sorry but not as good as Jim’s!

  34. You don’t need Cpanel to protect a directory. Just use this in your htaccess and place it in the folder you want to protect.

    AuthType Basic

    AuthName “username”

    AuthUserFile “/home/directory/.htpasswds/username/password”

    require valid-user

  35. I have tried many times on windows server, no luck, after rechecking your article, I just found it was for windows !!!

  36. Shaun, Mutts is much better than Jim’s

  37. Thanks for the code Freelance

  38. I have the Linux too so I can’t try this one. Maybe another time…

  39. I’m not sure to read something about this but of course don’t forget to protect the pass directory with a “deny for all”

  40. Thanks for the code, I think this is most easier to protect password on apache server

  41. HELP… I’m trying to use htaccess to protect a directory on my website but I don’t know why it’s not working.. I am using a website hosted by http://www.mydomain.com and I have had this up and running before on my own server based on my home computer. The new server host is Apache and supports this but I think I’m getting the actual location of the htpasswd file wrong or something because now when I go to the protected directory the username and password don’t work at all, I get a 401 error. And since it’s an ht file I can’t even delete it to get access back as normal… any ideas?

  42. I even tried putting the .htpasswd and .htaccess in the same directory and making it look right in that directory lol… I hate this

  43. Exactly what I was looking for. Thanks Matt, always able to answer my questions!

  44. I also have this problem
    Use hosting godaddy.com and htaccess doesn’t work.
    wrote to support
    answer:
    We cannot assist with the coding of an .htaccess file. In this case you will need to use a search engine to determine the correct coding of this file.

    And that’s support?

  45. Unfortunately I’m using a shared Linux server where I can’t try this option on my own. But soon I’m going to take a dedicated server to host all my company websites. Then definitely I will try this..

  46. HELP… I’m trying to use htaccess to protect a directory on my website but I don’t know why it’s not working.. I am using a website hosted by http://www.mydomain.com and I have had this up and running before on my own server based on my home computer. The new server host is Apache and supports this but I think I’m getting the actual location of the htpasswd file wrong or something because now when I go to the protected directory the username and password don’t work at all, I get a 401 error. And since it’s an ht file I can’t even delete it to get access back as normal… any ideas?

  47. I have tried many times on windows server, no luck, after rechecking your article, I just found it was for windows !!!

  48. I was not able to utilize the code from Freelancer but had enough play with Matt’s original post. Very informative blog, thank you.

  49. have tried many times on windows server,

  50. Hmm nice, normally I used cpanel and folder protect password. Anyway let me try this one. Thank you!

  51. htpasswd file wrong or something because now when I go to the protected directory the username and password don’t work at all, I get a 401 error. And since it’s an ht file I can’t even delete it to get access back as normal… any ideas?

  52. How can we embed a link on a website with the password already entered so visitors that come through a particular site don’t need to insert the password?

  53. Is there any setting in .htaccess to remove session IDS from URL…?

  54. I was not able to utilize the code from Freelancer but had enough play with Matt’s original post. Very informative blog, thank you.


  55. Be careful with htaccess as it can screw up your whole site, especially if you’re running things like CMSs with seo friendly urls.

  56. Thanks I will setup it ASAP. Thanks for the guide. .htaccess password protected
