How to Restrict Access to a Directory Using Password Authentication

/ Updated: Sep 14, 2020 / Apache /
  • 3 out of 5 Stars

This article explains how to restrict access to directories with Basic HTTP Authentication. Basic HTTP Authentication (or Basic Access Authentication) is a simple security mechanism to restrict access to websites or some parts of them by requiring an username and password, which is managed by a visitor's web browser when making a request.

Restricted Area

Generate the password file

At first, you need to create your password file, which will be placed on your server. It can be done by one of two methods:

  1. Using our online .htpasswd generator tool (the easier way).
  2. Using htpasswd utility (the standard way).

Using our online .htpasswd generator

Generating .htpasswd files with our password tool is easy, just enter desired username and password and get the resulting file.

Using htpasswd utility

htpasswd utility is bundled with Apache and allows to create and update the flat-files used to store usernames and password for basic authentication of HTTP users.

htpasswd encrypts passwords using either a version of MD5 modified for Apache, or the system's crypt() routine. Files managed by htpasswd may contain both types of passwords; some user records may have MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt().

Basically, to create password file you need to execute htpasswd with several arguments:

htpasswd -cb passwdfilename username password

where [-c] switch means "create the passwdfile" and [-b] means "get the password from the command line rather than prompting for it". For list of all htpasswd switches invoke htpasswd -h

Online Press Release Service.

Upload your .htpasswd

Now you need to upload password file that you've generated to your web server. For security, you should not upload the .htpasswd file to a directory that is web accessible. Password file should be placed above your www root/htdocs directory. After uploading is complete, you need to find out the full path to this file. Please note that this is not an URL, and this is not a FTP server path, this is a full filepath (on the unix systems it will be something like /home/user/path/.htaccess).

Hint: You can create a small PHP script which outputs the current server path:
echo getcwd();

Create .htaccess directives

Create an .htaccess file in the directory you wish to password protect (if you don't have one yet). If you place this file in your web root directory, it will password protect your entire web site.

The authorization directives may look like this:

AuthName "Restricted area"
AuthUserFile /home/loginname/.htpasswd
AuthType Basic
require valid-user

You should enter path to your .htpasswd file in AuthUserFile line. You can also supply another AuthName (it will be used in a prompt).

Now you can test your password protection. Password will be required for access to the folder you specified and all underlying files and folders.

Get a 15 Day Free Trial at

Rate This Article

How would you rate the quality of this content?
Currently rated: 3 out of 5 stars. 2 users have rated this article. Select your rating:
  • 3 out of 5 Stars
  • 1
  • 2
  • 3
  • 4
  • 5

About The Author

This article was written by Max Bulber specially for the Webmaster Tips & Tools

Related Articles

Web Server

How to Use Mod_rewrite For URL Rewriting in Apache

URL Rewriting is the process of manipulating an URL or a link, which is send to a web server in such a way that the link is dynamically modified at the server to include additional parameters and information along with a server initiated redirection. ..
Web Server

Are You Ready for High Volume Traffic?

Many webmasters wish they got a lot of traffic to their site. A day may come and their website may be very popular in just one day. This could be a reason that unique article is published on their site, or just a simple change in search position results in major search engines. ..
Web Server

Mod_Rewrite For Newbies

This article is not a complete guide to Apache's mod_rewrite neither to .htaccess. Its purpose is to help you - the webmaster - to create "mod_rewritten" versions of your dynamic webpages even if you have limited technical knowledge. ..
Web Server

Apache htaccess for PHP web application deployment

The following is a brief introduction to Apache's htaccess file for web application deployment, distribution, or implementation on shared hosting environments. The Apache htaccess file is not new; however it seems to only be used by more advanced Apache users and web application developers. ..
Web Server

6 Tips To Secure Your Website

Most people on the internet are good, honest people. However, there are some people browsing the internet who derive fun from poking around websites and finding security holes. A few simple tips can help you secure your website in the basic ways. ..
Use 3dcart to create your online store.