How Do I Use .htaccess for Password Protecting Directories and Files?

By Scott Clark

In our last article, we told you what the .htaccess file was used for, and showed you how to use it for custom error pages and index pages. This time we're going to show you how to use it to password protect directories and files.

Since we've already told you how to create and use the .htaccess file on your web host, we're going to get right into the details, this time to password protect a specific directory on your site.

What Code Do I Use To Password Protect My Directory?

First, when you use .htaccess to password protect a directory, your site's visitors will encounter a popup dialog box that requires them to enter a username and password. It looks like this:

If the user doesn't provide the proper login and password, they receive the following error message (which you could customize using .htaccess as well):

Authorization Required
This server could not verify that you are authorized to access the document
 requested. Either you supplied the wrong credentials (e.g., bad password), 
or your browser doesn't understand how to supply the credentials required.
Using .htaccess for password protection is not ideal for all situations. It is something you can use when you are creating a new area on your website, and you only want certain people to have access. You can also use it to allow subscribers to your site to enter a password protected area, once they have subscribed, to perhaps allow them access to documents, images or videos. You may also wish to password protect area where your log files are located, or some other administrator-specific area.

The Code

You'll need to be able to encrype your users' passwords. You can't just use any old encryption--but there are several online tools which allow you to enter a username and password, and they encrypt them for you. The username and password are separated by a colon in a text file that is used by .htaccess. Here are a few of those online encryption tools: The encrypted text it creates will look something like this for a user named jim:
jim:Ob8zOg1SIV7WU
You'll save this single line of text into a file called .htpasswd which, like .htaccess, is really a file with no name, but rather an extension (in this case, htpasswd).

Now we get back to the .htaccess file itself. Aside from anything else you have already entered into the file, you'll need to add the following to it, changing some variables for the names and directories you're actually using:

AuthUserFile /path/to/yoursite/.htpasswd
AuthType Basic
AuthName "Password Protected"
Require valid-user
The AuthUserFile path needs to be the actual path to your website on your web host. You can name AuthName pretty much anything you want, for reference. Using this code will password protect the directory, and any subdirectories under it. If you only want to password protect a single file, you just change where you place the Require valid-user like this:
<Files "secretpage.html">
  Require valid-user
</Files>
The entire thing would look like this:
AuthUserFile /path/to/yoursite/.htpasswd
AuthType Basic
AuthName "Password Protected"
<Files "secretpage.html">
  Require valid-user
</Files>
So now you know how to use .htaccess to password protect files and directories, custom error pages and index pages. Next time we'll show you how to allow or ban users based on their IP addresses.

Make a Comment

Loading Comments...

  • Web Development Newsletter Signup

    Invalid email
    You have successfuly registered to our newsletter.
  •  
  •