Use .htaccess to Password-Protect Your Web Pages and Files

The most secure method of password protection

With htaccess, you can password-protect any page or directory on your web server, or even the entire website. Htaccess is the most secure method of password protection; because it relies on the web server, the valid usernames and passwords are never shared with the web browser or stored in the HTML as they can be with other scripts.

On websites that use this method, visitors see a pop-up prompt to enter a username and password. Any visitor who doesn't know the password can't enter the site. This provides some security and lets you control access to your web pages.

The .htaccess method is only one of many ways to password-protect your site. Others rely on PHP, JavaScript, and other languages, scripts, and approaches.

When Should You Password-Protect Pages?

You might use password protection to:

  • Hide new versions of your website from the public until they are ready to launch.
  • Protect private sections of your website so that only people you know and trust can read them.
  • Provide paid content to your customers and allow access only via a password.
  • Create a private forum for select readers.

How to Password-Protect Your Web Pages With .htaccess

This strategy involves two steps: creating a password file to store usernames and passwords, and creating an .htaccess file in the directory you want to protect or in the directory that contains the file you want to protect. Here's how:

  1. Using a text editor such as macOS's TextEdit or Windows' Notepad, create a new text file called .htpasswd.

    Be sure to include the period at the beginning of the filename.

  2. Save the file in ASCII format, with no file extension. The filename should be .htpasswd—nothing more.

  3. Into your .htpasswd file, paste each username and password, one per line, in this format:

    username:encryptedpassword

    For example:

    maryj:oWBaTERw
    johnjones:fUJAUDIc

    Use a password-encryption program to create your passwords to ensure they're strong.

  4. Upload the .htpasswd file to a directory on your web server that is not live. In other words, you should not be able to go to http://your_domain/.htpasswd; it should be in a home directory or other location that is secure.

Using .htaccess to Protect Your Website

If you want to password-protect your entire website:

  1. Create a text file called .htaccess, as above.

  2. Add the following to the file:

    Change the first line to reflect the path and file name of your .htpasswd file, and change the second to the name of the site section you're protecting (it can be anything you choose).

  3. Save the file in ASCII format, and upload it to the directory you want to protect.

  4. Test that the password works by accessing the URL. If your password doesn't work, go back to your encryption program and encrypt it again. Remember that the username and password will be case-sensitive. If you are not prompted for a password, contact your system administrator to make sure that .htaccess is turned on for your site.

Create an .htaccess File for an Individual File

If you want to password-protect an individual file, continue as follows:

  1. Add the following to the file:

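    AuthUserFile /path/to/htpasswd/file/.htpasswd
    AuthName "Name of Page"
    AuthType Basic
    # mypage.html is a placeholder: use the name of the file you want to protect
    <Files "mypage.html">
    require valid-user
    </Files>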

    Change these to reflect your preferences, as above.

  2. Save the file and upload it to the directory of the file you want protected.

  3. Test that the password works by accessing the URL.

This works only on servers that support .htaccess. If you don't know if your server supports .htaccess, contact your hosting provider.

Make sure to save the .htaccess file as ASCII text, not Word or some other format.

The user file should not be accessible from a browser, but it must be on the same server as the web pages.
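
The following Python audit is an added example, not part of the original article. It classifies each .htpasswd entry by the hash format Apache's htpasswd tool writes, and checks whether the AuthUserFile path from an .htaccess file sits under the document root, which step 4 and the note above say it must not. The document root /var/www/html, the alice, bob and carol entries and their hash strings are constructed assumptions, and absolute paths are assumed.

```python
import posixpath
import re

# Hash formats written by Apache's htpasswd tool. Apache's documentation calls
# crypt() and SHA-1 entries insecure; bcrypt is the format to prefer.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$"), "bcrypt", "ok"),
    (re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "apr1-md5", "legacy"),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1-unsalted", "weak"),
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "des-crypt", "weak"),
]

def classify(hash_field):
    """Map the part after 'username:' to (scheme, verdict)."""
    for pattern, scheme, verdict in SCHEMES:
        if pattern.match(hash_field):
            return scheme, verdict
    return "unrecognised", "review"

def audit_htpasswd(text):
    """Return {username: (scheme, verdict)} for every username:hash line."""
    report = {}
    for line in text.splitlines():
        user, sep, hash_field = line.strip().partition(":")
        if sep and user and not user.startswith("#"):
            report[user] = classify(hash_field)
    return report

def auth_user_file(htaccess_text):
    """Extract the AuthUserFile path from .htaccess text, or None."""
    pattern = r'^[ \t]*AuthUserFile[ \t]+"?([^"\r\n]+?)"?[ \t]*$'
    m = re.search(pattern, htaccess_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def served_from_docroot(path, docroot):
    """True if an absolute path normalises to a location under docroot."""
    path, root = posixpath.normpath(path), posixpath.normpath(docroot)
    return path == root or path.startswith(root.rstrip("/") + "/")

# Constructed sample input (the page's two entries plus made-up hash strings).
SAMPLE_HTPASSWD = "\n".join([
    "maryj:oWBaTERw", "johnjones:fUJAUDIc", "alice:$2y$10$" + "a" * 53,
    "bob:$apr1$abcdefgh$" + "b" * 22, "carol:{SHA}" + "c" * 27 + "=",
])
SAMPLE_HTACCESS = "AuthUserFile /var/www/html/private/.htpasswd\nAuthType Basic\n"

if __name__ == "__main__":
    print(audit_htpasswd(SAMPLE_HTPASSWD))
    print(served_from_docroot(auth_user_file(SAMPLE_HTACCESS), "/var/www/html"))
```

Entries reported as weak or legacy can be regenerated with htpasswd -B, which writes bcrypt. Basic authentication sends the credentials base64-encoded on every request, so the protected area should be served over HTTPS.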