Use Htaccess to Password Protect Your Web Pages and Files


There are many websites that cause a box to pop up asking you for a username and password. If you don't know the password, you can't enter the site. This provides some security to your web pages and gives you the chance to choose who you want to allow to see and read your web pages. There are many ways to password protect your web pages, from PHP, to JavaScript, to htaccess (on the web server). Most people password protect an entire directory or website, but you can password protect individual files if you want to.

When Should You Password Protect Pages?

With htaccess, you can password protect any page or directory on your web server. You can even protect the entire website if you want to. Htaccess is the most secure method of password protection because the check is done by the web server: the list of valid usernames and passwords is never shared with the web browser or stored in the HTML, as it can be with other scripts. With Basic authentication the browser does send the visitor's own username and password with every request, only base64-encoded, so serve the protected pages over HTTPS. People use password protection for:

  • Hiding new versions of your website from the public until they are ready to launch.
  • Protecting private sections of your website so that only people you know and trust can read them.
  • Providing paid content to your customers and only allowing access via a password.
  • Creating a private forum for select readers.

It's Easy to Password Protect Your Web Pages 

You need to do two things:

  1. Create a password file to store the usernames and passwords that will have access to the directory.
  2. Create an htaccess file in the directory/file to be password protected.

Create the Password File

Whether you want to protect an entire directory or just an individual file, you'll start here:

  1. Open a new text file called
    .htpasswd
    Note the period at the beginning of the filename.
  2. Use a password encryption program to create your passwords. Paste the lines into your .htpasswd file and save the file. You will have one line for every username that requires access.
  3. Upload the .htpasswd file to a directory on your Web server that is not live on the Web. In other words, you should not be able to go to http://YOUR_URL/.htpasswd; it should be in a home directory or other location that is secure.

Create Htaccess File for Your Website

Then, if you want to password protect your entire website:

  1. Open a text file called
    .htaccess
    Note the period at the beginning of the filename.
  2. Add the following to the file:
    AuthUserFile /path/to/htpasswd/file/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Name of Area"
    AuthType Basic
    require valid-user

  3. Change
    /path/to/htpasswd/file/.htpasswd
    to the full path to the .htpasswd file you uploaded above.
  4. Change
    "Name of Area"
    to the name of the site section being protected. This is used primarily when you have multiple areas with different protection levels.
  5. Save the file and upload it to the directory you want protected.
  6. Test that the password works by accessing the URL. If your password doesn't work, go back to the encryption programs and encrypt it again. Remember that the username and password will be case-sensitive. If you are not prompted for a password, contact your system administrator to make sure that htaccess is turned on for your site.

Create Htaccess File for Your Individual File

If you want to password protect an individual file, on the other hand, you'll continue:

  1. Create your htaccess file for the file you want to protect. Open a text file called
    .htaccess
  2. Add the following to the file:
    AuthUserFile /path/to/htpasswd/file/.htpasswd
    AuthName "Name of Page"
    AuthType Basic
    <Files "mypage.html">
      require valid-user
    </Files>

  3. Change
    /path/to/htpasswd/file/.htpasswd
    to the full path to the .htpasswd file you uploaded in step 3.
  4. Change
    "Name of Page"
    to the name of the page being protected.
  5. Change
    "mypage.html"
    to the filename of the page you're protecting.
  6. Save the file and upload it to the directory of the file you want protected.
  7. Test that the password works by accessing the URL. If your password doesn't work, go back to the encryption programs and encrypt it again. Remember that the username and password will be case-sensitive. If you are not prompted for a password, contact your system administrator to make sure that htaccess is turned on for your site.

Tips

  1. This will only work on Web servers that support htaccess. If you don't know if your server supports htaccess, you should contact your hosting provider.
  2. Make sure that the .htaccess file is text, not Word or some other format.
  3. To keep your passwords secure, the user file should not be accessible from a Web browser, but it must be on the same machine as the Web pages.
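
The rule in tip 3 and in the upload step (the .htpasswd file must not sit anywhere the web server publishes) can be checked mechanically. The script below is an added example, not part of the original article: it reads the AuthUserFile path from an .htaccess file, tests whether that path resolves inside the document root, and lists password entries that are not stored as bcrypt or apr1-MD5. The document root /srv/example/public_html, the sample file contents and all function names are assumptions made for the example, and it expects AuthUserFile to be a full path, as the steps above instruct.

```python
import os
import re

# Constructed sample input: placeholder strings, not real hashes or accounts.
SAMPLE_HTACCESS = '''AuthUserFile /srv/example/public_html/private/.htpasswd
AuthName "Name of Area"
AuthType Basic
require valid-user
'''
SAMPLE_HTPASSWD = '''alice:$2y$05$CONSTRUCTEDbcryptPLACEHOLDERvalue
bob:{SHA}CONSTRUCTEDsha1PLACEHOLDER=
carol:CONSTRUCTEDplainOrCrypt
'''
SALTED = ("$2y$", "$apr1$")  # bcrypt and apr1-MD5 prefixes written by htpasswd

def auth_user_file(htaccess_text):
    """Return the AuthUserFile path named in .htaccess text, or None."""
    m = re.search(r'^[ \t]*AuthUserFile[ \t]+"?([^"\n]+?)"?[ \t]*$',
                  htaccess_text, re.M | re.I)
    return m.group(1) if m else None

def is_web_reachable(passwd_path, docroot):
    """True if the password file resolves to a location inside the document root."""
    path, root = os.path.realpath(passwd_path), os.path.realpath(docroot)
    return os.path.commonpath([path, root]) == root

def weak_entries(htpasswd_text):
    """Return (user, format) for every entry not stored as bcrypt or apr1-MD5."""
    weak = []
    for line in htpasswd_text.splitlines():
        user, sep, hashed = line.strip().partition(":")
        if not sep or user.startswith("#"):
            continue
        if hashed.startswith("{SHA}"):  # unsalted SHA-1
            weak.append((user, "unsalted-sha1"))
        elif not hashed.startswith(SALTED):
            weak.append((user, "crypt-or-plaintext-or-unknown"))
    return weak

def audit(htaccess_text, htpasswd_text, docroot):
    """Collect findings for one protected directory."""
    path = auth_user_file(htaccess_text)
    findings = [] if path else ["no AuthUserFile directive"]
    if path and is_web_reachable(path, docroot):
        findings.append(f"{path} is inside the document root {docroot}")
    return findings + [f"{u}: weak format {f}" for u, f in weak_entries(htpasswd_text)]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HTACCESS, SAMPLE_HTPASSWD, "/srv/example/public_html")))
```

Run it against your own .htaccess and .htpasswd contents with your real document root; an empty result means the password file is outside the published tree and every entry uses a salted format.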