
Protecting Web Directories with htaccess/htpasswd

So, what's htaccess and htpasswd?

It's a simple way of preventing a casual web surfer from accessing parts of your website, with a few provisos:

  1. Your website is hosted on an Apache web server
  2. Apache is configured to honour htaccess directives (the server's AllowOverride setting for your directory must include AuthConfig; if it doesn't, the .htaccess file is silently ignored)
  3. The stuff you're 'protecting' is not overly sensitive. Basic authentication sends the username and password with every request, merely base64-encoded, so anyone who can see the traffic can read them unless the site is served over HTTPS
  4. You are able to upload files to your website

How do I set it up?

If you want to keep it simple it's pretty easy really. You place an htaccess directive file in the directory you want to protect, and point it at a password file where you store username:hashed-password pairs for the people authorised to view the contents of the directory. You'll need to create the htaccess file and the password file and transfer them to your website. For the sake of this exercise, we'll locate the password file in the same directory as the htaccess file. It really should live outside the document root of your website, where web surfers can't request it at all. Apache's stock configuration refuses to serve files whose names begin with .ht, which is what makes the in-directory shortcut survivable, but that depends on your host not having changed that default, so treat it as a convenience, not a guarantee.

Usually you'd use Apache's htpasswd command to create the username:hashed-password pairs in the password file, but if you don't have shell access to your webhost, you can use Steve's Web htpasswd Encrypter and add the pairs to your password file before transferring it to your website host. Bear in mind that typing a password into any web form means sending it to that site, so don't reuse a password you care about for this.

Step by step Goodness:

  1. Find the full directory path to the directory on your website that you want to protect. This must be the absolute path on the server's filesystem, not the URL. There are a few ways you can do this, e.g.
    1. Open an FTP connection to your website using command-line FTP ie.
      ftp www.yourwebsite.com
      cd protected-directory
      pwd
    2. Contact tech support for your web host and ask them
    3. It will look something like /data/www/html/username/directory


  2. Open a new file in a plain text editor (Notepad on Windows, vi or emacs or pico on Unix) and put the following in it:

    AuthUserFile /full/path/to/protected/directory/.htpasswd
    AuthName "Protected Area"
    AuthType Basic
    Require valid-user

    AuthUserFile takes the absolute path you found in step 1. Older versions of this recipe also had an "Allow from all" line here; it does nothing for authentication, and on Apache 2.4 without the mod_access_compat module it is an unknown directive that makes the server answer every request for the directory with a 500 error, so leave it out. AuthName is the text shown in the browser's login prompt (the "realm"), and Require valid-user lets in anyone who appears in the password file with the right password.

    Save this file as htaccess.txt (we'll be renaming it later)


  3. Open another new file in a plain text editor and put one username:hashed-password combination per line for each username that is authorised to access the protected directory. The password is never stored in the clear; the file holds a hash that Apache recomputes from what the visitor types. Where do you get the username:hashed-password combos? (trick question) Easy! From Steve's Web htpasswd Encrypter! If you do have shell access, htpasswd on the server does the same job, and its bcrypt (-B) or MD5 (-m) formats are much stronger than the old crypt() format, which only looks at the first eight characters of the password.

    Save this file as htpasswd.txt. We'll also be renaming this file.


  4. Transfer both these files to the website directory you want to protect.
    If you're using FTP, transfer the files using ASCII mode so that Windows line endings get converted on the way; a stray carriage return at the end of a line can stop a username from matching. Plain FTP sends your login in the clear, so use SFTP or SCP instead if your host offers it.
    Rename htaccess.txt to .htaccess and htpasswd.txt to .htpasswd


  5. Test your implementation by browsing to the protected directory. You should be prompted to enter a username and password (the server is answering 401 Unauthorized behind the scenes). When you enter a username/password combination from your password file, you should see whatever you've put in your protected directory. Two more checks are worth a minute: enter a wrong password and confirm you are prompted again rather than let in, and request .htpasswd in the protected directory directly by its URL. You must get a 403 Forbidden, not the contents of the file. If the file downloads, your host does not block .ht* files, and you need to move it outside the document root before relying on it.


  6. Getting rid of the directory protection is as easy as deleting the .htaccess and .htpasswd files from the directory. Delete .htaccess first: if .htpasswd goes first while .htaccess still refers to it, Apache can't open the password file and answers every request with a 500 error until you remove the other file too.
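If you would rather not paste a password into anyone's web form, the following added example (mine, not part of the original page or of Apache's htpasswd tool) produces .htpasswd lines on your own machine in the $apr1$ format that htpasswd -m writes and that every Apache version since 2.0 accepts, then reads such a file back to check a login the way Apache does. It assumes a username may not contain a colon (the field separator) and that a salt is 1 to 8 characters from Apache's own ./0-9A-Za-z alphabet. The two-user file at the bottom is constructed sample data.

```python
import hashlib
import secrets

# Alphabet Apache's to64() uses for both the salt and the hash body.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    # Emit `count` characters, least-significant 6 bits first (apr_md5.c order).
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Apache's MD5-based password hash (apr_md5_encode), the `htpasswd -m` format."""
    pw = password.encode("utf-8")
    sl = salt[:8]
    if not sl or any(ch not in ITOA64 for ch in sl):
        raise ValueError("salt must be 1-8 characters from " + ITOA64)
    sb = sl.encode("ascii")
    ctx = hashlib.md5(pw + APR1_MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    # Feed in the alternate digest, one byte per byte of password, 16 at a time.
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(remaining, 16)])
        remaining -= 16
    # For each bit of len(pw): a NUL byte if the bit is set, else the first password byte.
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching, alternating the order of the inputs.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    # Apache's fixed byte permutation before encoding: 22 output characters.
    f = final
    body = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return APR1_MAGIC.decode("ascii") + sl + "$" + body


def new_salt() -> str:
    # Fresh random 8-character salt per user, from a CSPRNG.
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def htpasswd_line(username: str, password: str, salt: str = "") -> str:
    """One line ready to paste into .htpasswd: username:$apr1$salt$hash."""
    if ":" in username or "\n" in username or "\r" in username:
        raise ValueError("username may not contain ':' or line breaks")
    return f"{username}:{apr1_hash(password, salt or new_salt())}"


def verify_apr1(stored: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return secrets.compare_digest(apr1_hash(password, parts[2]), stored)


def check_user(htpasswd_text: str, username: str, password: str) -> bool:
    """What mod_authn_file does: find the user's line, then verify the hash."""
    for line in htpasswd_text.splitlines():
        line = line.strip()  # tolerates the CR left behind by a Windows editor
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        if user == username:
            return verify_apr1(stored, password)
    return False


if __name__ == "__main__":
    # Constructed sample .htpasswd with two users (not a real site's file).
    sample = htpasswd_line("alice", "correct horse") + "\n" + htpasswd_line("bob", "b0b") + "\n"
    print(sample, end="")
    print("alice ok:", check_user(sample, "alice", "correct horse"))
    print("bob wrong:", check_user(sample, "bob", "wrong"))
```

Run it, paste the printed lines into htpasswd.txt, and carry on from step 4. Each user gets a fresh random salt, so two users with the same password get different lines and an attacker who steals the file cannot crack them as a batch. A bcrypt line (htpasswd -B) is stronger still, but it needs a third-party library here and a reasonably recent Apache 2.4 on the server, so this example sticks to the format every Apache accepts.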

I still don't get it!

OK, so I'm not really good at simple explanations. Here are a few additional resources:

A Tutorial
A Second Tutorial
Yet Another Tutorial

Help! It screwed up, and my granny lost her credit card number!

Well, I did tell you htaccess was not for protecting sensitive information. Also it's quite likely that what I've told you is all wrong and just doesn't work. The Web's like that. Did I tell you that I'm really your next door neighbour's dog?