How do I password protect a directory using .htaccess files?

Answer by: Andrew Hickl, Aplus.Net Knowledge Base Support

You can establish password protection using the following two files: .htaccess and .htpasswd. Please have in mind that you can use these files only of you have a Unix-based hosting plan.

The directory password protection is a four step process:

• First, you’ll need to create an .htpasswd file to store the log-in information for the protected directory.
• Second, you’ll need to upload your .htpasswd file to the directory that you are going to protect.
• Third, you’ll need to create an .htaccess file to instruct the server to password protect the directory.
• Finally, you’ll need to upload your .htaccess file to the directory you’re going to protect.

I. CREATING THE .HTPASSWD FILE:

1. Open up a text editor on your computer. We recommend that you use Notepad (Windows), SimpleText (Macintosh), or Emacs (Linux / UNIX).
2. Save the file as .htpasswd (including the initial dot).
3. Now, make sure that your text editor did not append a .txt suffix to the file name. (In Windows, you can do this by right-clicking the icon for the text file and selecting “Properties”.) If the file name does have a .txt suffix (i.e. ‘.htpasswd.txt’), remove the suffix by renaming the file.
4. Before entering code into your new file, make sure that “Word Wrap” is turned off. (In Notepad, select “Format…” from the top navigation bar and make sure that “Word Wrap” is unchecked).
5. Begin adding users by selecting the username that you will use to login to the protected directory. (Usernames can be between 2 and 16 characters long and should only contain lower-case letters and numbers.)
6. Type the username into the .htpasswd file followed by a colon. At this point, your .passwd file should look like this (“username” is used as example):

7. Now, you have to encrypt the password that you will use to login to the directory. To do this, visit http://users.abac.com/cgi-bin/pass.pl. On this page, enter your password (up to 13 characters) and hit the Encrypt button – the encrypted password will be displayed on the following page.
   Important: The encrypted password will always be 13 characters long, regardless of the actual length of your password.
8. Copy the encrypted password from the webpage and paste it into your .htpasswd file following the colon. Be sure to remove any spaces that may precede or follow the password. Your file should look like this:
   
   

9. To add additional users, end the current line with a carriage return and repeat steps (5) through (8) above on the next line.
10. When you’re done adding users, save the file.
    
    

II. UPLOADING THE .HTPASSWD FILE:

1. Open your FTP client and establish a connection to your web space using your FTP Username and FTP Password.
2. Browse to the directory that you’d like to protect.
3. Set your upload settings to ASCII. (Uploading .htpasswd files in ‘binary’ format may have unexpected consequences.)
4. Upload your .htpasswd file from your local computer.
5. After the upload is completed, you may need to change the file permissions for the .htpasswd file. They should be set to 644 or RW-R--R--.

III. CREATING THE .HTACCESS FILE:

1. Using the same text editor that you used to create the .htpasswd file, create (and save) a new file called .htaccess. (Be sure to remove the .txt suffix, if your software automatically appends one.)
2. Add the following code to the .htaccess file:

3. Replace path above with the absolute path to the directory you have uploaded the .htpasswd to:

• How can I find out the absolute path to my Unix-based shared hosting account?

EXAMPLE: If your account is on partition u5, and your main FTP username is aplus, and you are going to protect the html/images/ directory, then you have to replace path in the .htaccess file with the following line:

/home/u5/aplus/html/images/.htpasswd

4. You can also replace “Enter Password” in the .htaccess file with a message you want to be displayed to your website visitors when prompted for the login information (please make sure to keep the quotes).
5. Save the .htaccess file on your local computer.
   
   
   

IV. UPLOADING THE .HTACCESS FILE:

1. Once again, open up an FTP connection to your web space.
2. Browse to the directory that you would like to password protect.
3. Using an ASCII connection, upload your .htaccess file to the same directory you have uploaded the .htpasswd file.
4. After the upload is completed, you may need to change the file permissions for the .htaccess file. They should be set to 644 (using chmod) or RW-R--R--.

That’s it! If your implementation was successful, visitors to the password protected directory will now have to enter the username and password you have specified in the .htpasswd file before being allowed access.

Important: If you have a Windows-based hosting plan, you cannot use .htaccess files.