How to Password Protect Directory Using .htaccess

Do you want to password protect a directory on your website? .htaccess is a powerful file which can easily password protect your files and folders in your web directories. I share this new skill I learnt while  implementing it on our site.

Lets suppose you want to protect the folder ‘secretfolder’ located on this path on your server:  home/user/domain/secretfolder

Password Protect Directory with htaccess

Step 1 – Create .htpasswd file with your desired username and password in any text editor (like Notepad) and save without the .txt extension. It is a good idea to encrypt the password  for extra security. Here is a good htpasswd encryption tool to do just that – simply enter the username and password and it will generate the code for you, which you can copy and paste. For a user ‘abc’ and password ‘abc’, I got this (but it generates a new one everytime) –


Step 2 – Create .htaccess file with the code below. It can be created using any text editor (like Notepad) and saved without the .txt extension. Remember to double check the location of the htpasswd file, or it will not work. You can change ‘Login Details’ to whatever you want displayed on the pop up alert.

AuthUserFile /home/user/domain/secretfolder/.htpasswd
AuthType Basic
AuthName "Login Details"
Require valid-user

Step 3 – Upload both these files in the same folder which you want to protect  (in this case ‘secretfolder’). Now whenever anyone accesses that directory or any files in it, they will be asked for login details. You web directory is now secure.

NOTE – You might not be able to see these files on your server since they are hidden files. I use Filezilla FTP client and often use the “force showing hidden files” option to view these files. Also remember that these files can be created easily in Notepad but save without .txt extension (Save a type –  choose “All Files”, then you can save without any extension). If the Login window keeps popping up,  most probably your login details are wrong.

OPTION – Here are some simple scripts to protect webpages, but they are only the first line of security. However, they are easier to implement as they can be simply inserted in the webpage  HTML code.

WARNING: .htaccess is a very powerful file to mess with and if wrongly configured can make your site inaccessible. If you are not sure of what you are playing with, seek professional tech support from your hosting provider. Edit your .htaccess at your OWN RISK, we bear no responsibility for the same and cannot provide support.

Share with friends

About the Author: P Chandra is editor of QOT, one of India's earliest tech bloggers since 2004. A tech enthusiast with expertise in coding, WordPress, web tools, SEO and DIY hacks.