HTACCESS Password Service

Linux power-users have known, and used the power of htacess for some time. htaccess allows web developers to make significant changes to the resident Apache Server configuration setup. The web developer does not need any special privileges to change how the server works, just a through understanding of the mechanics of htaccess.

Using htacess one can, for example, provide file and directory level password protection, create search-engine friendly URLs, limit access to resources by IP address, and initiate many other useful services.

In this article, we will explore how to use htaccess to password protect files and directories.


Creating file and directory (or folder) level password schemes is simple, using an invisible text file called .htacess (the dot preceding the file name makes it invisible in unix/linux based operating systems), and a file called htpasswd.

.htacess contains the instructions for the password utility, and htpasswd contains the usernames and encrypted passwords. Both are simple text files. It is important to note that htpasswd needs to be placed away from your web root, where it is not publicly available. You will use FTP (File Transfer Protocol) to place both files on your web server. Please see our article on FTP for more information on that topic.

OK, so let’s build our .htacess and htpasswd files.

1. Open your favorite text editor.
2. Save the file in a known directory as htacess, without the leading dot ( .htacess). You can rename it later on the server, using FTP.
3. Type the following in your file (change the /usr/local/you/safedir bit to your specific server path):

AuthUserFile /usr/local/you/safedir/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require user USERNAME

To create your password file, you can use the following web-based .htaccess password generator: Follow the instructions on that page to create your encrypted htpasswd file. It will look something like this:


Remember not to upload the newly created htpasswd file into your web root folder. Ideally, you want to place this file above the web root.

Now, lets dissect the 5 line .htaccess file.

The first line is the full server path to your htpasswd file. Note that this is a server path, and not a URL. Also keep in mind that if you upload this .htaccess file to your root folder, it will password protect your entire site. This may or may not be what you desire.

The second line (AuthGroupFile) is set to null, as groups are not involved in this method of authentication.

The third line (AuthName) is the name of the area (or realm) you want to limit access to. You can give this any name (within reason) that you want.

The forth line shows that we are using basic HTTP authentication.

The fifth line is where you enter the username of those you are granting access. To enable multiple users, change this line to:

require valid-user

If all went well with your editing and uploading, you should now be prompted for a username/password combination when you attempt to access the protected folder.

In upcoming articles, we will delve further into .htaccess, and its many uses for webmasters.

Leave a Reply

Your email address will not be published. Required fields are marked *