How to password protect a website folder using .htaccess
Dynamic Hosting, Premium Hosting, Unlimited Hosting, Multisite hosting, Starter Hosting, Business Hosting, Start-Up Hosting
Time Estimate: 10 minutes
Difficulty Level: Medium
It can sometimes be useful to protect areas of your website, for example you have pages that you only want your friends to see.
To add password protection to your website you need to create a file to store usernames/passwords and add some code into a .htaccess file.
Creating the password file
The password file is a simple text file that contains username and password separated by a colon (:). However the password must be encrypted. There are lots of free tools that will encrypt the password for you or you can use our tool below. Simply enter a username and password and we'll generate a string of text that you can copy and paste.
Open a plain text editor, such as Notepad on Windows or TextEdit on Mac, and copy and paste the username/password string into it. Save this file as ".htpasswd". Now you need to upload this file to your website using FTP. For extra security make sure that it is outside of your web folder so that it can never be accessed by someone going to http://www.domain.com/.htpasswd. Our hosting servers will block web access to any files beginning with .ht, but it is bad practice to put the password file in a publicly accessible folder.
Creating the .htaccess file
Once you have created and uploaded your .htpasswd file you'll need to create a .htaccess file to tell the web server what folder you want to protect and what username/password file to use. Open a plain text editor (e.g. Windows - notepad, Mac – textedit) and put in the following code:
AuthType Basic AuthName "My Protected Folder" AuthUserFile /www/sites/5ce/448/www.domain.com/.htpasswd require valid-user
Let's go through the parameters you've just set:
Line 1 - Defines the type of authentication the web server will use, Basic is perfectly adequate for what we need.
Line 2 - Sets the title of the username/password box that will popup when someone tries to view your protected page.
Line 3 - Tells the web server where to find the username/password file. To find out the full path to your web folder login to you account, click the hosting icon, click on the manage link for your hosted domain. The full path is displayed in the Document Root row under Hosting Summary.
Line 4 - Tells the web server who in your .htpasswd file can access your folder, by using valid-user everyone in the file can view the folder.
Where to upload your .htaccess file
The .htaccess file above will protect all of the files in the folder it is uploaded into, and all of the sub-folders under it. For example if you wanted to protect your entire website you could place the .htaccess file in your hosting web folder.