How to password-protect a directory using .htaccess
The .htaccess file is a configuration file for the Apache HTTP server. .htaccess includes a series of directives that control how the server responds to requests. (A "directive" is just a text command/keyword followed by its value.) One of the more common usages of .htaccess is to enable a directory to be password protected. By adding appropriate directives to .htaccess, when a web user accesses a file in that directory or a subdirectory, they’ll be prompted for a username and password.
DIFFICULTY: Basic - 1 | Medium - 2 | Advanced - 3
TIME REQUIRED: 15-30 min
RELATED PRODUCTS: Linux-based VPS or dedicated servers; cPanel Shared Hosting; Linux-based Web & Classic Hosting
If AuthConfig overrides are enabled in the main configuration file (AllowOverride AuthConfig), directives similar to the following will enable the current directory tree to be password protected with basic authentication for user blake:
AuthType Basic
AuthName "Protected Area"
AuthUserFile /path/to/password.file
Require user blake
The AuthType directive sets the method used to authenticate the user. Basic sends the username and password in the clear over the network. If you want to protect the username and password over the wire, use SSL (mod_ssl) with your Basic authentication.
Use the AuthName directive to name the realm, which identifies to the user which password they should enter. Multiple independent directory trees in the same realm can be protected by a single password. Once a user has entered a password for a realm, they won’t be prompted again, provided the server name part of the URL doesn’t change.
As might be inferred, the AuthUserFile directive defines where to look for passwords. You create the password file with the htpasswd command. There is also an AuthGroupFile directive that allows you to define groups of users. You can then protect the directory by group name instead of having to identify individual users.
AuthGroupFile /path/to/groups.file
Require group admin
The groups.file file is a text file that would consist of a list of groups and usernames like the following, where the password for each user is maintained in the specified password file from the
Require directive is how you are identifying who has access to the directory tree. The basic usages are to control access for any valid user, a list of users, or list of groups.
Require user userid1 [userid2] ...
Require group group1 [group2] ...
There are additional ways to control access with directives like Allow. If Require is insufficient for your needs, review the other directives.
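The directives described above, combined into one group-based .htaccess that also refuses non-SSL requests. This is an added example, not configuration from the original article: both file paths are placeholders, and the users alice and carol and the staff group are constructed for illustration.

```apache
# .htaccess in the directory to protect (constructed example).
# Needs AllowOverride AuthConfig for this directory in the main
# configuration, with mod_auth_basic, mod_authn_file,
# mod_authz_groupfile and mod_ssl loaded.

# Basic authentication sends credentials unencrypted, so deny any
# request that did not arrive over SSL/TLS (mod_ssl directive).
SSLRequireSSL

AuthType Basic
AuthName "Protected Area"

# Password file created with the htpasswd command; placeholder path.
#   htpasswd -c /path/to/password.file blake    (-c creates the file)
#   htpasswd    /path/to/password.file alice    (adds another user)
#   htpasswd    /path/to/password.file carol
AuthUserFile /path/to/password.file

# Group file; placeholder path. Plain text, one group per line:
#   groupname: user1 user2 ...
# Constructed contents for this example:
#   admin: blake alice
#   staff: carol
AuthGroupFile /path/to/groups.file

# Admit only members of the admin group. carol has a valid password
# but is not in admin, so she is refused.
Require group admin
```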
Use basic authentication via .htaccess with care. It may work fine for small sets of users but does not scale well. Consider something like using an OAuth server for a production environment with large numbers of users.
Do note that with basic authentication, each resource request requires the username and password to be verified, even with just reloading a page, which can have performance implications.