ID #32

How do I protect a directory with .htaccess?

Applies to: Grid System

If you have a folder on your website that contains sensitive or restricted information, you can password-protect it with what's called "HTTP authentication" so that unauthorized visitors cannot see its contents (you can read more about it here). There are two ways to password-protect folders/directories on your website. We recommend our Folder Password Protection tool in the control panel for most users, but if you are familiar with .htaccess files, you can also edit them manually.

Using the Onsite Control Panel Tool
In the Onsite Control Panel, click on Folder Password Protection. Follow the on-screen directions to specify which folder/directory to protect. You will also be prompted to specify usernames and passwords associated with that directory.

Manual Method
In the directory you want to protect with HTTP authentication, create or upload a file named: .htaccess (remember to include the "." before the "htaccess").

Files that begin with a dot are hidden from regular file listing (ls) commands. To see files that begin with a dot, do a complete file listing command (ls -a) or see this other FAQ.

The .htaccess file should contain the following 4 lines:

AuthType Basic
AuthName "Some Description"
AuthUserFile /full_path_to_homedir/[passwordfile]
Require valid-user

For example, if your domain was example.com, then the third line would read:

AuthUserFile /domains/e/example.com/allowlist

In the above example "allowlist" is the name we've chosen for the password file. Next, you need to create the password file itself using the filename that matches what you put as [passwordfile] in the .htaccess file. Using our example, you would do this using a command prompt and typing:

htpasswd -c allowlist myuser

Once you've entered the above command, you will be prompted twice for the user's password. If you just want to add another user to an existing password file, or change the password for a user already in the file, leave off the -c option: -c creates the file, and if the file already exists it is overwritten. To learn more about the "htpasswd" command, you can read this documentation page. You can also type "htpasswd" by itself to see all of the command's options.
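An added example (not part of the original FAQ): a POSIX shell check to run after the manual setup. It confirms that .htaccess contains the four directives, that AuthUserFile is a full path to an existing file outside the protected directory, and that .htaccess is world-readable. The function name check_htaccess is hypothetical, and the world-readable requirement is an assumption taken from the reader comments on this page.

```shell
#!/bin/sh
# check_htaccess DIR: print one line per problem; succeed only if none.
# (Hypothetical helper name; the checks mirror the FAQ's manual method.)
check_htaccess() {
    dir=$1; ht="$dir/.htaccess"; problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }
    [ -f "$ht" ] || { echo "PROBLEM: $ht not found"; return 1; }

    # All four directives from the FAQ must be present.
    for d in AuthType AuthName AuthUserFile Require; do
        grep -Eqi "^[[:space:]]*$d[[:space:]]" "$ht" || fail "missing $d"
    done

    # AuthUserFile must be a full path to a file that exists.
    pw=$(sed -n 's/^[[:space:]]*[Aa]uth[Uu]ser[Ff]ile[[:space:]]\{1,\}//p' "$ht" |
         head -n 1 | tr -d '"\r')
    abs=$(cd "$dir" && pwd -P)
    case $pw in
        "")        ;;  # already reported as a missing directive
        "$abs"/*)  fail "password file is inside the protected directory" ;;
        /*)        [ -f "$pw" ] || fail "password file $pw does not exist" ;;
        *)         fail "AuthUserFile '$pw' is not a full path" ;;
    esac

    # Assumption taken from the reader comments: the web server reads
    # .htaccess as "other", so the last permission digit must be >= 4.
    [ "$(ls -ld "$ht" | cut -c8)" = r ] || fail ".htaccess is not world-readable"

    [ "$problems" -eq 0 ]
}

# Constructed demo: scratch layout with the password file in the "home"
# directory and .htaccess in the directory being protected.
demo=$(mktemp -d)
mkdir "$demo/private"
: > "$demo/allowlist"
printf 'AuthType Basic\nAuthName "Some Description"\nAuthUserFile %s\nRequire valid-user\n' \
    "$demo/allowlist" > "$demo/private/.htaccess"
chmod 644 "$demo/private/.htaccess"
check_htaccess "$demo/private" && echo "OK: $demo/private"
rm -rf "$demo"
```
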

Removing Folder Password Protection - Manual Method
You can delete the .htaccess file from the command prompt by typing:

rm htdocs/www/.htaccess

(where htdocs/www/ was the directory that you put the .htaccess file in to begin with).

Removing Folder Password Protection - Using Onsite Control Panel Tool
In the Onsite Control Panel, click on Folder Password Protection. Click the 'remove' link next to the directory you want to remove from password protection.

Note: When using the Onsite Control Panel Tool, a backup of any existing .htaccess file is automatically created and named .htaccess.bak. When using the Onsite Control Panel Tool to remove folder password protection, you may need to manually modify the backup copy and rename it back to .htaccess.

Last update: 2010-09-29 16:16
Author: FAQ Admin
Revision: 1.2

Comment of Anonymous:
The .htaccess file goes in the directory you want to protect.
The passwordfile (allowlist) that you create by running the htpasswd command should go in your home directory.
Added at: 2002-04-15 16:08

Comment of Anonymous:
In case your FTP client doesn't show your .htaccess file:

I've found it much easier just to 'turn on' hidden files with the "Remote file mask" switch: -la

WS_FTP calls it "Remote file mask" while FTPVoyager refers to it as "Extra LIST Parameter" so naturally it stands to reason your mileage may vary.

Added at: 2002-06-24 14:01

Comment of Anonymous:
The last bit of the chmod permissions on the .htaccess file must be at least 4 (644, 604, 605, 705, 775, etc). You cannot make it 640 because then apache cannot read it (since it is not in your group), and you cannot chgrp the file to be group owned by apache because you are not a member of the apache group either.
Added at: 2002-11-08 20:29

Comment of Anonymous:
Be sure your .htaccess file is CHMOD'd to 644.
Added at: 2002-05-31 10:36

Comment of Anonymous:
If you want to protect only certain files in a directory, then put the protection directives from the above FAQ inside of a FilesMatch container like so:

AuthType Basic
AuthName "Some Description"
AuthUserFile /full/path/to/passwdfile
Require valid-user

The match pattern is a regular expression, so it can be used to match more than 1 file: . That would protect private.html and secret.html and no other files.
Added at: 2004-07-21 15:40

Comment of Anonymous:
Or an even easier method .. the .htaccess manager .. it does this all for you.

see : http://htaccess.technotrade.com


Added at: 2003-09-06 02:32

Comment of Anonymous:
In case you are using FTP Voyager (as I do), you can also use the "GET .htaccess" command to get the hidden .htaccess file.

Added at: 2008-05-29 18:55

Comment of Anonymous:
Just be very careful with htaccess as it can screw up your whole site, especially if you're running things SEO friendly.
Added at: 2008-11-29 04:04

Comment of anon:
Can I assign a login page to .htaccess rather than the standard browser popup? Also, if I have multiple sites within my domain, how do I manage each .htaccess file?
Added at: 2010-03-15 08:55