	Home Web Hosting domains Domains

Customer Support

Support Categories:

Getting Started
FTP
Moving Domains
E-mail
Stat Reports
Mailing Lists
Apache
PHP
CGI
MySQL Database
Other Software
Billing & Terms
Control Panel
E-commerce
Pre-Sales

Search for keywords:

Browse by category:

How do I protect a directory with .htaccess?

If you have a folder on your website that contains sensitive or restricted information, you can password-protect it to prevent unauthorized visitors from seeing its contents using what's called "HTTP authentication" (you can read more about it here). There are two ways to password protect folders/directories on your website. We recommend our Folder Password Protection tool in the control panel for most users. But, if you are familiar with htaccess files, you can also edit them manually.

Using the Onsite Control Panel Tool
In the Onsite Control Panel, click on Folder Password Protection. Follow the on-screen directions to specify which folder/directory to protect. You will also be prompted to specify usernames and passwords associated with that directory.

Manual Method
First, verify the real path to your home directory.

Next, in the directory you want to protect with HTTP authentication, create or upload a file named: .htaccess (remember to include the "." before the "htaccess").

Files that begin with a dot are hidden from regular file listing (ls) commands. To see files that begin with a dot, do a complete file listing command (ls -a) or see this other FAQ.

The .htaccess file should contain the following 4 lines:

AuthType Basic AuthName "Some Description" AuthUserFile /[home dir full path]/[passwordfile] Require valid-user

For example, if your domain was example.com, then the third line would read:

AuthUserFile /www/vhosts/e/example.com/allowlist

In the above example "allowlist" is the name we've chosen for the password file. Next, you need to create the password file itself using the filename that matches what you put as [passwordfile] in the .htaccess file. Using our example, you would do this using a command prompt and typing:

htpasswd -c allowlist myuser

Once you've done the above step, you will be prompted twice for the user's password. If you just want to add another user to an existing password file, or change a password for a user already in the file, then leave off the -c option. To learn more about the "htpasswd" command, you can read this documentation page. Also, you can type "htpasswd" by itself to see all the command's options.



You can delete the .htaccess file from the command prompt by typing:

rm htdocs/www/.htaccess 
 (where htdocs/www/ was the directory that you put the .htaccess file in to begin with).



When using the htpasswd command, if you see an error "Cannot create temporary file," then create a "tmp" subdirectory in your home directory with your FTP program or from the command prompt like so:

cd mkdir tmp

     
    

        
            User-Contributed Notes

            
        
        
            
                
        
            15-Apr-2002 16:08            
        
        
            
            The .htaccess file goes in the directory you want to protect. 
The passwordfile (allowlist) that you create by running the htpasswd
command should go in your home directory.
            

            
        
    
            
        
        
            
                
        
            ryan -at- ryansims.com
31-May-2002 10:36            
        
        
            
            Be sure your .htaccess file is CHMOD'd to 644.
            

            
        
    
            
        
        
            
                
        
            john -at- johnmasterson.com
24-Jun-2002 14:01            
        
        
            
            In case your FTP client doesn't show your .htaccess file:

I've found it much easier just to 'turn on' hidden files with the
"Remote file mask" switch: -la 

WS_FTP calls it "Remote file mask" while FTPVoyager refers to it as
"Extra LIST Parameter" so naturally it stands to reason your mileage may
vary.


            

            
        
    
            
        
        
            
                
        
            08-Nov-2002 20:29            
        
        
            
            The last bit of the chmod permissions on the .htaccess file must be at
least 4 (644, 604, 605, 705, 775, etc). You cannot make it 640 because
then apache cannot read it (since it is not in your group), and you
cannot chgrp the file to be group owned by apache because you are not a
member of the apache group either.
            

            
        
    
            
        
        
            
                
        
            sam -at- afifi.com
06-Sep-2003 02:32            
        
        
            
            Or an even easier method .. the .htaccess manager .. it does this all
for you.

see : http://htaccess.technotrade.com

Aloha

            

            
        
    
            
        
        
            
                
        
            21-Jul-2004 15:40            
        
        
            
            If you want to protect only certain files in a directory, then put the
protection directives from the above FAQ inside of a FilesMatch
container like so:

<FilesMatch "secret.html$">
  AuthType Basic
  AuthName "Some Description"
  AuthUserFile /full/path/to/passwdfile
  Require valid-user  
</FilesMatch>

The match pattern is a regular expression, so it can be used to match
more than 1 file: <FilesMatch "(private|secret).html$">. That would
protect private.html and secret.html an no other files.
            

            
        
    
            
        
        
            
                
        
            info -at- movie2b.com
29-May-2008 18:55            
        
        
            
            2john -at- johnmasterson.com: in case you are using FTP Voyager (as I
do) you can also use "GET .htaccess" command to get hidden .htaccess
file.

--------------------------------
Download movies - http://www.movie2b.com/
            

            
        
    
            
        
        
            
            
        
    
    
Related Questions:

Why does my website just say "Error 403 Forbidden"?


How can I show a default page other than index.html?


How do I stop people from getting directory listings when I dont have an index page?


What do the different HTTP Status Codes like 200, 304, 404, 401, 403 mean?


What options are configured with Apache and what can I do with .htaccess files?


How do I protect a directory with mod_auth_mysql?


How do I stop other websites from using my bandwidth while they steal images, flash, etc. from my site?


Which Apache modules are installed?


How do I make my own Error Documents to replace the default ones like 404 Not Found?


How can I make apache recognize different MIME types?


The webservers' Gzip compression is messing up my XML or Flash files for Netscape 4 browsers. How do I turn off compression?


How do I get different character sets to display correctly?


What webserver do you run?


Will I have access to raw logfiles?


I created a symbolic link, and now I am getting a 404 errors.


How do I stop the server from automatically correcting spelling mistakes in URLs or offering multiple choices for documents?


My mod_rewrite rules make my website stop loading.


Why am I getting a 412 Precondition Failed from a website?


How do I protect my website from comment spam?


How do I enforce the use of SSL on my website?


How do I redirect traffic to another web page?


    
        Browse Categories:
Getting Started, FTP, Telnet/SSH, Moving Domains, E-mail, Traffic Reports, Mailing Lists, Apache, PHP, CGI, Other Server-Side Scripting, MySQL Database, Imaging Libraries, Other Software, Billing & Terms, Control Panel, E-commerce, Pre-Sales

 




           Copyright
2000-2008 by Modwest,
Inc.          About Us    |    Blog    |    Jobs    |    Web Design     |    Contact Us