
How do I protect a directory with .htaccess?

If a folder on your website contains sensitive or restricted information, you can password-protect it with what's called "HTTP authentication" (you can read more about it here) so that unauthorized visitors cannot see its contents. There are two ways to password-protect folders/directories on your website. We recommend our Folder Password Protection tool in the control panel for most users, but if you are familiar with .htaccess files, you can also edit them manually.

Using the Onsite Control Panel Tool
In the Onsite Control Panel, click on Folder Password Protection. Follow the on-screen directions to specify which folder/directory to protect. You will also be prompted to specify usernames and passwords associated with that directory.

Manual Method
First, verify the real path to your home directory.

Next, in the directory you want to protect with HTTP authentication, create or upload a file named: .htaccess (remember to include the "." before the "htaccess").

Files that begin with a dot are hidden from regular file listing (ls) commands. To see files that begin with a dot, do a complete file listing command (ls -a) or see this other FAQ.

The .htaccess file should contain the following 4 lines:

    AuthType Basic
    AuthName "Some Description"
    AuthUserFile /[home dir full path]/[passwordfile]
    Require valid-user

For example, if your domain was example.com, then the third line would read:

    AuthUserFile /www/vhosts/e/example.com/allowlist

In the above example, "allowlist" is the name we've chosen for the password file. Next, you need to create the password file itself, using the filename that matches what you put as [passwordfile] in the .htaccess file. Using our example, you would do this at a command prompt by typing:

    htpasswd -c allowlist myuser

Once you've done the above step, you will be prompted twice for the user's password. If you just want to add another user to an existing password file, or change the password for a user already in the file, leave off the -c option: -c creates the password file and overwrites an existing one. To learn more about the "htpasswd" command, you can read this documentation page. You can also type "htpasswd" by itself to see all of the command's options.
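A check for the manual setup above, as an added example that is not Modwest's own code: it confirms that the four directives are present, that AuthUserFile is a full path to an existing file outside the web-served tree, and that .htaccess is world-readable as the user notes below require. The function name check_htaccess and its second argument (the document root, for example htdocs) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Modwest's code): audit a directory protected as in this FAQ.
# check_htaccess DIR DOCROOT prints one line per problem and returns the count.
# DOCROOT (the web-served tree, e.g. htdocs) is an assumed second argument.

fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

# True if .htaccess has directive $1 (optionally with first argument $2).
has() {
    awk -v d="$1" -v v="$2" \
        'tolower($1) == d && (v == "" || tolower($2) == v) { f = 1 } END { exit !f }' "$ht"
}

check_htaccess() {
    ht="$1/.htaccess" docroot=${2%/} problems=0
    [ -f "$ht" ] || { fail "no .htaccess in $1"; return 1; }

    # The four directives the FAQ lists.
    has authtype basic     || fail "AuthType Basic missing"
    has authname ""        || fail "AuthName missing"
    has require valid-user || fail "Require valid-user missing"

    # AuthUserFile must be a full path to an existing file that the web
    # server cannot hand out, i.e. one that is not under the document root.
    # (Plain string prefix test: symlinks and ".." are not resolved.)
    pw=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht" | tr -d '"')
    case $pw in
        "") fail "AuthUserFile missing" ;;
        /*) [ -f "$pw" ] || fail "password file $pw does not exist"
            case $pw in "$docroot"/*) fail "password file is under $docroot" ;; esac ;;
        *)  fail "AuthUserFile is not a full path: $pw" ;;
    esac

    # Per the user notes, the web server reads .htaccess as "other", so the
    # last permission digit must include read (644 works, 640 does not).
    perms=$(ls -ld "$ht" | cut -c1-10)
    case $perms in
        -??????r??) ;;
        *) fail ".htaccess is not world-readable ($perms)" ;;
    esac
    return "$problems"
}

# Usage: sh check.sh htdocs/www/private htdocs
if [ $# -eq 2 ]; then check_htaccess "$1" "$2"; fi
```
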

Removing Folder Password Protection - Manual Method
You can delete the .htaccess file from the command prompt by typing:

    rm htdocs/www/.htaccess

(where htdocs/www/ was the directory that you put the .htaccess file in to begin with).

Removing Folder Password Protection - Using Onsite Control Panel Tool
In the Onsite Control Panel, click on Folder Password Protection. Click the 'remove' link next to the directory you want to remove from password protection.


Note: When using the Onsite Control Panel Tool, a backup of any existing .htaccess file is automatically created and is named .htaccess.bak. When using the Onsite Control Panel Tool to remove folder password protection, you may need to manually modify the backup copy and rename it back to .htaccess

User-Contributed Notes

15-Apr-2002 16:08
The .htaccess file goes in the directory you want to protect. 
The passwordfile (allowlist) that you create by running the htpasswd
command should go in your home directory.

ryan -at- ryansims.com
31-May-2002 10:36
Be sure your .htaccess file is CHMOD'd to 644.

john -at- johnmasterson.com
24-Jun-2002 14:01
In case your FTP client doesn't show your .htaccess file:

I've found it much easier just to 'turn on' hidden files with the
"Remote file mask" switch: -la 

WS_FTP calls it "Remote file mask" while FTPVoyager refers to it as
"Extra LIST Parameter" so naturally it stands to reason your mileage may
vary.


08-Nov-2002 20:29
The last bit of the chmod permissions on the .htaccess file must be at
least 4 (644, 604, 605, 705, 775, etc). You cannot make it 640 because
then apache cannot read it (since it is not in your group), and you
cannot chgrp the file to be group owned by apache because you are not a
member of the apache group either.

sam -at- afifi.com
06-Sep-2003 02:32
Or an even easier method .. the .htaccess manager .. it does this all
for you.

see : http://htaccess.technotrade.com

Aloha

21-Jul-2004 15:40
If you want to protect only certain files in a directory, then put the
protection directives from the above FAQ inside of a FilesMatch
container like so:

<FilesMatch "secret.html$">
  AuthType Basic
  AuthName "Some Description"
  AuthUserFile /full/path/to/passwdfile
  Require valid-user  
</FilesMatch>

The match pattern is a regular expression, so it can be used to match
more than 1 file: <FilesMatch "(private|secret).html$">. That would
protect private.html and secret.html and no other files.

info -at- movie2b.com
29-May-2008 18:55
In case you are using FTP Voyager (as I do) you can also use "GET
.htaccess" command to get hidden .htaccess file.

famousfolder -at- gmail.com
29-Nov-2008 04:04
Just be very careful with htaccess as it can screw up your whole site
especially if you're running things SEO friendly.

anonymous -at- example.com
12-Apr-2009 10:36
It appears that if the chmod permissions of the password file are 644
then HTTP authentication is required for accessing files each time, but
if it is set to 664 then only the first file access requires HTTP
authentication.

Modwest PHP Hosting      Copyright 2000-2009 by Modwest, Inc.