How to Password Protect a Site Using .htaccess

How to Password Protect a Site Using Htaccess

Last Edited September 11, 2023 by Garenne Bigby in Search Engine Optimization

You’ve likely come across a website or a webpage that has generated a pop-up box asking you for a username and password. Without either or the right combination of both, you can’t access that page or website.

There are numerous reasons for wanting to password protect a site or a portion thereof. It adds security to your content by giving you control over who has access to the information. There are also a number of ways for you to password protect your site or certain pages thereof, including the use of JavaScript, PHP, or the Htaccess file.

Why Would You Want to Password Protect Your Pages?

As mentioned in our introductory paragraph, there are a number of valid reasons for wanting to password protect either your whole site or a portion of it. We also alluded to the number of different ways in which you could do so.

Our top recommendation is the make use of the Htaccess method, as it offers the most secure means of protecting your site and/or pages. This is because the method relies on your server, meaning the valid usernames and passwords are almost never shared or accessible via the browser. Nor are they stored in HTML, as is the case with other methods.

Before we take a look at how to password protect a site using Htaccess, let us consider four of the most common reasons for wanting or needing to do so.

  • When renovating or doing a major update to your website, you don’t want users to be able to access the work in progress. By password protecting these sections of your site, you can ensure that only you and the developers are able to view the new site until it is ready to launch.
  • You may have private sections on your website that you don’t want to be made available to general users, and limit access to these pages to specific people that you know (personally and/or professionally) and trust.
  • Depending on your business, you may have a library of content that only paid users may have access to. By setting up password protection, you ensure that paying members are the only ones who are able to view said content.
  • Alternatively, you may have a forum or select content that you only want to make available to select users (not necessarily paying visitors, but these as well).

To password protect your site, directories, or pages, you need two things: a password file, and an Htaccess file.

Creating the Password File

This is done in three easy steps:

  1. Open a new text file (we recommend using Notepad or— even better—Notepad++). This file will be named .htpasswd—note the period in the beginning.

  2. Enter a username and password combination. For creating strong passwords, we highly recommend making use of a password generating tool. There are free and premium versions available online, such as this one that allows you to choose the number and type of characters used as well as showing you an easy method for remembering the generated password. Important: each username and password combination must be entered on a new line in your file.

  3. Save the file and upload it to a directory on your web server. The directory should not be live! Most hosting companies running with the cPanel control panel module have a home directory file, which is where you’ll want to upload your .htpasswd file.

Creating the Htaccess File

This part requires a few extra steps.

Step 1. The first step is to go back to Notepad or Notepad++ and open a new file once again. This one will be called Htaccess (again, please take note of the period at the beginning).

Step 2. The following five lines of code need to be added to the file: 

  • AuthUserFile /path/to/htpasswd/file/.htpasswd
  • AuthGroupFile /dev/null
  • AuthName “Name of Area”
  • AuthType Basic
  • require valid-user

Step 3. Next, you need to change “/path/to/htpasswd/file/.htpasswd” (line 1) to the actual path leading to the .htpasswd file you entered earlier. For example, for a site called with the control panel username “exam,” this would likely be something along the lines of “/exam/home-dir/.htpasswd.” Please note that this is only an example, and that structure will likely differ.

Step 4. “Name of Area” (line 3) needs to be changed to the name of your site, or the section of your site that needs to be protected. Following the example outlined in point 3 above, this could be “” (in the case of the whole site) or “”

Step 5. Save the Htaccess file and upload it into the directory that you want to have protected.

Step 6. Finally, you should test whether or not your password works by attempting to access the protected URL. If the password itself does not work, you’ll have to go back to the .htpasswd file to ensure that it is entered correctly there (remember, passwords are more often than not case-sensitive). On the other hand, if you are able to access the URL without being prompted for a username and password at all, you’ll need to contact your servicer administrator to ensure that Htaccess is enabled for your site

A Final Word of Advice

This section is most appropriate for site managers who want or need to password protect their entire site but is also useful to read for those wanting to only protect a section of their site.

Before you create your Htaccess file, login to your control panel and navigate to the File Manager section. Enable “show hidden files,” as by default you will not be able to view files preceded by a period. If you need help with this, please contact your web host’s support team.

In the case of cPanel especially, there will already be a Htaccess file present in your public_html folder, which is where your website resides in full. For password protecting your entire site, this is the same directory you will need to upload your Htaccess file too.

However, you do not want to break your site by overwriting the existing file accidentally. If there is an existing Htaccess file, then edit it rather than replacing it. You may find that there are other lines of code already there, so simply follow the above directions by adding the necessary lines beneath the existing code.

Garenne Bigby
Author: Garenne BigbyWebsite:
Founder of DYNO Mapper and Former Advisory Committee Representative at the W3C.

Create Interactive Visual Sitemaps

Discovery has never been easier.

Sign up today!