Blog | G5 Cyber Security

Protecting Folders with .htaccess & .htpasswd

TL;DR

.htaccess and .htpasswd can add a basic layer of password protection to folders on your web server. They’re easy to set up but aren’t foolproof – they won’t protect against determined attackers or secure sensitive data. Use them for simple access control, not as a replacement for proper security measures.

How it Works

.htaccess files are configuration files that allow you to modify the behaviour of your web server (usually Apache) on a per-directory basis. .htpasswd files store usernames and hashed passwords. When someone tries to access a protected folder, the server asks for a username and password. If they match an entry in .htpasswd, access is granted; otherwise, it’s denied.

Setting up Password Protection – Step-by-Step

  1. Create an .htaccess file: In the folder you want to protect, create a new text file named .htaccess (note the dot at the beginning).
  2. Add basic authentication directives: Open the .htaccess file in a text editor and add the following code:
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
    • AuthType Basic: Specifies basic authentication.
    • AuthName "Restricted Area": The message displayed in the password prompt box. Change ‘Restricted Area’ to something appropriate.
    • AuthUserFile /path/to/.htpasswd: The full path to your .htpasswd file on the server. Important: Replace /path/to/.htpasswd with the actual path! This is often a location *outside* of your web root directory for security reasons.
    • Require valid-user: Requires any user listed in the .htpasswd file to access the folder.
  3. Create an .htpasswd file: You’ll need a tool to create this file, because the passwords must be stored as hashes in a format Apache understands. On Linux/macOS, you can use htpasswd from the command line:
    htpasswd -c /path/to/.htpasswd username
    • -c: Creates a new .htpasswd file. Use this *only* when creating the first user.
    • /path/to/.htpasswd: The full path to where you want to save the .htpasswd file (same as in your .htaccess).
    • username: The username for the new account. You’ll be prompted to enter a password twice.

    To add more users later, omit the -c flag:

    htpasswd /path/to/.htpasswd anotherusername
  4. Test it: Try accessing the protected folder in your web browser. You should be prompted for a username and password.

Important Considerations

  1. Security Risks: .htaccess protection is relatively weak. With Basic authentication the browser sends the username and password base64 encoded, not encrypted, with every request to the protected folder. Anyone with access to the server can view the .htpasswd file.
  2. Location of .htpasswd: Never store your .htpasswd file inside your web root directory (e.g., public_html or www). This makes it accessible via a browser if misconfigured. Place it in a secure location outside the web server’s document root.
  3. HTTPS: Always use HTTPS to encrypt communication between the user and the server, even with .htaccess protection. Otherwise, passwords could be intercepted.
  4. Alternatives: For better security, consider using your hosting provider’s control panel features for password protection or implementing more robust authentication methods like two-factor authentication.
  5. Apache Configuration: Ensure that Apache is configured to allow .htaccess files (AllowOverride All) in the relevant directory within your main server configuration file.
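To make the server-side check from the setup steps concrete, and to illustrate consideration 1 above, here is an added example (not code from the original post, and not Apache’s own implementation) that models what Apache does for Require valid-user: it decodes the Authorization header a browser sends, looks the user up in .htpasswd-style text, and compares the password with the stored hash. The username, password and .htpasswd contents are constructed for the example. The {SHA} format written by htpasswd -s is implemented with the standard library; bcrypt entries written by htpasswd -B are verified only if the third-party bcrypt package is installed, and anything else fails closed.

```python
"""Model of Apache's Basic-auth check for a folder protected with .htaccess/.htpasswd.

Added example, not from the original post. Supported stored-hash formats:
  {SHA}  base64(SHA-1 digest)  as produced by `htpasswd -s`
  $2y$   bcrypt                as produced by `htpasswd -B` (needs the `bcrypt` package)
"""
from __future__ import annotations

import base64
import hashlib
import hmac
from typing import Optional, Tuple

try:
    import bcrypt  # optional third-party package; only needed for $2y$ entries
except ImportError:
    bcrypt = None


def parse_htpasswd(text: str) -> dict:
    """Return {username: stored_hash} from .htpasswd text, skipping blanks and comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        users[name] = stored
    return users


def sha_entry(password: str) -> str:
    """Build a {SHA} entry the way `htpasswd -s` does: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_password(password: str, stored: str) -> bool:
    """Compare a candidate password with one stored hash, in constant time."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha_entry(password), stored)
    if stored.startswith(("$2y$", "$2b$", "$2a$")):
        if bcrypt is None:
            return False  # cannot verify bcrypt without the library: fail closed
        return bcrypt.checkpw(password.encode("utf-8"), stored.encode("ascii"))
    return False  # unknown or plaintext scheme: fail closed


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:pass)>'.

    This is encoding, not encryption: anyone who sees the header recovers the
    credentials with a single decode, which is why HTTPS is required.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authorize(header: Optional[str], htpasswd_text: str) -> int:
    """Return the HTTP status Apache would produce for `Require valid-user`:
    401 when credentials are missing or wrong, 200 when they match."""
    if not header:
        return 401
    creds = parse_basic_header(header)
    if creds is None:
        return 401
    user, password = creds
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None:
        # Hash anyway so response timing does not reveal which usernames exist.
        check_password(password, sha_entry("dummy"))
        return 401
    return 200 if check_password(password, stored) else 401


def basic_header(user: str, password: str) -> str:
    """What a browser sends after the user fills in the password prompt."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Constructed sample .htpasswd: one {SHA} user created with this module's own helper.
SAMPLE_HTPASSWD = "# sample .htpasswd\nalice:" + sha_entry("correct horse") + "\n"

if __name__ == "__main__":
    hdr = basic_header("alice", "correct horse")
    print(hdr, "->", parse_basic_header(hdr))  # the header decodes straight back
    print(authorize(hdr, SAMPLE_HTPASSWD))  # 200
    print(authorize(basic_header("alice", "wrong"), SAMPLE_HTPASSWD))  # 401
    print(authorize(None, SAMPLE_HTPASSWD))  # 401
```

Running the block prints the Authorization header next to its decoded form, which is the whole of consideration 1 in one line: without HTTPS, anyone on the path between browser and server can read it. The dummy hash on an unknown username keeps the reject path roughly as slow as the accept path, so the response time does not confirm which accounts exist.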

Troubleshooting
