How to password protect a file using .htaccess?

Before we explain how to enable password protection for a single file or a group of files using .htaccess, we want to give some background on how to enable password protection in the first place. If you are in a rush or you’re just not interested in that then go ahead and jump to the section labelled “Summary of how to enable password protection in .htaccess”.




The Apache .htaccess file allows you to password protect individual files on your web server so that you need to enter both a username and password in order to even access those files. There’s a lot of different reasons for wanting to password protect a file on your web server. One possible reason is that you simply want to restrict the public from being able to view that file on your server without a proper username and password.

Using .htaccess password protection to prevent a brute force attack

Another possible reason might be that you are trying to prevent hackers from attempting a brute force attack on your WordPress website. A brute force attack is where hackers try many different combinations of passwords in the hope that one will work and that they can then get into your WordPress backend. So, one commonly used method of preventing brute force attacks is to password protect the login file (called wp-login.php in WordPress) using a .htaccess file.

Whatever your reason may be for wanting password protection, let’s now go through how to actually enable password protection of a file using .htaccess.

How to enable password protection in .htaccess

Let’s first go through what a sample .htaccess file should look like if we want to enable password protection in the .htaccess file. Then we will explain in detail what each part means. Here is the sample .htaccess file:

    AuthName "Restricted"
    AuthType Basic
    AuthUserFile /home/username/.wp-admin
    require valid-user

In order to turn on password protection, at the very minimum we must use the AuthType, AuthName, AuthUserFile, and require directives.

The AuthType Directive

The AuthType directive will just tell Apache what level of authentication should be used. We just set it to “Basic” for the simplest form of authentication. The other options for AuthType are None – which means no authentication – Digest, and Form, which both provide higher levels of security than “Basic”.

The AuthUserFile Directive

The AuthUserFile is a directive used to specify the file that will be used to store the username and password. More specfically, the AuthUserFile directive specifies the actual path to the file that stores the username and password.

The file name used for the AuthUserFile can be anything you want it to be. The typical name used is .htpasswd. But, you can even use something like .wp-admin, which is a commonly used name for sites running WordPress.

What to put inside the .htpasswd file

Inside the .htpasswd file, you will need to put in a username and an encrypted password – this will be the username and password input by anyone who tries to access the password protected file or directory. You will need to come up with an encrypted password by looking at the examples on this page: http://httpd.apache.org/docs/current/programs/htpasswd.html. You can choose the username to be used inside the .htpasswd file as well.

Understanding the AuthName directive

The AuthName directive is used to set the Realm that will be used during authentication. In our example above we just set the Realm to “Restricted” – note that this is just an arbitrary string and we could have set it to anything we wanted, like “Security Zone”. What exactly is the Realm? Well, there are 2 primary functions of the Realm. The first thing is that the browser displays the string used to define the Realm – in this case, “Restricted” – inside the password dialog box (where the user is prompted to input the username/password combination). The second function of the Realm is that it is used by the browser to figure out which password should be used for an authenticated area.

This means that once a user has already input a valid password for the “Restricted” area, the browser will automatically retry that same password for any area on that server that is marked using the “Restricted” realm. So it basically means that the user may not have to be prompted multiple times for the same password as long as he/she is trying to access files/directories that share the same realm.

With that said, if you just want to password protect a single file or a single directory, you probably will not be concerned with the realm set by the AuthName directive. And you can just use any arbitrary string that comes to mind for the AuthName directive – it should not matter to you (unless of course your server administrator says otherwise!). But, we wanted to actually explain what the AuthName directive means instead of just telling you to use it.

Understanding the require directive

The require directive is used to tell Apache which users should be let in to view the restricted material. In this case we just say require valid-user, which just means that all we want is a user who has input the right credentials – the correct username and password basically. The Require directive could accept valid user names, or even a group of valid user names.

Summary of how to enable password protection in .htaccess

Now that you understand (hopefully) all the details of what goes into the .htaccess file, let’s summarize the steps that go into enabling password protection in the first place.

First, if you just want to password protect a file, you will need to start by creating an .htaccess file in the same directory as that file. Or, if an .htaccess file already exists then you can simply add the code we show below. You can use this sample .htaccess file:

<Files "somepage.html">
    AuthName "Restricted"
    AuthType Basic
    AuthUserFile /home/username/.htpasswd
    require valid-user
<Files>


You will need to change the text “somepage.html” to the name of the file that you would like to password protect. The Files directive tells Apache which file needs to be password protected.

Second, you will need to create a .htpasswd file. You should place this file somewhere on your server where it can’t be accessed by the public. And, of course you will need to change the path specified by the AuthUserFile directive so that it correctly points to the .htpasswd file. In the example above, we just assumed the .htpasswd file is in a directory named /home/username.

Inside the .htpasswd file, you will need to put in a username and an encrypted password – this will be the username and password input by anyone who tries to access the password protected file or directory. You will need to come up with an encrypted password by looking at the examples on this page: http://httpd.apache.org/docs/current/programs/htpasswd.html. You can choose the username to be used inside the .htpasswd file as well.

How to password protect all files with a certain name

If you want to password protect all files with a given name using .htaccess then you can use the FilesMatch directive. You would need to enclose the directives inside a FilesMatch directive. For example, if we want to password protect any file with the name of “wp-login.php”, we would do something like this:

<FilesMatch "wp-login.php"%gt;
    AuthName "Restricted"
    AuthType Basic
    AuthUserFile /home/username/.wp-admin
    require valid-user
</FilesMatch>

Hiring? Job Hunting? Post a JOB or your RESUME on our JOB BOARD >>

Subscribe to our newsletter for more free interview questions.