How to use .htaccess to restrict access by username and password

  1. Create a file to store the encrypted credentials
  2. Generate the username and password combinations for the file
  3. Modify htaccess to use this file for credentials

Create the credentials file

  • Get the exact path to your web content folder on your web server. You will need this exact path in order activate the security in your .htaccess. Most hosting control panels will show you the filesystem path.

    You can also use PHP to display it for you using the following code:
    <?php print(dirname(__FILE__)); ?>
    Create a file INSIDE of your web content folder, paste the above code into it and browse to it. You will see the full path displayed, make a note of the full path and delete the file.

    For example: if you created 1.php, browse to You will see the full path, copy it and then delete the 1.php file.

  • Create a folder OUTSIDE of the web content folder.

    For example: if your web folder is /home/site/public_html you create /home/site/security. Note that it is not inside of public_html.

  • Create a blank file within this new folder, beginning with a period (the period means the file is hidden). It is commonly named .htpasswd, though you can name it anything you wish. If you are going to have different directories that need separate user lists then you would need to use different file names.

    For example, you could create .employees, .clients to have different lists of authorized users.

Generate each user's credentials

Now, you generate the different user's encrypted credentials and paste them into the blank file you just created. Each user's credential should be on a separate line.

Use this tool to generate the credentials. We do not log this data

Activate the protection

  • Create or modify .htaccess in the directory you want to restrict.

    For example: If your web content folder is /home/site/public_html, and you want to restrict access to the entire site, place the .htaccess file there.

    You can also protect subdirectories by placing an .htaccess file within them.

  • Paste the following into the .htaccess file

    AuthType Basic
    AuthName "Secured Site"
    AuthUserFile /the/path/to/your/security/.htpasswd
    Require valid-user

    Please note, as soon as you save this it is activated. Make certain you test.

    For example: If you want the browser to say "Client Site" and if you placed your .htpasswd file in /home/site/security then you would use this for your .htaccess:

    AuthType Basic
    AuthName "Client Site"
    AuthUserFile /home/site/security/.htpasswd
    Require valid-user


Do not replace an existing .htaccess file, paste the above at the top of the file.

If you want different users for different sections then you have to use different password files

If you secure a folder all children folder inherit this, unless you explictly define an .htaccess file in a subdirectory. To turn off authentication in a child directory use this in the .htaccess file in that directory:

Require all granted

SELERUM @ your service