Website Password Protection
Website Password Protection

Website Password Protection


The typical and most common method to password protect a website directory is Basic Authentication. What is Basic Authentication? It is the more common method to password protect a directory. HTTP Basic Authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it doesn’t require cookies, sessions, or login pages. Rather, HTTP Basic Authentication uses standard fields passed by the browser. You authenticate via browser popup, and then the same credentials are automatically passed to the web server every time you request a resource (image, video, web page, etc.) in the password protected directory.


There are two main components required for Basic Authentication: .htaccess file and password file. Let’s start with the .htaccess file. A .htaccess (hypertext access) file is a directory-level configuration file supported by Unix web servers. The .htaccess file is used for configuration of site-access issues, such as password protection. To implement password protection in a n a given directory, you create a .htaccess file in that directory which contains authentication directives (commands to server). For example:


AuthName “Restricted Area”
AuthType Basic
AuthUserFile /full/server/path/to/passwordfile
require valid-user


Line 1: It is the name that appears in the browser authentication popup. If more than one word, it needs to be encapsulated in quotes.

Line 2: Denotes the authentication as type Basic. There are others, but Basic Authentication is most common.

Line 3: Full or absolute server to password file.

Line 4: Implements authentication. If the line is missing, no authentication or password protection.


The second file is the password file. Commonly it is called .htpasswd. However, it can have any name. The preferred name is one that begins with a dot. Normally dot files (like .htaccess and .htpasswd) are not served by the web server. This is for security so if someone discovered the location of the password file, they cannot enter the URL to the file to read it via their browser. For added security, the password file should NOT be web accessible. The file should be located outside the public html root. The format of the file is as follows:




The username is unencrypted (plain text), whereas the password is encrypted. Each entry is on a  separate line delineated by a carriage return (newline).


We provide an online tool which creates both the .htaccess file and password file: PassProtector. This tool does all the work, including encrypting the passwords. All that is left to do is to upload the .htaccess file and password file to your server: .htaccess file to directory you are password protecting, and the password file to the location specified in the .htaccess file. Very quick and easy to do.

Leave a Reply