Password Protecting Directories on Web Sites
(Using .htaccess Files)

Domain web site customers have the ability to password protect directories that are available to the internet. By creating something called a .htaccess file and uploading it to the directory you wish to protect, a user can assign user names and passwords to this directory. This document will explain the contents of a .htaccess file and what's involved in setting up username/password protection for a web directory.

After reading this document, if you have any questions about setting up username/password authentication for a web directory, please e-mail


Explanation of .htaccess and password files

Contents of a .htaccess file

AuthType Basic
AuthName "Members Only Area"
AuthUserFile /webusers/home-dir/password-file
require valid-user

Explanation of the AuthName field

The AuthName field is just the text the gets displayed on the username/password pop-up box. This is for informational purposes, and does not effect the functionality of the authentication.

Explanation of the AuthUserFile field

The AuthUserFile specifies where the location of the username/password file is. Normally you want to make this field "/webusers/home-dir/password-file", where "home-dir" is the name of the user account of the web site, and "password-file" is the name of the username/password file you wish to use. For example, let's say the user account used to FTP to the web site and make changes, is jsmith and the password file name we want to use is member-passwords. We would set the AuthUserFile field to the following:

AuthUserFile /webusers/jsmith/member-passwords

Building a username/password file

The username/password file is just a plain text file, that using colon delimiters to separate fields. A username/password file is made up of the following fields:


The username field is the name of the user you wish to allow access to an area. The crypted-password field is the encrypted version of the password you wish to use with this user, to allow access to an area.

This file can be created using a text editor (in Microsoft Windows, it's best to use wordpad to create and edit this file). Because the password field needs to be the encrypted version, we need a program or something to convert the plain text password to the encrypted version. There are a couple of methods you can use to do this, but the easiest is to use the following link:

In the Username and Password fields, enter in the username and password you wish to use. Then click the "Submit-It" button. You will then be brought to a page which will look like the following:


In this case, the username was "jsmith", and the password I put in was "badpassword". You can see here the password got encrypted to
qswoBji.QimIY. Next, copy this line and paste it into the password file you are creating. If you have multiple accounts, repeat this process, putting each account on its own separate line. Once the password file is done and contains all the usernames and passwords you want, save the file as the filename you want (i.e. member-passwords).

Uploading the .htaccess and password file and restricting access to web directories

The next step will be to upload the .htaccess file and password file to the appropriate directories, so that we can restrict access to a certain web directory. First thing is we will need a web directory that we wish to restrict access to. In this case, it will be the following directory:


Using an FTP client (like WS-FTP), we are going to upload the .htaccess file into:


directory. The reason for this, is because this is the directory we wish to protect. If we had different directories we want to protect with separate user files, we would put a configured .htaccess file into each directory we wanted to protect. After uploading the .htaccess file, we then upload the member-passwords file into the:


directory. The reason we want to put the member-passwords file into the /webusers/jsmith directory is because only content in the public_html directory is accessible from the internet. And by putting the password file into home directory, jsmith (the directory before public_html), we prevent people on the internet from being able to download the password file.

Once these files have been uploaded, whenever a user attempts to access any content or directories in the members-only directory, they will need a valid user name and password that matches what's in the members-passwords file. If you need a FTP program for the purpose of uploading your .htaccess and password file, you can download one at the following web address:

Issue creating .htaccess file in Microsoft Windows

If you are having issues creating a .htaccess in Microsoft Windows, the following procedure may provide a solution:

1. Instead of creating a file called .htaccess, call the something different like my-htaccess (with no period in the front).
2. Once this "my-htaccess" file has been configured, upload it to the directory to restrict access to.
3. Once this file in the correct directory on the server, using your FTP client (like WS-FTP), rename the file from my-htaccess to .htaccess.