Folder - City of Bath College Moodle

Password Protection of Website Directory (Folder)
This exercise is based on a local testing server (WAMP), which runs the Apache web server.
Password-protecting a directory (folder) allows only administrators and developers to reach the web pages and files in it and stops other users from accessing them. Traditionally the files that restrict access are set up from a command shell (see the section on Telnet at the end of this document; use SSH rather than Telnet whenever you have the choice, because Telnet sends your login password and everything you type unencrypted). You can also use a web application, such as www.htaccesstools.com, to generate the files that restrict access to a specific user (or list of users). Alternatively, if you have a live website with a hosting service, e.g. iPage.com, you may have to set this up through the host's control panel or ask a technician, e.g. by live chat, for instructions.
.htaccess = hypertext access. .htaccess files are read by the Apache server, not by the browser; Apache's default configuration refuses to serve any file whose name begins with .ht, because letting a browser download them would reveal your access rules and the location of the password file. .htaccess is part of the Apache system. An ordinary user cannot view or open the file in a browser; the web developer using an FTP client can see it listed in the remote window (the server folder). .htaccess files let you override certain server settings for one directory and everything beneath it, most often security settings, without editing the main server configuration.
Create a .htpasswd password file
.htpasswd files are used when password-protecting a website or a directory.
It is recommended to name the password file .htpasswd; Apache's default configuration already refuses to serve files whose names start with .ht, so a file with this name cannot be downloaded even if it ends up inside the website.
The location of the .htpasswd file is specified in a second file, .htaccess.
It is advisable to place the password file outside the public directory of the website (the document root), where no URL can reach it at all.
The passwords are not stored in a recoverable form: they are hashed, not encrypted, so there is no key that turns the stored value back into the password. The htpasswd utility and most online generators use an Apache-specific salted and iterated MD5 scheme, recognisable by the $apr1$ prefix; it was always the default on Windows and is now the default on all platforms (older Unix versions of htpasswd defaulted to the even weaker crypt() scheme, which is why this handout singles out Windows). Current versions of htpasswd also offer bcrypt with the -B option, which is far slower to guess against and is preferable when the server supports it.
There can be more than one username and password, one entry per line.
Each line of .htpasswd contains the username in plain text (unencrypted), a colon, and the hashed password, e.g. for a user kurt:
kurt:$apr1$dHjB0/..$mkTTbqwpK/0h/1$.mkTTb
(This line is a typed illustration of the layout; a real $apr1$ value is exactly the prefix, an 8-character salt, a $ and 22 further characters, as in the generator example below.)
An online .htpasswd generator, www.htaccesstools.com/htpasswd-generator, can produce an entry with user name and hashed password, which you then copy and paste into a file saved as .htpasswd. Example:
Username: alansebrill
Password: journey
Generated entry: alansebrill:$apr1$9.m5dEw/$CkD0Nwueiiv0JpmYbXlTr0
Note that an online generator receives the plain-text password you type into it. For anything other than a throwaway test account, generate the entry locally with the htpasswd utility described at the end of this document.
Create a configuration file .htaccess

The configuration file .htaccess must be present in the directory for the Apache server to restrict access to that area of the server. The main server configuration must also permit it: the directory needs AllowOverride AuthConfig (or AllowOverride All). If no login prompt ever appears, that is the first thing to check or to ask your host about.
www.htaccesstools.com/htaccess-authentication/ is an online web application that can generate the code for the .htaccess file. The code can also be typed using a text editor.
1. Create the .htaccess file using Dreamweaver, Notepad++ or another plain-text editor. It needs four lines:
AuthName "Restricted"
AuthType Basic
AuthUserFile /path/to/.htpasswd
Require valid-user
AuthName is a label of your choice that the browser shows in its login prompt; put it in quotes if it contains spaces. AuthType Basic selects HTTP Basic authentication. AuthUserFile is the full filesystem path of the password file (not a URL, and the name must match the file you created, i.e. .htpasswd); the file must be readable by the web server and should ideally lie outside the public directory. Require valid-user admits any user listed in that file; to admit only named users, write Require user alansebrill kurt instead.

AuthUserFile needs the absolute server path of the password file. If you do not know it, upload a small PHP file (saved as find_directory_path.php) to the folder and open it in a browser; here is the code:
<?php
// Print the absolute filesystem path of the directory this script is in,
// and the path a .htpasswd file placed alongside it would have.
$dir = dirname(__FILE__);
echo "<p>Full path to this dir: " . htmlspecialchars($dir) . "</p>";
echo "<p>Full path to a .htpasswd file in this dir: " . htmlspecialchars($dir . "/.htpasswd") . "</p>";
?>
Then copy the full path into the AuthUserFile line of the .htaccess file. Delete find_directory_path.php from the server once you have the path: it tells anyone who finds it exactly where your files live.
2. Upload the .htaccess file to the directory that you want to protect, using an FTP client such as Dreamweaver. Make sure the file is not saved as .htaccess.txt (Notepad adds .txt unless you choose "All Files" when saving); Apache ignores a file with that name.
3. Open a page in the protected directory in a browser. You should be asked for a username and password before it is shown.
Using Telnet
This section is for interest if you know how to use a command shell. If you have shell access to your web hosting account, either via Telnet or Secure Shell (SSH), you can create the password file with Apache's own htpasswd utility. Prefer SSH where it is offered: Telnet sends your login password in clear text.
1. Use your Telnet or SSH software and log into your shell account.
2. Go to your home directory with the command cd (on its own, cd switches you to your home directory).
3. Type the following command (the username should be a single word):
htpasswd -c .htpasswd username
4. -c creates a new file, overwriting an existing file of that name if present. Leave -c out when adding further users to an existing file, otherwise the earlier entries are lost.
5. You will then be prompted to enter (and confirm) the password for that user.
6. The htpasswd utility creates a file called .htpasswd in your current directory.
7. Enter the command to view the content of the file:
cat .htpasswd
Example content:
alansebrill:$apr1$9.m5dEw/$CkD0Nwueiiv0JpmYbXlTr0
8. Check the permissions on the file with the command:
ls -al .htpasswd
Example output:
-rw-rw-rw- (...etc...) .htpasswd
rw = read/write, listed three times: 1st the owner of the file (you), 2nd everyone in your group, 3rd everyone with an account on the machine. Remove the write permission from everyone except you, but leave the file readable, because the web server normally runs as a different user and must be able to read it:
chmod 644 .htpasswd
9. Move the password file to the location (path) given in the AuthUserFile line of the .htaccess file. Use the command:
mv .htpasswd path
Upload an index.php or index.html file to the protected directory and open it in a web browser. A prompt for a user name and password should appear. Entering a username and password from the file should make the page viewable.
Password protection applies to a directory (and everything beneath it, including subdirectories), not to individual files. With Basic authentication the browser sends the username and password with every request, merely base64-encoded rather than encrypted, so anyone who can watch the traffic can read them; only use this over HTTPS. The files themselves are not encrypted on the server, and anyone with access to the filesystem can read them. This facility is therefore not suitable on its own for protecting personal, private or confidential information.
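The following Python script is an added worked example, not part of the College handout and not Apache's own code. It implements the $apr1$ hash that htpasswd and the online generator produce, so that you can check whether a .htpasswd line is well formed, generate an entry locally instead of typing a password into a website, verify a password against a stored entry, and see what the server does with the Authorization header a browser sends after the login prompt (which is also why the closing note above says the credentials can be intercepted). The sample file content is constructed from the two entries shown earlier in the handout; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"

def _to64(value, count):
    """Encode the low 6*count bits of value with the crypt(3) alphabet."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def apr1_hash(password, salt):
    """Apache's apr_md5_encode(): '$apr1$' + 8-char salt + '$' + 22 chars of iterated MD5."""
    pw, salt = password.encode(), salt[:8]
    s = salt.encode()
    ctx = hashlib.md5(pw + MAGIC.encode() + s)
    alt = hashlib.md5(pw + s + pw).digest()
    n = len(pw)
    while n > 0:  # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:  # one byte per bit of len(pw): NUL for a 1-bit, pw[0] for a 0-bit
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    f = ctx.digest()
    for i in range(1000):  # 1000 rounds of stretching, as in md5crypt
        c = hashlib.md5(pw if i & 1 else f)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(f if i & 1 else pw)
        f = c.digest()
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return MAGIC + salt + "$" + enc

def is_well_formed_apr1(digest):
    """Exactly the prefix, an 8-char salt, '$' and 22 chars, all from the alphabet."""
    parts = digest[len(MAGIC):].split("$") if digest.startswith(MAGIC) else []
    return (len(parts) == 2 and len(parts[0]) == 8 and len(parts[1]) == 22
            and all(c in ITOA64 for c in parts[0] + parts[1]))

def verify_password(digest, candidate):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    if not is_well_formed_apr1(digest):
        return False
    salt = digest[len(MAGIC):].split("$")[0]
    return hmac.compare_digest(apr1_hash(candidate, salt), digest)

def make_entry(user, password, salt=None):
    """Build a 'user:hash' line as htpasswd does, with a fresh random salt."""
    if not user or ":" in user or any(ch.isspace() for ch in user):
        raise ValueError("user name must be a single word without ':'")
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"

def load_htpasswd(text):
    """Parse file content into {user: digest}; blank and '#' lines are skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    return dict(ln.split(":", 1) for ln in lines if ln and not ln.startswith("#") and ":" in ln)

def basic_header(user, password):
    """Client side: what a browser puts in the Authorization header after the prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authenticate(authorization_header, htpasswd_text):
    """Server side of HTTP Basic: decode 'Basic base64(user:pass)', then verify."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:  # base64 is an encoding, not encryption: anyone on the path can do this too
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    digest = load_htpasswd(htpasswd_text).get(user)
    return digest is not None and verify_password(digest, password)

# Constructed sample: line 1 is the handout's generator output, line 2 its hand-typed
# 'kurt' line, which has three '$'-separated fields after the prefix instead of two.
SAMPLE_HTPASSWD = """\
alansebrill:$apr1$9.m5dEw/$CkD0Nwueiiv0JpmYbXlTr0
kurt:$apr1$dHjB0/..$mkTTbqwpK/0h/1$.mkTTb
"""

if __name__ == "__main__":
    for user, digest in load_htpasswd(SAMPLE_HTPASSWD).items():
        print(user, "ok" if is_well_formed_apr1(digest) else "malformed")
    entry = make_entry("alansebrill", "journey")
    print(entry, authenticate(basic_header("alansebrill", "journey"), entry))
```

Run it on a real .htpasswd to see which lines the server could actually match: verify_password never decrypts anything, it simply re-hashes the candidate with the salt stored in the line, which is why a stolen file still has to be brute-forced. The 1000-round MD5 scheme is fast on modern hardware, so on a server whose htpasswd supports it, prefer htpasswd -B (bcrypt) for anything beyond a test account.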