Top Nav

How To Password Protect an Apache Website using .htaccess

If you’re running your Website with Apache, securing the site with a password is a simple process. I recently ran through the process on a Windows box (Majority of the shots below) however the steps are pretty much the same for Windows or Linux Apache sites.

Step 1: Configure your .htaccess file

All the work will be done using your .htaccess file. You can find this file at the root of most Apache Websites.

Shot was taken from a vanilla install of WordPress running on Windows 2003 Server:


The .htaccess file is checked by Apache before displaying web pages. Typically it’s used for ReWrites or ReDirects however you can also use it to leverage the built-in security features of Apache.

So, the first step is to add a few parameters to the file. Below is a sample .htaccess file. (TIP: I use notepad++ to edit most PHP and related file)

AuthUserFile c:apachesecurity.htpasswd
AuthName “Please Enter User & PW”
AuthType Basic
require valid-user

Some Explanation:

AuthUserFile: APACHE needs the location of the User/Password file. Just enter the full path to your password database file as shown above. The example above is taken from my Windows box. If you’re running Linux, it would be something like: AuthUserFile /full/path/to/.htpasswd

AuthName: This field defines the Title and Text for the popup box which will be requesting the Username and PW. You can make this ANYTHING you want. Here’s an example on my test box:

Shot was taken from a FireFox browser:


AuthType: This field tells Apache what type of Authentication is being used. In almost all cases, “Basic” is just fine (and the most common).

Require valid-user: This last command lets Apache know WHO is allowed. By using “valid-user“, you are telling Apache ANYONE is allowed to authenticate if they have a valid username and password.

If you prefer to be more EXACT, you can specify a specific USER or USERS. This command would look like:

Require user mrgroove groovyguest

In this case, only the users mrgroove and groovyguest would be allowed to enter the page/directory you’re protecting (after providing the correct username and password of course). All other users (including valid ones) will be denied access. If you want to allow more users, just separate them with spaces.

So, now that we have all the config settings made, here’s what your finished .htaccess file should look like:

Shot was taken from a Windows 2003 Server box running WordPress:

groovyPost .htaccess