How to Password Protect an Apache Website using .htaccess

If you’re running your Website with Apache, securing the site with a password is a simple process. I recently ran through the process on a Windows box (the source of most of the screenshots below); however, the steps are pretty much the same for Windows or Linux Apache sites.

Step 1: Configure your .htaccess file

All the work will be done using your .htaccess file. You can find this file at the root of most Apache Websites.

The screenshot was taken from a vanilla install of WordPress running on Windows 2003 Server:


The .htaccess file is checked by Apache before displaying web pages. Typically it’s used for rewrites or redirects; however, you can also use it to leverage the built-in security features of Apache.

So, the first step is to add a few parameters to the file. Below is a sample .htaccess file. (TIP: I use Notepad++ to edit most PHP and related files.)

AuthUserFile "C:/apache/security/.htpasswd"
AuthName "Please Enter User & PW"
AuthType Basic
require valid-user

Some Explanation:

AuthUserFile: Apache needs the location of the User/Password file. Just enter the full path to your password database file as shown above. The example above is taken from my Windows box; Apache on Windows takes forward slashes in paths, because a backslash can be read as an escape character. If you’re running Linux, it would be something like: AuthUserFile /full/path/to/.htpasswd

AuthName: This field defines the Title and Text for the popup box which will be requesting the Username and PW. You can make this ANYTHING you want. Here’s an example on my test box:


AuthType: This field tells Apache what type of Authentication is being used. In almost all cases, “Basic” is just fine (and the most common).

Require valid-user: This last command lets Apache know WHO is allowed. By using “valid-user“, you are telling Apache ANYONE is allowed to authenticate if they have a valid username and password.

If you prefer to be more EXACT, you can specify a specific USER or USERS. This command would look like:

Require user mrgroove groovyguest

In this case, only the users mrgroove and groovyguest would be allowed to enter the page/directory you’re protecting (after providing the correct username and password of course). All other users (including valid ones) will be denied access. If you want to allow more users, just separate them with spaces.

So, now that we have all the config settings made, here’s what your finished .htaccess file should look like:

Screenshot is taken from a Windows 2003 Server box running WordPress:


Step 2: Create the .htpasswd file

Creating the .htpasswd file is a simple process. The file is nothing more than a text file containing a list of Users and their encrypted passwords. Each User string should be on its own line. Personally, I just use Notepad++ or Windows Notepad to create the file.

Shot below is an example .htpasswd file with two users:


Although Apache doesn’t “require” you to encrypt the passwords, it’s a simple process for both Windows and Linux Systems.


Navigate to your Apache BIN folder (usually found at C:\Program Files\Apache Group\Apache2\bin) and execute the htpasswd.exe tool to generate an MD5 encrypted Username/Password string. You can also use the tool to create the .htpasswd file for you (whatever works…). For all the details, just execute the help switch from the command line (htpasswd.exe /?).

In almost all cases, however, just execute the following command:

htpasswd -nb username password

Once the command is executed, the htpasswd.exe tool will output the User string with its encrypted password.

Screenshot below is an example of executing the htpasswd.exe tool on Windows 2003 Server


Once you have the User String, copy it into your .htpasswd file.


Goto: to create your User strings with encrypted passwords. Very simple process.
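
The checks below are an added example, not part of the original article: a small Python audit that reads a .htpasswd file, reports which storage format each user's password is in, and tells you whether the AuthUserFile path sits inside the web root. The document root C:/apache/htdocs and the users admin and legacy are assumptions, and the hash fields are constructed placeholders that only have the right shape.

```python
import re
from pathlib import PureWindowsPath

# Formats htpasswd can write, with the switch that produces each one.
# Anything that matches none of them is treated as plaintext (htpasswd -p).
# Caveat: a 13-character plaintext password would be reported as des-crypt.
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$"), "ok"),         # -B (Apache 2.4+)
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "legacy"),  # -m
    ("sha1-unsalted", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "insecure"),    # -s
    ("des-crypt", re.compile(r"^[./A-Za-z0-9]{13}$"), "insecure"),                # -d
]

def audit_htpasswd(text):
    """Return [(user, scheme, rating)] for every user line of a .htpasswd file."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        # Blank lines and '#' comments are not user entries.
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, secret = line.split(":", 1)
        for name, pattern, rating in SCHEMES:
            if pattern.match(secret):
                findings.append((user, name, rating))
                break
        else:
            findings.append((user, "plaintext", "insecure"))
    return findings

def inside_web_root(auth_user_file, document_root):
    """True if the password file lives under the document root, where a
    configuration mistake could let a browser download it."""
    f, root = PureWindowsPath(auth_user_file), PureWindowsPath(document_root)
    return root == f or root in f.parents

# Constructed sample: hash fields are shape-only placeholders, not real hashes.
SAMPLE = "\n".join([
    "# constructed sample .htpasswd",
    "mrgroove:$apr1$" + "s" * 8 + "$" + "h" * 22,
    "groovyguest:letmein",
    "admin:$2y$05$" + "h" * 53,
    "legacy:{SHA}" + "h" * 27 + "=",
])

if __name__ == "__main__":
    for user, scheme, rating in audit_htpasswd(SAMPLE):
        print(f"{user:12} {scheme:14} {rating}")
    # document root below is an assumed location, not taken from the article
    print(inside_web_root("C:/apache/security/.htpasswd", "C:/apache/htdocs"))
```

Any user reported as plaintext, sha1-unsalted or des-crypt should have the entry regenerated with htpasswd, and a password file reported as inside the web root should be moved out of it.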

Step 3: Verify Apache is configured properly *optional

By default, Apache has the correct Modules enabled. That being said, it never hurts to be a little proactive plus it’s a quick “check”.

Open your Apache httpd.conf file and verify the AUTH module is enabled:


If you find the module isn’t enabled, just correct it as shown above. Don’t forget; you need to restart Apache for changes to your httpd.conf to take effect.

That should take care of it. All done.




  1. Tony

    Great read. I was looking for the info on creating the crypto for Apache for Windows.

  2. prasanna

    Mr Groove, is it possible to catch a plain password before it is passed to the .htpasswd file for verification? If so, please let me know about it. I need it in my project.

    Thank you for posting good and valid information.

  3. MrGroove

    Welcome to the site Prasanna,

    I’ll do some digging but off-hand, I don’t have a solution for capturing the password being passed to Apache for Authentication. I’ll keep an eye out. Perhaps someone in the community can assist. Feel free to also post the question in the Forum

  4. lt

    Does anyone know how to get this to work on Vista? I had everything working fine on my XP machine but now I can’t get the password protection to work. All my pages/files are not password protected. When running the htpasswd from the command line I get the Vista security window popup (after I changed the Privilege Level to Admin) but it doesn’t modify or create the password file.

  5. jignesh

    1) Does .htaccess create password protection for directory or for individual files ?
    Can we password protect individual files? I mean, if there are files in different directories, do I need to create .htaccess in all these directories? Now how does it work, if I want only a few files in a directory password protected and the other files I don’t want password protected? Do I have to keep all password protected files in the dir in which I have .htaccess and the rest of the files in other directories? Is this the only way?
    2) If I want more than one directory password protected, do I have to create .htaccess in all the directories which I want password protected?
    3) If I have created .htaccess in one dir and there are sub dirs in this dir, do all these sub dirs also become password protected? Or do I need to create separate .htaccess files for these sub dirs?

  6. jignesh

    “AuthUserFile c:apachesecurity.htpasswd”
    Is it not required to place “\” in the path ?
    Full Path is C:\apache\security\.htpasswd. Do we not need \ in the path ?

  7. Steve

    How do I generate a log of who (user name), when (date/time) and from where (IP address) a protected directory/file is attempted to be accessed?

    Please help me.

    Thank you,


  8. Lisa van den Brink

    How do I password protect a research website on the Apache Server from a Mac operating system? Can it be done the same way? What do I need to do?

    Thank you
