Enhance Security: The best use of .htaccess in Directory Protection

Last updated December 6th, 2023 00:18

If you actively manage a website, there may come a time when you want to protect the content of various folders on FTP using a login and password. And if you have web hosting on a Linux server, it is more or less recommended to use the .htaccess file for this purpose. So, today’s article topic will be “Enhance Security: The Best Use of .htaccess in Directory Protection“. Let’s take a look at a few steps on how to achieve this. It’s not as complicated as it may seem.

Enhance Security: The best use of .htaccess in Directory Protection

To protect any directory using a login and password, you will need two files. One file defines the actual security, which is the .htaccess file, and the other file stores the login credentials, known as .htpasswd. It is generally recommended to keep both files separate on FTP. Therefore, the best practice is to create the .htaccess file in the directory you want to password-protect, and then create the .htpasswd file in a different directory, preferably one that is not accessible through a web browser but only locally through FTP.

The .htaccess file and its directives

Now let’s take a look at the directives you need to insert into the .htaccess file to enforce password protection. This file must be placed in the directory that will be secured with a login and password. So, create the .htaccess file in the desired directory on FTP and add the following directives:

					AuthType Basic
AuthName "Please log in"
AuthUserFile /path/to/file/.htpasswd
Require valid-user

As you can notice, the .htaccess file contains the prompt “Please log in.” You can customize this prompt according to your preferences. The second important part of the file is the definition of the path to the second part with the password and login, which is the .htpasswd file. This path is filled into the file as an absolute path.

An absolute path includes the complete path from the root directory of your server. If you don’t know such a path, it can be determined using a PHP script, assuming that the folder is accessible through a web browser. The script for finding the absolute path is very simple. Place a second file named path.php in the folder with the .htpasswd file. For example, on FTP, create a folder named “security” and place the .htpasswd file and the path.php file inside it. Insert the following PHP script into the path.php file:

echo dirname(__FILE__);

If you now call the path.php script in the browser (yourdomain.tld/security/path.php), it will display its absolute path. You can use this path in the .htaccess file. It can then look like this:

					AuthType Basic
AuthName "Please, log in."
AuthUserFile /home/user/public_html/yourdomain.tld/security/.htpasswd
Require valid-user

The .htpasswd file and its content

You already have the .htaccess file defined and saved in the directory you want to password-protect. If we use the example mentioned above, we will have a folder named “security” on FTP, where we will now save the .htpasswd file with the password and login. The content of the .htpasswd file is very simple:


Instead of “<user>“, insert your login, and instead of “<password>“, insert the password hash. The password will be encrypted using base64. Therefore, find any online tool for generating encrypted passwords using base64 on the internet. One example is available here: https://www.base64encode.org/. Insert your password into the tool and encrypt it. For the example, let’s use the password “123456admin“.

Enhance Security: The best use of .htaccess in Directory Protection

The tool has now generated a hash for us, which is MTIzNDU2YWRtaW4=. With this, we can create the complete .htpasswd file, which will ultimately look like this:


As you can see, the resulting directory is now protected with the login “admin” and the password “123456admin“. If you want to password-protect the directory for multiple users, simply add as many lines as needed:


Enhance Security: The best use of .htaccess in Directory Protection


As you can see, using these two files, you have been able to password-protect any directory on FTP using a login and password. If I refer to our example again, you can secure a directory like “/administration” by placing the .htaccess file there and using the login and password from the “/security/.htpasswd” file. The entire process, although it may seem complicated when written like this, is not significantly complex. If you need any assistance, the comments under the article are open for discussion.

The website is created with care for the included information. I strive to provide high-quality and useful content that helps or inspires others. If you are satisfied with my work and would like to support me, you can do so through simple options.

Byl pro Vás tento článek užitečný?

Klikni na počet hvězd pro hlasování.

Průměrné hodnocení. 0 / 5. Počet hlasování: 0

Zatím nehodnoceno! Buďte první

Jak užitečný vidíte tento článek.

Sledujte mě na sociálních médiích.

Je mi líto, že pro Vás nebyl článek užitečný.

Jak mohu vylepšit článek?

Řekněte mi, jak jej mohu zlepšit.

Upozornit na
0 Komentáře/ů
Vložené zpětné vazby.
Zobrazit všechny komentáře.

Pokud mi chcete napsat rychlou zprávu, využije, prosím, níže uvedený
kontaktní formulář. Děkuji.

Další Kontaktní údaje