Last updated December 6th, 2023 00:18
If you actively manage a website, there may come a time when you want to protect the content of various folders on FTP using a login and password. And if you have web hosting on a Linux server, it is more or less recommended to use the .htaccess file for this purpose. So, today’s article topic will be “Enhance Security: The Best Use of .htaccess in Directory Protection“. Let’s take a look at a few steps on how to achieve this. It’s not as complicated as it may seem.
Enhance Security: The best use of .htaccess in Directory Protection
To protect any directory using a login and password, you will need two files. One file defines the actual security, which is the .htaccess file, and the other file stores the login credentials, known as .htpasswd. It is generally recommended to keep both files separate on FTP. Therefore, the best practice is to create the .htaccess file in the directory you want to password-protect, and then create the .htpasswd file in a different directory, preferably one that is not accessible through a web browser but only locally through FTP.
The .htaccess file and its directives
Now let’s take a look at the directives you need to insert into the .htaccess file to enforce password protection. This file must be placed in the directory that will be secured with a login and password. So, create the .htaccess file in the desired directory on FTP and add the following directives:
AuthType Basic
AuthName "Please log in"
AuthUserFile /path/to/file/.htpasswd
Require valid-user
As you can notice, the .htaccess file contains the prompt “Please log in.” You can customize this prompt according to your preferences. The second important part of the file is the definition of the path to the second part with the password and login, which is the .htpasswd file. This path is filled into the file as an absolute path.
An absolute path includes the complete path from the root directory of your server. If you don’t know such a path, it can be determined using a PHP script, assuming that the folder is accessible through a web browser. The script for finding the absolute path is very simple. Place a second file named path.php in the folder with the .htpasswd file. For example, on FTP, create a folder named “security” and place the .htpasswd file and the path.php file inside it. Insert the following PHP script into the path.php file:
<?php
echo dirname(__FILE__);
?>
If you now call the path.php script in the browser (yourdomain.tld/security/path.php), it will display its absolute path. You can use this path in the .htaccess file. It can then look like this:
AuthType Basic
AuthName "Please, log in."
AuthUserFile /home/user/public_html/yourdomain.tld/security/.htpasswd
Require valid-user
The .htpasswd file and its content
You already have the .htaccess file defined and saved in the directory you want to password-protect. If we use the example mentioned above, we will have a folder named “security” on FTP, where we will now save the .htpasswd file with the password and login. The content of the .htpasswd file is very simple:
<user>:<password>
Instead of “<user>“, insert your login, and instead of “<password>“, insert the password hash. The password will be encrypted using base64. Therefore, find any online tool for generating encrypted passwords using base64 on the internet. One example is available here: https://www.base64encode.org/. Insert your password into the tool and encrypt it. For the example, let’s use the password “123456admin“.
The tool has now generated a hash for us, which is MTIzNDU2YWRtaW4=. With this, we can create the complete .htpasswd file, which will ultimately look like this:
admin:MTIzNDU2YWRtaW4=
As you can see, the resulting directory is now protected with the login “admin” and the password “123456admin“. If you want to password-protect the directory for multiple users, simply add as many lines as needed:
<user1>:<heslo>
<user2>:<heslo>
<user3>:<heslo>
<user4>:<heslo>
admin:MTIzNDU2YWRtaW4=
john:ZDM0NWRzYWQ2YWRtZAo=
josef:ZmYzNDVzZGQ2YWRtZAo=
karel:Y2ZnYnY1c2RkNmFkZmd0Cg==
marie:amppa3NkZDZhZGZnbHAK
Enhance Security: The best use of .htaccess in Directory Protection
Conclusion
As you can see, using these two files, you have been able to password-protect any directory on FTP using a login and password. If I refer to our example again, you can secure a directory like “/administration” by placing the .htaccess file there and using the login and password from the “/security/.htpasswd” file. The entire process, although it may seem complicated when written like this, is not significantly complex. If you need any assistance, the comments under the article are open for discussion.
The website is created with care for the included information. I strive to provide high-quality and useful content that helps or inspires others. If you are satisfied with my work and would like to support me, you can do so through simple options.
Subscribe to the Newsletter
Stay informed! Join our newsletter subscription and be the first to receive the latest information directly to your email inbox. Follow updates, exclusive events, and inspiring content, all delivered straight to your email.
