Skip to content

Apache 2 – Password protecting a directory using .htaccess

Recently I was asked to set up a small e-commerce website and I wanted to ensure certain directories could only be accessed by those who needed to. One of those pages was phpmyadmin which if brute forced, could cause a lot of damage. Despite having a strong password for phpmyadmin, it only makes sense to hide it further behind a password prompt using .htaccess.

To begin with this was added to the .htaccess file in the directory we wish to protect.

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /location/of/.htpasswd
Require valid-user

After which a .htpasswd file was generated. I chose to generate this file in a directory not accessible to the web.

htpasswd -c /location/of/.htpasswd username_of_choice

At this point you will be prompted to enter a password, and to then repeat that password. This may be repeated for as many users as you require, if more users are added bear in mind the -c switch clears the file each time, so consider removing it for subsequent users.

As always a lot more information on this is available on Apache documentation as well as in your terminal:

man htpasswd
No comments yet

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.