Home » Password Protect Your Apache Server

Protect a directory on an apache web server by adding a password that would require a user to authenticate themselves and thus would give them authorization to access a protected folder.


  • Apache HTTP Server ^2.4
  • .htaccess file

The first attempt is to try to use the directory configuration file (.htaccess file) to make the server request for a password for anyone who is trying to access a folder inside an apache web server.

Step 1.

Create a text password file. It is important to note that this file should be saved in a place not accessible from the web.

If say for example the documents are served out of /var/www/html, the text password file can be saved inside /var/www/passwd folder.

  • Create the folder where the text password file will be saved.
    mkdir /var/www/passwd
  • Create the text password file.
    htpasswd -c /var/www/passwd/passwords protected_user


  • passwords is the password text file.
  • protected_user is the username when signing in.

Step 2.

Enter the password and confirm it when asked.

New password:
Re-type new password:
Adding password for user protected_user

Step 3.

Let’s say for example the password protection will be applied to the directory /var/www/html/password_protected. Therefore inside that folder, create an .htaccess file and add the following codes. If there is an existing .htaccess file, just append the following codes into it.

AuthType Basic
AuthName "Password Protected"
AuthBasicProvider file
AuthUserFile "/var/www/passwd/passwords"
Require user protected_user


  • Basic is the method used to authenticate the user.
  • Password Protected is the realm used in the authentication.
  • file is the source provider used in the authentication.
  • /var/www/passwd/passwords is the path to the text password file.
  • protected_user is allowed user to access the directory.


Browse the protected folder and input the correct credentials.


Test Again.

This time browse the protected folder and click the cancel button.



  • Basic authentication sends the password from the client to the server unencrypted.
  • Unless accompanied by mod_ssl, do not use this method for highly sensitive data.






Leave a Reply

Your email address will not be published. Required fields are marked *