Password protection with Apache is really a piece of cake.

First you’ll need to create a password file. It’s best practice to place this outside of your web root so people can’t access it. I keep all of mine in /home/user/.

You can call the password file whatever you want, the most common is simply .htpasswd. The file is a simple database of usernames and password hashes. Each user has its own line; the user user with password pass might1 have the following entry:


The easiest way to encrypt pass, is to visit Just enter the username and password, and it’ll create the exact line you should insert into your password file. (Optionally, you could use the htpasswd command if you have shell access and your web host has enabled it.)

OK - so you have the password file (/home/user/.htpasswd). Now you must create a file called .htaccess in the directory you want to protect (in the example we’ll use /home/user/www/secretstuff).

Add these lines:

AuthUserFile /home/user/.htpasswd
AuthName "Secret Stuff"
AuthType Basic
<Limit GET>
require valid-user

Save it, and then browse to, and you should be prompted for a username and password.


  1. Note: The hash will NOT always be the same - meaning if you encrypt the same string twice, you could get two entirely different hashes. This does not, however, affect Apache in any way.