If you need to protect a directory with a username and password, one option is to use .htaccess and .htpasswd files.
The .htaccess file has many uses, such as redirecting web pages, restricting access to directories, etc. You can see more examples at Using rewrite rules in .htaccess.
The .htpasswd file stores usernames and passwords for each restriction. It’s important to remember that the .htaccess file created to restrict access must be located inside the directory you want to protect.
.htaccess
AuthUserFile /var/www/vhosts/domain.com/private/.htpasswd
AuthName ProtectedDirectory
AuthType Basic
require user DomainUser
The .htaccess above is a clear example of restriction. Let’s review the options step by step:
AuthUserFile /var/www/vhosts/domain.com/private/.htpasswd
Here you must indicate the absolute path to the .htpasswd file, which is where user access data is stored. This file should never be located inside the domain’s public folder (usually /httpdocs or /public_html), as that would be a serious security flaw allowing others to obtain user access data.
If for some reason you cannot place the .htpasswd file outside the public content, we recommend renaming it, e.g. .89lasa12, to make it harder for unwanted users to guess.
AuthName ProtectedDirectory
When you try to access the protected directory via your browser, a login window will appear asking for a username and password, along with a message naming the area you’re trying to access. You can customize this message by changing ProtectedDirectory to any text you want. It only affects the display, not functionality.
AuthType Basic
Specifies that the authentication type is Basic.
require user DomainUser
This line indicates that only user DomainUser can access the directory.
To add more users, you can do it like this:
require user DomainUser DomainUser2
There are many options for access control; for example, you can protect individual files like this:
AuthUserFile /var/www/vhosts/domain.com/private/.htpasswd
AuthName ProtectedDirectory
AuthType Basic
<Files "filetoprotect.php">
require user DomainUser
</Files>
.htpasswd
The .htpasswd file stores user credentials used to protect directories or files restricted via .htaccess.
In the following examples, we refer to this file as .htpasswd, but as mentioned before, you can name it however you like.
The data is stored in .htpasswd in the format user:password, each on a separate line:
DomainUser:AQTm0UkcUgb1M
DomainUser2:m1JcIlg0b23M
As you can see, passwords are not stored in plain text: Apache’s htpasswd command hashes them by default. If you have an Apache server and SSH access, you can run the necessary commands to add users to the .htpasswd file.
Once connected over SSH, you can execute the command in different ways, depending on whether you want it to create the file automatically or display the data for manual entry:
htpasswd -nb DomainUser password
This line will display on screen the string you must manually add to your .htpasswd file.
htpasswd -cb .htpasswd DomainUser password
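This line writes directly to the specified file (in this case .htpasswd, but you can specify another one). The -c option creates the file and overwrites it if it already exists, so use it only when adding the first user.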
Once the user has been added to the .htpasswd file and the .htaccess file configured, the directory or file should be protected by username and password.
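An added example, not part of the original article: a small Python audit that checks whether the AuthUserFile target sits inside the public folder and flags .htpasswd entries in crypt() or unsalted SHA-1 format, which Apache's htpasswd documentation describes as insecure. The function names, the docroot path and the sample input are assumptions made for the illustration.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Prefixes written by htpasswd -m, -B and -s (a bare 13-char value is crypt()).
SCHEMES = {"$apr1$": "md5-apr1", "$2y$": "bcrypt", "{SHA}": "sha1-unsalted"}
WEAK = {"crypt-des", "sha1-unsalted", "unknown"}

def auth_user_file(htaccess_text):
    """Return the AuthUserFile path from .htaccess text, or None."""
    for line in htaccess_text.splitlines():
        m = re.match(r'\s*AuthUserFile\s+"?([^"\s]+)"?\s*$', line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None

def inside_docroot(path, docroot):
    """True if path, with '..' collapsed, is the docroot or lies under it."""
    p, root = (PurePosixPath(posixpath.normpath(x)) for x in (path, docroot))
    return p == root or root in p.parents

def hash_scheme(entry):
    """Classify the hash in one 'user:hash' line of a .htpasswd file."""
    digest = entry.strip().partition(":")[2]
    for prefix, name in SCHEMES.items():
        if digest.startswith(prefix):
            return name
    return "crypt-des" if len(digest) == 13 else "unknown"

def audit(htaccess_text, docroot, htpasswd_lines):
    """Return a list of findings for one protected directory."""
    findings = []
    path = auth_user_file(htaccess_text)
    if path is None:
        findings.append("no AuthUserFile directive")
    elif not path.startswith("/"):
        findings.append("AuthUserFile is not an absolute path: " + path)
    elif inside_docroot(path, docroot):
        findings.append("password file is inside the public folder: " + path)
    for line in htpasswd_lines:
        if line.strip() and hash_scheme(line) in WEAK:
            findings.append("weak or unrecognised hash for " + line.split(":")[0])
    return findings

# Constructed sample: the page's directives with the file moved under httpdocs.
BAD = "AuthUserFile /var/www/vhosts/domain.com/httpdocs/.htpasswd\nAuthType Basic\n"
if __name__ == "__main__":
    for f in audit(BAD, "/var/www/vhosts/domain.com/httpdocs", ["DomainUser:AQTm0UkcUgb1M"]):
        print(f)
```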
In Apache’s official documentation, you can find more information about .htpasswd and .htaccess.