- What Is an htaccess File?
- What Is an htpasswd File?
- Where Should the htpasswd File Be Stored?
- htaccess Password Protection Example
- Can You Protect Only Subfolders?
- Password Protection for Individual Domains or Subdomains
- Which Web Servers Support htaccess?
- Advantages and Disadvantages of htaccess Password Protection
- How Secure Is This Password Protection?
- Alternatives to htaccess Password Protection
- IP Whitelist
- Maintenance Mode Plugins
- Server Side Authentication in Nginx
- Password Protection via Hosting Panel
- Passkey or Token Based Access
A simple way to enable maintenance mode or private site access
When you are developing a website, updating content or preparing a client preview, the site should not be publicly visible. A very common and fast solution is password protection through htaccess and htpasswd. This method works at the server level and blocks visitors from accessing anything without valid login credentials.
In this guide, you will learn what htaccess and htpasswd files are, why they are used, how to set them up correctly and which alternatives you can use depending on your hosting environment. After reading this article, you will be able to protect your entire website or individual subfolders using htaccess authentication.
What Is an htaccess File?
The htaccess file is a configuration file used mainly with Apache and LiteSpeed web servers. It is placed inside your website folder and allows you to define server-side rules without editing the global server configuration.
Typical htaccess functions include:
- enabling password protection
- setting up redirects and rewrite rules
- configuring caching settings
- defining custom error pages
- allowing or blocking specific IP addresses
For password protection, the htaccess file is ideal because it is quick to set up and does not require root access to the server.
What Is an htpasswd File?
The htpasswd file contains the usernames and hashed passwords used for authentication. The passwords are not stored in plain text but in a hashed format such as MD5, SHA or bcrypt. This file must never be reachable from the public web.
Example:
user:secret
test:$apr1$547x6czg$ZOB.RvFfT2JdN1KfOvuUF0
Important:
The password must always be stored as a hash. Never save a plain text password in the htpasswd file.
You can generate hashed passwords using:
- htpasswd generator tools
- Linux console: htpasswd -nb username password (the -n flag prints the finished entry to the terminal instead of writing a file; note that -b places the password on the command line, where it ends up in the shell history)
- Online tools (secure connection only and not recommended for production)
Where Should the htpasswd File Be Stored?
For security reasons, the htpasswd file should always be stored outside the public webroot. This prevents direct access through the browser.
Recommended locations:
/home/username/secure/.htpasswd
On typical hosting setups:
/var/www/.secrets/htpasswd
As long as the file is not inside /public_html, /www or /htdocs, the server can read it but visitors cannot access it.
htaccess Password Protection Example
A basic htaccess setup for password protection looks like this:
AuthUserFile /home/user/secure/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected Area"
AuthType Basic
Require valid-user
Once the file is saved inside the target directory, the entire folder and all subfolders become protected.
Can You Protect Only Subfolders?
Yes, and this is one of the most common use cases. If you have a staging or preview version in a subfolder like /preview or /beta, simply place a separate htaccess file inside that folder. The rest of the website remains publicly accessible.
Password Protection for Individual Domains or Subdomains
You can also protect specific domains or subdomains. Each domain can have its own htaccess configuration, which allows you to protect a full staging site while keeping your main site public.
Example based on domain rules:
SetEnvIf Host my-domain.test passreq
AuthType Basic
AuthName "Password Required"
AuthUserFile /home/user1234/mywebsite/htpwd/.htpasswd
Require valid-user
Order allow,deny
Allow from all
Deny from env=passreq
Satisfy any
This setup makes password protection depend on the Host header of the request: the SetEnvIf line marks requests for my-domain.test, and only those are denied by the access rules and therefore have to authenticate, while every other host name stays public. The Order, Allow, Deny and Satisfy directives are Apache 2.2 syntax; on Apache 2.4 they only work when mod_access_compat is loaded.
Which Web Servers Support htaccess?
htaccess password protection works with:
- Apache
- LiteSpeed
- OpenLiteSpeed (limited support)
htaccess does not work with:
- Nginx
- Microsoft IIS
For Nginx, authentication must be configured in the server block (server.conf), not via htaccess.
Advantages and Disadvantages of htaccess Password Protection
| Advantage | Disadvantage |
|---|---|
| Very easy to set up | Not supported by Nginx without server configuration access |
| No plugins or software needed | Login box cannot be styled |
| Server side authentication | Basic Auth sends credentials base64 encoded, not encrypted |
| Ideal for maintenance mode or private previews | Requires HTTPS to be secure |
| Works for full sites or subfolders | Can interfere with caching or performance tools |
Important:
Always use HTTPS, because HTTP does not encrypt the transmitted username and password.
How Secure Is This Password Protection?
Properly configured, Basic Auth is secure enough for internal tools, preview pages or development environments. It is not designed as a full authentication system for web applications or members areas.
For maximum security:
- always use HTTPS
- generate bcrypt passwords
- store htpasswd outside the webroot
- optionally combine with an IP whitelist
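A small audit script, added here as an example and not part of the article, that names the hash scheme of every htpasswd entry so weak ones can be regenerated with bcrypt (htpasswd -B), and that decodes a Basic Authorization header to show why HTTPS is required. The sample file is constructed: its first two lines are the article's own example entries, and the bcrypt line is a placeholder shaped like htpasswd -B output, not a real hash.

```python
import base64
import re

# Constructed sample htpasswd content: the first two entries come from the
# article, the bcrypt entry is a placeholder (not a real hash).
SAMPLE_HTPASSWD = "\n".join([
    "user:secret",
    "test:$apr1$547x6czg$ZOB.RvFfT2JdN1KfOvuUF0",
    "ops:$2y$05$" + "x" * 22 + "y" * 31,
])

ACCEPTABLE = {"bcrypt"}  # the article's recommendation: generate bcrypt passwords


def classify(entry: str) -> tuple[str, str]:
    """Split one 'user:hash' line and name the hash scheme htpasswd used."""
    user, _, secret = entry.partition(":")
    if secret.startswith(("$2y$", "$2a$", "$2b$")):
        return user, "bcrypt"            # htpasswd -B
    if secret.startswith("$apr1$"):
        return user, "apr1-md5"          # htpasswd -m (the default)
    if secret.startswith("{SHA}"):
        return user, "sha1"              # htpasswd -s
    if re.fullmatch(r"[./0-9A-Za-z]{13}", secret):
        return user, "crypt"             # htpasswd -d, uses only 8 password chars
    # No recognised prefix: plain text (only honoured by Apache on Windows)
    # or a scheme htpasswd does not write.
    return user, "plaintext/unknown"


def audit_htpasswd(text: str) -> list[tuple[str, str, bool]]:
    """Return (user, scheme, needs_rehash) per entry; blanks and comments skipped."""
    report = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, scheme = classify(line)
        report.append((user, scheme, scheme not in ACCEPTABLE))
    return report


def decode_basic_header(header: str) -> tuple[str, str]:
    """Recover user and password from an 'Authorization: Basic ...' value.
    Base64 is encoding, not encryption, which is why HTTPS is mandatory."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    for user, scheme, weak in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user:8} {scheme:18} {'regenerate with htpasswd -B' if weak else 'ok'}")
    print(decode_basic_header("Basic dXNlcjpzZWNyZXQ="))  # header for user:secret
```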
Alternatives to htaccess Password Protection
IP Whitelist
Allow access only from specific IP addresses:
Order deny,allow
Deny from all
Allow from 123.123.123.123
Maintenance Mode Plugins
For CMS systems like WordPress, Joomla or Shopware, there are plugins that show a custom maintenance page while the admin area remains accessible.
Server Side Authentication in Nginx
Nginx uses a different approach and requires configuration inside the server block.
Example:
auth_basic "Restricted Area";
auth_basic_user_file /etc/nginx/.htpasswd;
Password Protection via Hosting Panel
Panels like Plesk and cPanel have built in tools to protect folders with a password, without manually editing files.
Passkey or Token Based Access
Modern systems use secured links with tokens or signed URLs instead of manual password prompts.