How to Password Protect Web Directories in Apache Using .htaccess File

When you manage online projects, you often need to limit access to that project in order to protect it against the outside world. There are might be different reasons for that – for example you want to prevent search engine crawlers from accessing your site while it is still in development phase.

Password Protect Apache Web Directories

Password Protect Apache Web Directories

In this tutorial, I am going to show you how to password protected different web sites directories in Apache web server. There are many ways you can achieve this, but we will review two of them which are most commonly used.

The first method configures password protection directly in Apache’s configuration file, while the second one uses .htaccess file.


In order to setup password protection for your web directories, you will need to have:

  • A working Apache web server
  • The AllowOverride AuthConfig directive must be enabled in Apache configuration file.

Setup Apache Password Protected Directory

1. For this tutorial, we will be protecting the main web root directory /var/www/html.  To protect that directory, open your Apache’s configuration:

---------------- On RedHat/CentOS based systems ----------------
# vi /etc/httpd/conf/httpd.conf

---------------- On Debian/Ubuntu based systems ----------------
# nano /etc/apache2/sites-available/000-default.conf

2. Find the Apache Document directory root for /var/www/html and add the following things as suggested:

On Apache 2.2 Version

<Directory /var/www/html> 
Options Indexes Includes FollowSymLinks MultiViews 
AllowOverride All
Order allow,deny
Allow from all 

On Apache 2.4 Version

<Directory /var/www/html> 
Options Indexes Includes FollowSymLinks MultiViews 
AllowOverride All 
Require all granted 
Apache 2.4: Enable AllowOverride All

Apache 2.4: Enable AllowOverride All

3. Save the file and restart Apache by using the following command:

--------------- On Systemd -------------------
# systemctl restart httpd         [On RedHat based systems]
# systemctl restart apache2       [On Debian based systems]

--------------- On SysV init -----------------
# service httpd restart           [On RedHat based systems]
# service apache2 restart         [On Debian based systems]

4. Now we will use the htpasswd command to generate username and password for our protected directory. This command is used to manage user files for basic authentication.

The general syntax of the command is:

# htpasswd -c filename username

The -c option specifies the file that will keep the encrypted password and username specifies the user for the authentication.

5. Our password file needs to be located out of the Apache’s web accessible directory so that it is well protected. For that purpose, we will create new directory:

# mkdir /home/tecmint

6. After that we will generate our username and password that will be stored in that directory:

# htpasswd -c /home/tecmint/webpass tecmint

Once you execute this command you will have to enter a password for our new user "tecmint" twice:

Create Apache User Password

Create Apache User Password

After that we will need to make sure that Apache is able to read the “webpass” file. For that purpose, you will need to change the ownership of that file with the following command:

---------------- On RedHat/CentOS based systems ----------------
# chown apache: /home/tecmint/webpass
# chmod 640 /home/tecmint/webpass
---------------- On Debian/Ubuntu based systems ----------------
# chown www-data /home/tecmint/webpass
# chmod 640 /home/tecmint/webpass

7. At this point our new user and password are ready. Now we need to tell Apache to request password when accessing our targeted directory. For that purpose, create file called .htaccess in /var/www/html:

# vi /var/www/html/.htaccess

Add the following code in it:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/tecmint/webpass
Require user tecmint
Create Apache Restricted Access

Create Apache Restricted Access

8. Now save the file and put your setup to the test. Open your browser and enter your IP address or domain name in the web browser, for example:


You should be prompted for username and password:

Apache Password Protected Directory Authentication

Apache Password Protected Directory Authentication

Enter the username and password that you set to proceed to your page.

Additional Notes

If you are using shared hosting, you will most probably not have access to the Apache configuration file. However most hosting companies have enabled the “AllowOverride All” option by default. This means that you will only need to generate the username and password and then select directory that you wish to protect. This significantly eases your task.


I hope that you found this tutorial useful and help you achieve your goal. If you have any questions or comments, please do not hesitate to post them in the section below.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

Marin Todorov

I am a bachelor in computer science and a Linux Foundation Certified System Administrator. Currently working as a Senior Technical support in the hosting industry. In my free time I like testing new software and inline skating.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide
The Complete Linux System Administrator Bundle
Become an Ethical Hacker Bonus Bundle

You may also like...

7 Responses

  1. Madhav says:
    Options Indexes Includes FollowSymLinks MultiViews 
    AllowOverride All
    Allow from all 

    I found that in above code the Order word is missing. That is Order allow,deny.

  2. Margarida Brito says:

    Thanks. Much appreciated. Very simple and very easy to follow.
    Just what I needed.

  3. Erick says:

    thanks man, you’ve help me a lot, works nicely on Debian 8

  4. Jelle Langbroek says:

    Thanks for your article.
    I was wondering what the preferred method is for using MySQL instead of htpasswd to store/read passwords. Since Apache2.4 it doesn’t work anymore because of deprecated modules I believe. What’s the best method now?

  5. Aaron Kili K says:

    Thanks for the tutorial, works well on Ubuntu 14.04

Leave a Reply to Margarida Brito Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.