How to Create Password Protected Directory for Confidential Material

One important thing to do is to create password protected directories for confidential material that’s not available to public, but needs to be shared among team members. In this post I’ll go through how to create .htaccess files to protect your game files. I’m not going to go very deep on usage of .htaccess files in general, but I will tell you the basics you need to know to be able to keep unwanted people from your secret material. There’s also a small script that helps creating crypted password for .htaccess files. To be able to use this information, your web hosting provider must allow usage of .htaccess files for password protection.

Basically the system is done like this. First you create a folder in your web server you want to protect (using for example some FTP program like SmartFTP. After you’ve created the folder you will need to put “password file” in your server, and then a .htaccess file to the directory you want to protect.

Step 1 – Create a password file
First you need to create a password file. Password file has no extension (like .txt or .exe), it’s simply a file that you can name like “mypassword”. There’s only one line in our password file. The idea of the password file is to store all usernames and passwords that are allowed to use your protected folder.

I made a small script to help you create crypted password: use this script to create line for your password file.

For example, try using the script above and put “testuser” and “testpass” to the username and password boxes. Then click “crypt password”. You should see a line like “testuser:$1$hKoP5FiQ$AMWwZ./TJusJX4oCCT9zs.” or something. Copy & paste that line to your “mypassword” file.

Step 2 – Put the password file in your server home directory
When you take FTP connection to your web server, you should see file structure like:



Put your “mypassword” file with these files. After you’ve done this, your home directory should look something like:



Now you’ve uploaded the file and can proceed to the next step.

Step 3 – Create .htaccess file
The next step is to create a .htaccess file. Just open your editor and create a file named “.htaccess” (if your computer doesn’t allow you creating .htaccess file, then just create a file called “htaccess” without the dot in the beginning).

The contents of the file should be something like this:

AuthType Basic
AuthName “Protected folder”
AuthUserFile /home/someuser/mypassword
Require valid-user

Replace “someuser” to match your web hosting account name. Like for example, if you have own gamescompany.com then your web service provider might have created you web hosting account with username “gamescom”. Then your AuthUserFile line could look like this: “AuthUserFile /home/gamescom/mypassword”

Depending on your web host, the file content might be bit different. Google or check out wikipedia if you run into some problems. But for now, just create the file.

Step 4 – Create password protected folder and move .htaccess file there
Now you are ready to create a folder to your web server. Create a folder named “protected” and upload the .htaccess file into that folder. If you had to create htaccess file (without a dot in the beginning, then rename your “htaccess” file to “.htaccess” after you have uploaded it to the server).

Step 5 – All done
Now you can try testing your password protected folder. Simply go to www.yourwebsite.com/protected/ and it should ask for an username and password. Type “testuser” and “testpass” (the username and password you crypted in step 1) and you should be able to login. If the system asks password several times, type them several times (it’s bit picky whether you use “protected” or “protected/” in the URL) and you should be able to get in.

In case you encounter problems, check the following:

  • Make sure you typed your username and password correctly
  • Make sure you generated valid username and password (feel free to try crypting again if things don’t seem to work in the first time)
  • Make sure your .htaccess file is valid (consult your web hosting service provider in order to learn the valid format for it)

When you get things working, you can upload stuff in protected folders and share documents with other team members – safely.

Juuso Hietalahti


  1. I want to create and XHTML page with a form to signin to the password protected pages instead of having to signin on the popup. How can I make a form work with the .htaccess file?

  2. I just started with godaddy, and I don’t see a link in the Control panel for password-protected directories. From what I see, .htaccess files are only available on the linux-hosted side, and password protecting is available if you are using godaddy’s website builder.

    I’m creating my pages in front page, but uploading using filezilla.
    anyone know if i could continue to do this if i switched to linux hosted ?

  3. It should also be noted that this is the Apache way of doing things.
    It wont work if you have your webserver hosted on a windows box running IIS, but then if you have your website hosted on a box like that, you deserve everything you get :)

  4. If you use cPanel then there is an option “Password Protect Directories” which allows you to do this. I believe that it uses the same method under the hood.

Comments are closed.