Although there are many uses for a .htaccess file, by far the most popular,
and probably most useful, is being able to reliably password protect directories
on websites. Although JavaScript can also be used to do this, only .htaccess
has total security, because someone must know the password to get into the
directory; there are no 'back doors'.
Password protection requires two files. The first is the .htaccess file
that lives in the directory where the access will be granted or limited.
The second is the .htpasswd file which can live in any location within the
server.
Start off by creating a .htpasswd file the same way you would create a
.htaccess file. (If you are new to .htaccess files, please read the Introduction
to .htaccess files tutorial to find out how to use and create .htaccess
files.)
Next enter your username and password in the following form on the first
line of the .htpasswd file.
username:password
Once that is done, the username and password have to be encrypted, otherwise
anyone who can read the file can see them. Visit http://www.euronet.nl/~arnow/htpasswd
and enter the username and password you would like to use in the form.
Click calculate to get the encrypted version. Then copy and paste this encrypted
version in place of the viewable version in the .htpasswd file.
Now you need to add the following to your .htaccess file.
AuthName "Area Name"
AuthType Basic
AuthUserFile /full/path/to/.htpasswd
Require valid-user
There are a few parts of this which you will need to change for your site.
You should replace "Area Name" with the name of the part of the site you
are protecting e.g. "Members Area".
The /full/path/to/.htpasswd should be changed to reflect the full server
path to the .htpasswd file. (If you do not know what the full path to your
webspace is, contact your system administrator for details.)
Finally, if you haven't done so already, place the .htaccess file in the
directory you would like to protect.
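A local check for the two files described above, as an added example that is not part of the original tutorial: it flags .htpasswd entries that were left unhashed or carry a space after the colon, and an AuthUserFile that is missing, is not a full path, or sits under the web root. The document root /var/www/site, the sample users, and the policy of accepting only bcrypt and apr1-MD5 entries are assumptions; the hash bodies in the sample are constructed filler.

```python
import re
from pathlib import PurePosixPath
# Entry formats Apache accepts in an AuthUserFile, matched by shape only.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$"), "bcrypt"),
    (re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "apr1-md5"),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1-unsalted"),
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "des-crypt"),
]
ACCEPTED = {"bcrypt", "apr1-md5"}  # assumption: this audit accepts salted schemes only

def classify(line):
    """Return (user, scheme) for one .htpasswd line."""
    user, sep, secret = line.partition(":")
    if not sep:
        return user, "malformed"
    if secret != secret.strip():
        return user, "stray-whitespace"  # space after the colon or at line end
    for pattern, name in SCHEMES:
        if pattern.match(secret):
            return user, name
    return user, "not-hashed"  # caveat: a 13-char plaintext matches des-crypt

def audit(htpasswd_text, htaccess_text, docroot):
    """List findings for a .htpasswd/.htaccess pair; docroot is the web root."""
    findings = []
    for line in htpasswd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, scheme = classify(line)
        if scheme not in ACCEPTED:
            findings.append(f"{user}: {scheme}")
    m = re.search(r'^[ \t]*AuthUserFile[ \t]+"?([^"\n]+?)"?[ \t]*$', htaccess_text, re.M | re.I)
    if not m:
        findings.append("AuthUserFile missing")
    elif not PurePosixPath(m.group(1)).is_absolute():
        findings.append("AuthUserFile is not a full path")
    elif PurePosixPath(docroot) in PurePosixPath(m.group(1)).parents:
        findings.append("AuthUserFile inside document root")
    return findings

# Constructed sample input: users, paths and hash bodies are made up.
SAMPLE_HTPASSWD = "\n".join(["alice:$apr1$abcdefgh$" + "A" * 22,
                             "bob: hunter2",  # left as typed, never hashed
                             "carol:{SHA}" + "B" * 27 + "="])
SAMPLE_HTACCESS = 'AuthName "Members Area"\nAuthType Basic\nAuthUserFile /var/www/site/members/.htpasswd\nRequire valid-user\n'

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HTPASSWD, SAMPLE_HTACCESS, "/var/www/site")))
```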