Setting up password protection (.htaccess) via SSH
Please use the “Print” function at the bottom of the page to create a PDF.
Valid for Web Hosting.
In this article, you will learn how to set up server-side password protection for your website.
With server-side password protection (HTTP Basic Authentication), you can effectively secure the directories on your website. Before the web server delivers content, it requests a username and password from the visitor. This method is significantly more secure than JavaScript solutions, as the check takes place directly on the server.
Note
Did you order your contract before September 15, 2025? Then you can also set up protection directly in your IONOS account. You can find more information on this in the article Setting up protected directories in webspace
Requirements
- An IONOS web hosting package with SSH access.
The principle briefly explained
For password protection, you need two files in the same directory of your webspace.
- .htpasswd: This is where the users and their encrypted passwords are stored.
- .htaccess: This file acts as a "gatekeeper". Each time the website is accessed, it checks whether the visitor has entered the correct access data from the .htpasswd.
Step 1: Determine target directory
There are often several websites in different folders in a webspace. To avoid accidentally blocking the wrong page, you must first check which folder your project is located in.
- Log in to your IONOS account.
Click on Menu > Domains & SSL in the title bar.
Click on the domain of the website you want to protect.
Search for the Target entry.
There you will see the home directory (e.g. /wordpress or /my-shop). Make a note of the name of this folder. In step 3, you must go to this specific folder.
Step 2: Establish SSH connection
To execute commands directly in your webspace, you must first establish an encrypted connection (SSH).
The following instructions show you how to establish an SSH connection. Select the appropriate instructions for your operating system:
macOS: Establishing an SSH connection using macOS
Linux: Establishing an SSH connection using Linux
Step 3: Change to the target directory
Once you have established the SSH connection, you will find yourself in the main directory of your webspace. You will usually see the folders of all your projects there.
Be careful if you have several websites: do not create the protection files directly in the main directory unless you want to lock all your websites with the same password. Instead, always switch to the folder of the specific website.
To navigate to the correct folder, use the following commands:
To display the existing folders, type ls (list) and press Enter.
ls
Change to the folder determined in step 1 (e.g. "my-shop") by entering the following command and confirming with the Enter key:
cd my-shop
Tip: You can press the Tab key after the first letters of the folder name to complete the name automatically.
Step 4: Create user and password file (.htpasswd)
Now create the .htpasswd file and create the first user.
Enter the following command and confirm with Enter. Replace <USERNAME> with the desired login name (e.g. admin or guest):
htpasswd -Bc .htpasswd <USERNAME>
- Press Enter.
- Enter the desired password and confirm with Enter. For security reasons, no characters or asterisks are displayed when entering the password. Simply enter the password "blind".
The .htpasswd file is created and the password is stored securely encrypted in it using bcrypt.
Step 5: Configure protection (create .htaccess)
For the protection to become active, you must tell the server exactly where the password file is located. To do this, it needs the absolute system path.
To determine the system path, enter pwd in the current directory and press Enter:
pwd
Copy the path to a text file. The structure of the path differs depending on the order date of your contract.
Example (for contracts ordered up to and including September 14, 2025):/customers/homepages/12/d12345678/htdocs
Example (for contracts ordered from September 15, 2025):
/home/www/public/my-shop
Now create the .htaccess file. To do this, open the Nano text editor by entering the following command and confirming with the Enter key:
nano .htaccess
Copy the following block into the editor:
AuthType Basic
AuthName "Protected area"
AuthUserFile /PATH/TO/YOUR/FILE/.htpasswd
Require valid-userTo adjust the path, navigate to the AuthUserFile line using the arrow keys. Delete the placeholder /PATH/TO/YOUR/FILE/.htpasswd and insert the path that you determined above with pwd, supplemented by /.htpasswd.
The line should look like this at the end:
Example (for contracts ordered up to and including September 14, 2025):AuthUserFile /customers/homepages/12/d12345678/htdocs/my-shop/.htpasswd
Example (for contracts ordered from September 15, 2025):
AuthUserFile /home/www/public/my-shop/.htpasswd
- To save the file, press Ctrl + O (Save), confirm with Enter and then press Ctrl + X (Exit).
Password protection is now immediately active.
Step 6: Testing
To test the password protection, complete the following:
Open your browser and navigate to your website. A login window should now open.
Enter the username and password from step 4 in the login window.
If the page loads, the setup was successful. If not, read the "Troubleshooting" section and carry out the configuration steps again if necessary.
Optional: Add additional users
You can add more users to your password file at any time:
Change to the directory in which you have set up password protection (see step 3 above: Change to the target directory).
Enter the passwd command according to the following scheme:
Please Note
If you add additional users, never use the "passwd" command with the -c (or -Bc) option. The "c" stands for "create" (create new). If you use this option, your existing file will be overwritten and all previous users will be deleted.
htpasswd -B .htpasswd <USERNAME>
Before executing, replace the placeholder <USERNAME> with the name of the user you want to add.
Troubleshooting
Error 500 (Internal Server Error)
If you receive the error message 500 after activating password protection on your site, this usually indicates an error in the .htaccess file.
- Cause: The most common cause is that the path for AuthUserFile is not 100% correct. Therefore, check it again with pwd.
- Solution: To make the page accessible again, delete the .htaccess via FTP or SSH (rm .htaccess) and then repeat step 5.
No password request
If no password is requested, the .htaccess is probably in the wrong folder. Therefore, check whether you are in the directory of the website (see steps 1 and 3).
Content
- The principle briefly explained
- Step 1: Determine target directory
- Step 2: Establish SSH connection
- Step 3: Change to the target directory
- Step 4: Create user and password file (.htpasswd)
- Step 5: Configure protection (create .htaccess)
- Step 6: Testing
- Optional: Add additional users
- Troubleshooting
- To top