Help Centre
Home Hosting Other Scripting and Programming Languages

Setting up password protection using .htaccess and SSH

This article describes how to set up a password-protected area for your website using an .htaccess file.

With server-side password protection, the web server carries out the authentication itself. This method is more secure than client-side password protection (e.g. with JavaScript), which is executed in the browser and is therefore easier to bypass.

Requirement

You will need a hosting product with SSH access for these instructions.

Note

The following instructions require basic knowledge of SSH, the Linux command line, and the use of SFTP (Secure File Transfer Protocol) for file transfer to the website's webspace.

No experience with SSH and SFTP? If you ordered your plan before September 11, 2025, your IONOS account offers a more user-friendly alternative: you can set up server-side password protection even without this prior technical knowledge. You can find detailed information in the article Setting up protected directories in webspace.

Overview: How to set up password protection

The setup takes place in three steps:

  • You create a password file with the desired users.
  • You create an .htacces file to configure the password protection.
  • You activate the password protection.

The individual steps are described in detail below.

Create password file (.htpasswd)

For the password protection to work, a password file is required that contains the authorised users with the corresponding passwords. Use the following steps to create a password file with the name .htpasswd that contains your first user:

  • Log in to your web space or server via SSH. You can find detailed information in the article: Connecting to your webspace via Secure Shell (SSH) using PuTTY.

  • Enter the htpasswd command in the terminal window according to the following scheme:

    htpasswd -Bc .htpasswd <user>

    Replace the placeholder <user> in the command with the name of the user you want to create. For example, to create the user jdoe , enter the following command.

    htpasswd -Bc .htpasswd jdoe

  • Execute the command by pressing the Enter key. 

    You will now be prompted to specify the user password.
  • Enter the desired password and confirm with Enter.

    A password file with the name .htpasswd is created, which contains the user name and password. The password is stored in encrypted form and can therefore no longer be viewed later. The cryptographic hash function bcrypt, which was specially developed for storing passwords, is used for secure encryption.

Create .htaccess file

  • Open a text editor on your computer (e.g. Notepad) and copy the following lines of code into it:

    AuthType Basic
    AuthName "Enter your access data"
    AuthUserFile /kunden/homepages/xx/xxxxxxxxx/htdocs/.htpasswd
    require user username

  • Adapt the code to your project:
    • The AuthName line contains the text in quotation marks that is displayed as the title for the password prompt dialog box. You can change this text as you wish.

    • The AuthUserFile line must contain the full path to your password file. 
      If you are connected to your web space via SSH, you can display the path to your web space by entering the command pwd in the terminal window and then pressing Enter.

      (uiserver):u123456789:~$ pwd
      /customers/homepages/12/d12345678/htdocs

    • After require user , enter the user that you have created with the password file. Pay attention to the correct capitalisation.

    • The fully configured .htaccess file would then look like this, for example:

      AuthType Basic
      AuthName "Enter your access data"
      AuthUserFile /kunden/homepages/12/d12345678/htdocs/.htpasswd
      require user jdoe

  • Save the file with the name .htaccess.

Activate password protection

To activate password protection, upload the prepared .htaccess file via FTP to your webspace in the directory to be protected. If you want the password protection to apply to the entire website, upload the .htaccess file to the root directory of your website.

The directory protection is active immediately. The next time you open the directory or page in the browser, you will receive the login prompt.

Optional: Add further users

You can add more users to your password file at any time.

To add a user, execute the htpasswd command in the terminal window according to the following scheme:

htpasswd -B .htpasswd <New_User>

Before executing, replace the placeholder <New_User> with the name of the user you want to add. For example, to add the user janed to your password file, enter the following command:

htpasswd -B .htpasswd janed

Please Note

Pay attention to the correct spelling of the command. When adding further users, only the parameter -B as in the examples above may be passed to the htpasswd command. The -Bc parameter, as used when creating the password file, must not be used at this point. Otherwise, your existing users will be deleted as the password file will be recreated.

Content