How to Protect Web Hosted Folders with Passwords - dummies

How to Protect Web Hosted Folders with Passwords

By Peter Pollock

One of the most overlooked functions of server security is the capability to password-protect certain web hosted folders at the server level. In the UNIX/Linux operating system, you can protect folders and files using file permissions. You can add an additional level of protection for web users, allowing them access only to the pages in a folder if they have the correct password.

Sometimes people want to protect certain areas of their websites and they do this by using a password-protection system on the site itself: This is a perfectly valid way to achieve that level of protection. However, you do not need to add the extra software to do that through the website; the server already has the facility built in.

All web servers provide this functionality, and it is activated in a similar way across-the-board. In cPanel, you complete the following steps to add password protection to files and folders:

  1. Log into cPanel and scroll down to the Security section.

  2. Click Password Protect Directories.

  3. If a box pops up, select the domain that you want to protect.

  4. Select the folder you want to protect.

    In cPanel, directories can only be protected if they are directly in the web root. Note that all subfolders of the folder you protect will also be protected by the same password.

    Note that in cPanel the word Directories is often used, but in this case the term is folders. The two words can be used interchangeably. Techies tend to call them directories, but when you are viewing a directory structure using a Graphical User Interface (GUI), icons are used and the icon for a directory is a picture of a folder.

  5. On the password protection page, click the Password Protect This Directory box, give the directory a name, and then click Save.

    This name appears when someone tries to access the directory and is prompted for a username and password.

  6. Create at least one user for the password-protected directory. Type the username and the password (twice).

  7. Click Add/Modify Authorized User.

    A confirmation screen appears.

  8. Click Go Back and at the bottom of the screen you see the name of the authorized user you just created.

    You can now add additional users if necessary. All users created for each folder have the same level of access.


That directory is now password-protected; anyone who attempts to access it at any time will need to provide the authorized username and password.

There is no default or override password. If you forget the password you created, you need to go back into cPanel and modify it or create a new user.

The password protection does not apply to users connecting via FTP or using the file manager through cPanel. It is only for web users viewing pages within the folders.

cPanel’s password protection is created using an .htaccess file. This file is placed within the folder to be protected. Although web users cannot access this file, it can be overridden by another .htaccess file in the public_html directory. Do you think it sounds insecure?

Don’t worry; the public_html directory .htaccess file may be able to override the password protection, but a hacker cannot change that file unless he already has root access in the file system. When he has root access, the password protection doesn’t apply to him anyway.