Guides

.htaccess and .htpasswd hidden files

What are they for and how to modify them

The .htaccess and .htpasswd files are two text files typical of the Apache web server on the Linux operating system, but also present on Windows servers. The .htaccess file provides configuration directives for the web server, while the .htpasswd file holds the user names and passwords used to restrict access.
Normally, for security reasons, they are not visible (they are hidden files) and their display must be enabled. For example, if you try to access these files using an FTP client (e.g. FileZilla), to see them you must enable the FTP client to display hidden files.

How to create or edit .htaccess and .htpasswd

To create and edit the .htaccess and .htpasswd files, simply use any text editor (e.g. gedit on Linux, notepad on Windows), enter the code and save the document.

IMPORTANT The names of these files must be written without an extension and with a dot as the first character of the name. Therefore, make sure to check (e.g. using the folder and file explorer) that the name saved with the text editor is exactly .htaccess or .htpasswd, as some editors automatically add the extension .txt to the file name.

Windows users may not see file extensions when viewing files in the file and folder explorer: in this case, enable them by ticking the File name extensions box displayed when you click on the View button (see image below).

[Image: example for Windows users]

Examples of use

Here are some tips for using the .htaccess and .htpasswd files.

  • For a website to be accessed automatically using a predefined page (in the example, miahome.php), the following line must be inserted in the .htaccess file:

    DirectoryIndex miahome.php

  • To restrict access to a website folder to authorised users only, both .htaccess and .htpasswd files must be created. The .htaccess file must be placed in the folder to be protected and must contain the following directives (AuthName, which Basic authentication requires, sets the realm text shown in the browser's login prompt; the value here is only an example):

    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /percorso-htpasswd/.htpasswd
    Require valid-user

    Note that the 'AuthUserFile' directive must specify the path to the .htpasswd file (/percorso-htpasswd/ above stands for the folder where it is located). In addition, the .htpasswd file must contain pairs of user name and encrypted password in the format username:password-crypt, for example:

    pippo:fUOVQMStRIgoE
    topolino:RvWrHrHzrBNxI

    The password encryption must of course be carried out before the .htpasswd file is created.

    On the Linux operating system, the .htpasswd file can be generated using the htpasswd command of the Apache package; alternatively, specific online tools can be used.

    Attention: if you use the Basic authentication type (AuthType Basic), the HTTPS protocol is highly recommended, otherwise the password will be transferred unencrypted from the browser to the server.
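
The username:password-crypt format described above can be checked mechanically. The Python script below is an added example, not part of the original guide: it classifies the hash layout of each .htpasswd entry and reports the ones worth regenerating. The user names paperino and minni and the bcrypt-layout value are constructed for illustration.

```python
import re

# Recognisable layouts of the password field: (pattern, scheme, finding).
# An empty finding means there is nothing to report for that scheme.
SCHEMES = [
    (re.compile(r"\$2[aby]\$\d\d\$[./0-9A-Za-z]{53}"), "bcrypt", ""),
    (re.compile(r"\$apr1\$[^$]{1,8}\$[./0-9A-Za-z]{22}"), "apr1-md5",
     "legacy salted MD5; regenerate with bcrypt (htpasswd -B)"),
    (re.compile(r"\{SHA\}[+/0-9A-Za-z]{27}="), "sha1",
     "unsalted SHA-1; regenerate with bcrypt (htpasswd -B)"),
    (re.compile(r"[./0-9A-Za-z]{13}"), "des-crypt",
     "traditional crypt(): only the first 8 password characters count"),
]

def classify(field):
    """Return (scheme, finding) for one password field."""
    for pattern, scheme, finding in SCHEMES:
        if pattern.fullmatch(field):
            return scheme, finding
    return "unknown", "unrecognised format, possibly stored in clear text"

def audit(text):
    """Return [(line_no, user, scheme, finding)] for entries needing attention."""
    report = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # blank and comment lines are skipped
            continue
        user, sep, field = line.partition(":")
        if not sep or not user:
            report.append((line_no, user, "malformed", "expected username:hash"))
            continue
        scheme, finding = classify(field)
        if finding:
            report.append((line_no, user, scheme, finding))
    return report

# Constructed sample: the guide's two entries, a placeholder in bcrypt layout
# (not a real hash), a comment and one broken line.
SAMPLE = "\n".join([
    "pippo:fUOVQMStRIgoE",
    "topolino:RvWrHrHzrBNxI",
    "paperino:$2y$10$" + "A" * 53,
    "# comment",
    "minni",
])

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print("line %d: %s uses %s (%s)" % entry)
```

Both sample entries shown in this guide have the 13-character traditional crypt() layout, so the script reports them.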