Your cart is empty

Password protection via .htaccess

These instructions explain how you can lock a directory on an Apache web server and only release it for certain users via password protection. This can be useful in several cases:

  • You can protect your entire website from being accessed by search engine bots in order to prevent indexing. You should do this while you are creating a new website online or while making major changes to a website.
  • Such password protection is also recommended as permanent upstream protection for the Joomla administrator directory (backend). This makes it much more difficult for potential attackers to hack a website. If the access data is entered incorrectly, the server blocks the display of the login mask of the Joomla backend.
  • But you can also just protect directories that contain data that not everyone should access. This can be, for example, download directories or directories with sensitive data.


Setting up password protection

Two files are required for setup: .htpasswd und .htaccess

1. A period must be placed in front of the file name and the files must not have a file extension!
2. Since these files influence the server configuration, their use is not necessarily permitted. It is best to ask your hoster whether you can use these files! 

While the .htaccess is placed in the directory to be protected and takes on the actual task of password protection, the .htpasswd contains a list of the possible users who are allowed to access the directory. The .htaccess must contain the path to .htpasswd.

The best way to create and edit the two files is to use a text editor such as Notepad++ , PSPad or similar.

Creation of the .htpasswd

All user and password data are stored in the .htpasswd. Each line has 1 user and his password in encrypted form. Several users can be created. Do the following:

  • First create the .htpasswd!
  • The use of an online generator is recommended to generate the encrypted data. For example:
    Online generator
    Select "md5" as the encryption method!
    Never use the same access data as those for the Joomla backend!
  • Enter the generated user and password data in .htpasswd (1 line per user)!
  • The .htpasswd must now be uploaded to the web server!

In contrast to .htaccess, .htpasswd with the access data should not be placed in the directory to be protected or in one of its subdirectories for security reasons!

Creation of the .htaccess

The actual task of password protection is taken over by .htaccess. It not only protects the directory in which it is located, but also its subdirectories. Do the following:

  • Create the .htaccess!
    Note: If you want to protect the entire Joomla website, you may not need to create it! Because mostly a .htaccess already exists in the Joomla root. In this case you just have to add it by entering the following code at the top!
  • Next, enter the following code in the created or already existing .htaccess:
    AuthType Basic
    AuthName "Password-protected area"
    AuthUserFile /path/to/file/.htpasswd
    Require valid-user

    Important: The absolute path to .htpasswd must be specified in the code so that the user data can also be found. Otherwise access to the website or the directory is no longer possible. Most errors are made when specifying the path.
  • The .htaccess must now be uploaded to the directory to be protected, if it does not already exist!

When you call up your website or the directory in the browser, the query on the part of the web server for a user name and password appears. If you enter this access data correctly, the website is displayed or access to the directory is permitted. If the login details are incorrect, the query appears again..

Please note!
It makes a difference whether you access a website or directory via http or https. For example, if you call up your secure backend via http, the query will appear first. The server then forwards from http to https and the query appears again. After entering the correct information again, the login mask for the backend is displayed.
If, on the other hand, you call the backend directly via https, the query only appears once..


Deactivation / removal of password protection


Temporary deactivation

If you would like to temporarily remove the password protection, you only need to rename the .htaccess to htaccess.txt. However, if you have added the necessary lines to an existing .htaccess in the Joomla root, you must not rename the .htaccess, otherwise the other instructions can no longer be processed by the server. In this case, simply put the lines added for password protection as a comment by putting a # at the beginning of each line!!

Permanent removal of password protection

To completely remove the protection, simply delete the generated files .htaccess and .htpasswd from the server. However, if you only added the required lines to an existing .htaccess, then simply delete the added lines from the file. In this case you must not delete the .htaccess, otherwise the other instructions can no longer be processed by the server.


All prices quoted in Euro include the statutory German VAT of currently 19%. The final price can change after entering the billing information, for example if the order is placed as a company. The prices refer to the creation of the Quickstart packages.

Joomla! Trademark is not affiliated with or endorsed by The Joomla! Project™. Use of the Joomla!® name, symbol, logo and related trademarks is permitted under a limited license granted by Open Source Matters, Inc.

Joomla Logo