How to password protect a single file with htaccess

The .htaccess file is a powerful tool where many behind the scene things are handled. In addition to things such as forcing a specific url formatting, it can also help with access to certain pages. Many sites have members only areas of their websites. These are either coded to check against a database with languages such as php, or grouped together into a single subfolder that is password protected via the cPanel.

There are times, however, when you may only want to password protect a single page that is in an otherwise public folder. Perhaps the program you built your site with does not create subfolders, such as the Premium Website Builder, and moving a file to a protected area would break the links on the site. This is where the htaccess file can help. Follow the instructions below as we guide you through password protecting a single file via your htaccess file.

Password protecting a single file on your website:

  1. First we want to create a username and an encoded password that we will use for the login. This is not done directly in the cpanel, but from a site on the web that can encode the word you want to use as your password. There are many sites that have scripts to do this.
  2. From the site link, copy and paste the code it gives you to a text editor as you will need it later. For reference, the format of the code it gives you is username:encoded_password.
  3. Next, you want to log into your cPanel.
  4. Find the Files category and click on the File Manager icon.

  5. You are now in the home directory of the hosting account. The home directory is not accessible from the web via a URL, so it is more secure. We want to create a password file here that will be used to check access for users trying to get to the file we are going to protect. You will want to create a new text file. To do so, find the New File icon from the top menu bar and click it.

  6. A popup will appear, asking to name the file. Here we named it .htpassword (Note that the filename begins with a period. This is intentional as it makes the file hidden.) Below that is a field to enter a path to store the file. Leave it blank so it will default to the root folder. Click on Create New File to continue.

  7. From here, click on the Settings button in the upper right corner.

  8. Click on the Show Hidden Files checkbox and then click Save.

  9. The new file is now in your account. In the right hand pane, scroll down until you find the file, then right click on it. Click on the Edit option from the menu that appears. A popup will appear, simply click on the Edit button in the lower right to continue.

  10. We are now in the editor. Cut and paste the username and password code you were given before. Keep the code as a single line and do not edit it. Click on the Save Changes button to save the file.

  11. Now, we want to move to the root folder for your domain and alter the .htaccess file so that visitors are challenged with the login prompt. If you are working with the primary domain, double click on the public_html folder to enter. For addon domains, double click on the public_html folder and then find the subfolder that is the root for the domain and double click that one to enter its root. For our example, we are using the primary domain. Locate the .htaccess file and right click it as you did before with your password file. This also brings up a menu. Find and click on the Edit option. If you get a popup box, simply find and click the Edit button in the lower right corner to continue to the editor.
  12. You are now in the text editor for the .htaccess file. Place the following code into your htaccess so that it prompts the visitor for a login.
    AuthUserFile /home/user/.htpassword
    AuthName “name of login prompt”
    AuthType basic
    <files pagename>
    require valid-user

    The pagename should be the exact page in that directory, not an absolute path.
    For example: /home/user/public_html/wp-login.php would just have wp-login.php in the .htaccess file in that directory.

  13. Before you save it, there are a few items to change. First, change ‘/path/to/htpasswd/file/.htpassword‘ to the actual path to your .htpassword file. For example, your path would look like /home/username/.htpassword (be sure to replace ‘username’ with your real cpanel username.)
  14. Second, change the AuthName to something meanignful. This is the title of the login prompt.
  15. Third, the file name needs to reflect the name of the page you are protecting. Change ‘mypage.html‘ to the actual file name.

  16. Click on the Save Changes button at the top to save the file.
  17. Visit the page on your site to ensure that it is asking for the login. Once you log in, the site will likely not ask again when you return as the browser remembers your previous visit.

12 thoughts on “How to password protect a single file with htaccess

  1. It doesn’t work for protecting a ZIP file from downloading it. I tried almost everything to make it work to no avail! …
    It does work for blocking access to a .php file or similar page files but that’s about it …

    1. Hello Nikos – thanks for pointing this out. This has to do with how the file is being accessed since the browser treats the zip differently from a file that it can read like a PHP file. Probably the easiest thing to do would be to change the permissions of the file. If you change it to 640, then the owner of the file can still access it and it won’t be accessible by the public. Another thing you can do is to put any zip file that you want to restrict access into a directory and then password-protect that directory ( Those would be the simplest solutions to this problem.

  2. Hi I was trying to create a password protected html file and followed the steps laid out above. However, I keep getting a Error 500-Internal Server Error message when I try visiting that page. I am not sure what I am doing wrong. There are some existing rules but will changing that cause any problems to the entire site?

    1. Hello, Helen! Are you trying to set this up on a WordPress site by any chance? WordPress sites require a great deal of default data in the .htaccess file. On top of that, many plugins will add custom data to the .htaccess file as well. Depending on what file you tried to set to private, you may be disrupting WordPress’s loading process (or simply have affected something else in the .htaccess file). The instructions provided in this article are usually used with a simpler (or custom) site design rather than a generated site like WordPress. If you aren’t using a WordPress site, please double check the file path and make sure it isn’t accidentally going to a different directory/level than originally intended. Hope that helps!

  3. FYI, the link in this article to is not secure, and when I accept the insecure link the page says “Not found.” Please update the post to a helpful website. Thanks.

  4. I had similar “it didn’t work” experiences.  Turns out that my webhost has a much deeper path to the .htpasswd file.  When I obtained their full absolute path, it worked.

    For, example, instead of the path as I saw it starting at my webroot:

    AuthUserFile /security/.htpasswd

    I needed to put the path from the root of the host web server:

    AuthUserFile /home/content/xx/yyzz/html/security/.htpasswd

    Once I made that change, it worked fine.
  5. I did same thing step by step, and got this:
    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.
    Please contact the server administrator at [email protected] to inform them of the time this error occurred, and the actions you performed just before this error.
    More information about this error may be available in the server error log.
    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

    1. Check any other existing rules, as they may be interfering with this one. It may be helpful to comment them out one-by-one.

      Thank you,

    1. Hello Ahmed,

      Can you post what you put in your .htaccess file so we can make sure you have all of the required information? You can modify anything that is considered sensitive such as your cPanel username.

      Best Regards,
      TJ Edens

Was this article helpful? Let us know!