How to Create and Use .htpasswd

A .htpasswd file stores the usernames and passwords of users who access a site through HTTP Basic authentication. You create one to restrict access to a website’s content, whether at the primary URL or in a subdirectory, so that only authorized users can reach it. Each entry is a single line with the username and password separated by a colon. The username is stored in plain text, and the password is hashed, usually with Apache’s modified version of MD5.

The .htpasswd file is referenced from the .htaccess file in the website’s document root. The .htaccess file is a configuration file used by Apache-based web servers. It supports many directives, and one of them points to the .htpasswd file.

In this post, we will use an existing WordPress installation with the LAMP stack on Ubuntu 24.04 to configure HTTP authentication with the .htpasswd file. Creating and configuring it is straightforward and may take around 5 minutes. Let’s get started!

Prerequisites

  • A server with Ubuntu 24.04 as OS
  • WordPress installation with a LAMP stack
  • User privileges: root or non-root user with sudo privileges

Update the System

Before we start any action on the server, we will update the system packages to their latest versions available:

sudo apt update -y && sudo apt upgrade -y

Create .htpasswd file

To create the file, you can use the htpasswd command, which is available after the Apache web server installation. Since this tutorial uses WordPress with the LAMP stack, the command is already available on our server.

The syntax of the command is the following:

htpasswd -c "website_document_root"/.htpasswd "username" 

To create a .htpasswd file with the username “rhtest” in the document root “/var/www/html”, execute the command below:

htpasswd -c /var/www/html/.htpasswd rhtest

You will be asked to type the password twice, and once you set that, you should get the following output:

root@host:/var/www/html# htpasswd -c /var/www/html/.htpasswd rhtest
New password:
Re-type new password:
Adding password for user rhtest

To check the content of the “.htpasswd” file, execute the following command:

cat /var/www/html/.htpasswd

You will receive output similar to this:

rhtest:$apr1$rDodiIIG$p6Q1GpNmJsgW88nIa.nA6/

As you can see, the username is “rhtest”, and the password is hashed. The last step of this process is to set the correct permissions on the .htpasswd file:

chmod 644 .htpasswd
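The entry format described above can be checked mechanically. The script below is an added example, not part of the original tutorial: it reads an htpasswd file and names the hash scheme of each entry from its prefix. The function names and the rule that only bcrypt entries pass are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the hash scheme of every entry in an htpasswd file.

# classify_hash FIELD: print the scheme name for one stored password field.
classify_hash() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*) echo apr1-md5 ;;
        '{SHA}'*)  echo sha1-unsalted ;;
        '')        echo empty ;;
        *)         echo crypt-or-plain ;;
    esac
}

# audit_htpasswd FILE: print "user scheme verdict" per entry.
# Returns 1 when any entry is not bcrypt (policy assumed by this example).
audit_htpasswd() {
    status=0
    # "|| [ -n "$user" ]" keeps a final line that lacks a trailing newline.
    while IFS=: read -r user hash _rest || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac   # blank line or comment
        scheme=$(classify_hash "$hash")
        if [ "$scheme" = bcrypt ]; then
            verdict=ok
        else
            verdict=rehash
            status=1
        fi
        printf '%s %s %s\n' "$user" "$scheme" "$verdict"
    done < "$1"
    return "$status"
}

# Constructed sample: the rhtest line is the one shown above; the other
# two hashes are made-up placeholders, only their prefixes matter here.
sample=$(mktemp)
cat > "$sample" <<'EOF'
rhtest:$apr1$rDodiIIG$p6Q1GpNmJsgW88nIa.nA6/
editor:$2y$10$CONSTRUCTEDPLACEHOLDERSALTANDHASHVALUE0000000000000000
legacy:{SHA}CONSTRUCTEDPLACEHOLDER000000=
EOF
audit_htpasswd "$sample" || echo "entries marked rehash should be re-created with bcrypt"
rm -f "$sample"
```

An entry marked rehash can be replaced by running htpasswd with the -B option listed in the man page synopsis further down, which stores a bcrypt hash for that user.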

Import the .htpasswd File

The next step is to import the file into the .htaccess file of your WordPress. To do that, open the .htaccess file with your favorite editor and paste the following lines of code at the bottom of the file:

#Whole Document root (our document root is /var/www/html)
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /var/www/html/.htpasswd
Require valid-user

Save the file, close it, and restart the Apache2 web server.

These lines protect the whole website, including all of its directories and subdirectories.

If you want to secure only one specific file, for example wp-login.php, you can add these lines instead of the previous ones:

#Single file
<Files "wp-login.php">
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /var/www/html/.htpasswd
Require valid-user
</Files>

To protect multiple files, you can use the following lines of code:

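#Multiple files (file1.php and file2.php are placeholders for your own file names)
<FilesMatch "^(file1\.php|file2\.php)$">
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /var/www/html/.htpasswd
Require valid-user
</FilesMatch>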

To protect a subdirectory in WordPress, copy the .htpasswd file into that subdirectory or create a symbolic link to it there. The lines of code for protecting the “wp-admin” subdirectory, placed in the .htaccess file of that subdirectory, would be:

#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /var/www/html/wp-admin/.htpasswd
Require valid-user

More about htpasswd command

If you want to learn more about the “htpasswd” command, you can execute the command below:

man htpasswd

You should get the following output:

HTPASSWD(1)                                                                   htpasswd                                                                  HTPASSWD(1)

NAME
       htpasswd - Manage user files for basic authentication

SYNOPSIS
       htpasswd [ -c ] [ -i ] [ -m | -B | -d | -s | -p ] [ -C cost ] [ -D ] [ -v ] passwdfile username

       htpasswd -b [ -c ] [ -m | -B | -d | -s | -p ] [ -C cost ] [ -D ] [ -v ] passwdfile username password

       htpasswd -n [ -i ] [ -m | -B | -d | -s | -p ] [ -C cost ] username

       htpasswd -nb [ -m | -B | -d | -s | -p ] [ -C cost ] username password

SUMMARY
       htpasswd  is used to create and update the flat-files used to store usernames and password for basic authentication of HTTP users. If htpasswd cannot access
       a file, such as not being able to write to the output file or not being able to read the file in order to update it, it returns an error status and makes no
       changes.

       Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by htpasswd. This program  can  only  manage
       usernames  and  passwords stored in a flat-file. It can encrypt and display password information for use in other types of data stores, though. To use a DBM
       database see dbmmanage or htdbm.

       htpasswd encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's crypt() routine. Files managed by htpasswd  may
       contain  a  mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may
       have passwords encrypted with crypt().

       This manual page only lists the command line arguments. For details of the directives necessary to configure user authentication in  httpd  see  the  Apache
       manual, which is part of the Apache distribution or can be found at http://httpd.apache.org/.

OPTIONS
       -b     Use  batch  mode;  i.e., get the password from the command line rather than prompting for it. This option should be used with extreme care, since the
              password is clearly visible on the command line. For script use see the -i option. Available in 2.4.4 and later.

       -i     Read the password from stdin without verification (for script usage).

       -c     Create the passwdfile. If passwdfile already exists, it is rewritten and truncated. This option cannot be combined with the -n option.

       -n     Display the results on standard output rather than updating a file. This is useful for generating password records acceptable to Apache for inclusion
              in non-text data stores. This option changes the syntax of the command line, since the passwdfile argument (usually the first  one)  is  omitted.  It
              cannot be combined with the -c option.

       -m     Use MD5 encryption for passwords. This is the default (since version 2.2.18).

That’s it. You successfully created and configured the .htpasswd file on Ubuntu 24.04. Of course, you do not have to do this on your own. If you have difficulties with securing your website via HTTP authentication you only need to sign up for one of our NVMe Linux VPS plans and submit a support ticket. Our admins will help you with any aspect of securing your website. Feel free to contact us. We are available 24/7.
