Be careful when editing and saving an “.htaccess” file on your site. It is very fickle, and one small misspelling will throw a “Server 500 Error”, which is never pleasant. You may be apprehensive about going online to use an “.htaccess password generator”, so here’s a way to make your server secure without going to a website that records your IP address and your username and password unencrypted, which doesn’t sound very safe. There is a tool available on this site to do just that, and I can assure you we don’t record any input here, but that doesn’t mean someone else isn’t snooping during your session online.

So here’s a simple PHP snippet to generate the proper password. It is highly recommended that the “.htpasswd” file containing the username and password is stored OUTSIDE of your web root folder, in a folder above it, so that normal public visits and crawlers have a much harder time finding the file.

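<?php
// Password to be hashed for a .htpasswd file
$straight_pwd = 'my password';

// Hash with bcrypt and a random salt (never derive the salt from the password).
// Apache 2.4+ accepts the resulting $2y$ format in a .htpasswd file.
$password = password_hash($straight_pwd, PASSWORD_BCRYPT);

// Paste the output after "username:" in the password file
echo $password;

?>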
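
To check what an existing password file already contains, here is an added example (not code from the original post): a short Python audit that classifies each entry by hash format and tests whether the file sits under the web root. The sample entries are constructed and the `public_html` path is a hypothetical web root.

```python
import base64
import hashlib
import posixpath
import re

# Hash formats Apache accepts in an AuthUserFile; only bcrypt is kept as-is.
SCHEMES = [
    ("bcrypt", r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}", "ok"),
    ("apr1-md5", r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}", "regenerate"),
    ("sha1-unsalted", r"\{SHA\}[A-Za-z0-9+/]{27}=", "regenerate"),
    ("des-crypt", r"[./A-Za-z0-9]{13}", "regenerate"),
]

def classify(hash_field):
    """Return (scheme, verdict) for the text after 'user:'."""
    for name, pattern, verdict in SCHEMES:
        if re.fullmatch(pattern, hash_field):
            return name, verdict
    return "unknown-or-plaintext", "regenerate"

def audit(htpasswd_text):
    """Return (line number, user, scheme, verdict) for every entry."""
    findings = []
    for lineno, line in enumerate(htpasswd_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hash_field = line.partition(":")
        findings.append((lineno, user, *classify(hash_field)))
    return findings

def inside_docroot(auth_user_file, docroot):
    """True if the password file lies under the web root (absolute paths)."""
    f, d = posixpath.normpath(auth_user_file), posixpath.normpath(docroot)
    return posixpath.commonpath([f, d]) == d

# Constructed sample entries, not real credentials.
SAMPLE = "\n".join([
    "alice:$2y$10$" + "A" * 53,
    "bob:$apr1$saltsalt$" + "B" * 22,
    "carol:{SHA}" + base64.b64encode(hashlib.sha1(b"constructed").digest()).decode(),
    "dave:" + "C" * 13,
    "erin:constructed-plaintext",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print(inside_docroot("/home/path/public_html/.htpasswd", "/home/path/public_html"))
```

Any entry reported as `regenerate` should be rehashed with bcrypt, and a `True` from `inside_docroot` means the file should be moved above the web root.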

Setting up a log-in for any folder, or for your entire site, provides many benefits. One major benefit is that it locks down any development environment from outside snooping and search engine crawling. It also adds another level of security for sensitive areas of your website. Each folder can have a different log-in, or the log-in requirement can be removed, by customizing .htaccess wherever you need this unique security.


AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user

By the way, you don’t have to use the file name “.htpasswd”. As a matter of fact, you should use something that isn’t so common or obvious, to help obfuscate where you are actually hiding the passwords to begin with. Also, don’t forget to include the settings in your .htaccess file that prevent snoopers from viewing your .htaccess file, if this isn’t activated or the default on your web host.

Usually in code the pipe, “|”, stands for “or”.

# Deny access to all files ending with .htaccess, .custom-private or .config
<FilesMatch "(\.htaccess|\.custom-private|\.config)$">
Order allow,deny
Deny from all
</FilesMatch>


Here is some more .htaccess fun. I’ve seen these snippets around different websites for years, and I use this one as a template and customize it to my needs. It’s a good template because it lays out simple-to-understand functions within your .htaccess. Password protecting areas while still allowing your developers access is a great way to run a parallel environment on the exact server, under the exact conditions it will actually be running in. This technique can give developers faster feedback without disturbing the live site (unless, of course, some of their code bogs your server down, which can still happen).


# password protection allowing multiple resources
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null
Require valid-user
# allow public access to the following resources
SetEnvIf Request_URI "(path/to/directory1/)$" allow
SetEnvIf Request_URI "(path/to/directory2/)$" allow
SetEnvIf Request_URI "(path/to/file\.php)$" allow
SetEnvIf Request_URI "(path/to/file\.html)$" allow
SetEnvIf Request_URI "(path/to-another/resource/)$" allow
SetEnvIf Request_URI "(path/to-yet/another/resource/)$" allow
Order allow,deny
Allow from env=allow

# allow open access to entire site for select ips and sites
# (the addresses and names below are placeholders; replace them with your own)
Allow from 777.777.77.7
Allow from 888.888.88.8
Allow from 999.999.99.9
Allow from domains.tld
Allow from website.tld
Allow from example.tld
Satisfy any

.htaccess files give you the flexibility of controlling access and certain functions at the server level. Once you save your .htaccess and things run as expected, there are seldom any surprises if you maintain the same patterns for further customization, and they are very reliable. .htaccess files are powerful, but a single rogue character can bring your entire site down, so be very cautious when updating and editing .htaccess. Always use some kind of version control for quick restores!


Your Apache server usually comes with limits on the size of files you can upload. The default upload file size is usually only 2 MB, usually not even the average size of a JPG image these days. You will need to set the following 3 configuration options:

  1. “memory_limit” – The maximum amount of memory that a script is allowed to allocate. Basically, this prevents scripts from using up all available memory on a server.
  2. “upload_max_filesize” – The maximum size of a file.
  3. “post_max_size” – The maximum size of form post data.

Usually, “memory_limit” needs to be greater than “post_max_size”. You will usually be able to edit these settings in your .htaccess files. WordPress comes with an .htaccess file located in the root of the WordPress installation.

Add the following code to your .htaccess file after the “#End WordPress” comment, if it exists. If you update your .htaccess file in between the “#Begin WordPress” and “#End WordPress” comments, the next time you update almost anything in WordPress you will end up losing these customizations, because anything between these two comment lines is considered proprietary by WordPress and will be overwritten! Keep this in mind; it’s a pitfall for web developers new to WordPress!

Here are some basic settings to help you get started; you can adjust the values below to accommodate your needs. On some servers and hosts you may not have access to the .htaccess file. You may still be able to adjust these settings in “php.ini” or another configuration file from your host’s cPanel, but there are no guarantees. Often, hosts limit your values, so whatever you enter will be capped at your allotted maximum, and you will never be able to exceed it without asking them to accommodate you. After all, they have to limit the “unlimited bandwidth and storage” claims they make somehow.


php_value post_max_size 64M
php_value upload_max_filesize 48M
php_value memory_limit 256M
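
The pitfalls described above can be checked before a file goes live. This is an added example, not code from the original post: a small Python linter that flags size limits placed inside the WordPress marker block, typographic quotes pasted from a web page, and limits in the wrong order. The sample file is constructed, and the rule that “post_max_size” should exceed “upload_max_filesize” comes from the PHP manual rather than from this page.

```python
import re

UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
LIMIT = re.compile(
    r"php_value\s+(memory_limit|post_max_size|upload_max_filesize)\s+(\d+)([KMG]?)\s*$",
    re.I)

def lint(htaccess_text):
    """Return (line number, message) pairs for problems found in the text."""
    problems, limits, in_wp = [], {}, False
    for n, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        # WordPress rewrites everything between its own marker comments.
        if re.match(r"#\s*BEGIN WordPress", line, re.I):
            in_wp = True
        elif re.match(r"#\s*END WordPress", line, re.I):
            in_wp = False
        if not line or line.startswith("#"):
            continue
        if re.search("[\u2018\u2019\u201c\u201d]", line):
            problems.append((n, "typographic quote, Apache expects a plain one"))
        m = LIMIT.match(line)
        if m:
            size = int(m.group(2)) * UNITS[m.group(3).upper()]
            limits[m.group(1).lower()] = (n, size)
            if in_wp:
                problems.append((n, "inside the WordPress block, will be overwritten"))

    def check(bigger, smaller):
        if bigger in limits and smaller in limits and limits[bigger][1] <= limits[smaller][1]:
            problems.append((limits[bigger][0], f"{bigger} should exceed {smaller}"))

    check("memory_limit", "post_max_size")
    check("post_max_size", "upload_max_filesize")  # per the PHP manual
    return problems

# Constructed sample file with one instance of each problem.
SAMPLE = "\n".join([
    "# BEGIN WordPress",
    "RewriteEngine On",
    "php_value post_max_size 64M",
    "# END WordPress",
    "AuthName \u201cRestricted Area\u201d",
    "php_value upload_max_filesize 96M",
    "php_value memory_limit 64M",
])

if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
```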