Create proper password for .htaccess log-in in “.htpasswd” file

Be careful when editing and saving an “.htaccess” file on your site, it is very fickle and one small misspelling will throw a “Server 500 Error” which is never pleasant. You may be apprehensive to go online and use an “.htaccess password generator”, so here’s a way to make your server secure without going on a website that records your IP address and the username and password unencrypted. Doesn’t sound very safe. Though there is a tool available on this site to do just that, I can assure you we don’t record any input here, but that doesn’t mean someone else isn’t snooping during your session online, though.

So here’s a simple PHP snippet to generate the proper password. It is highly recommended that the “.htpasswd” file containing the username and password are stored OUTSIDE of your web root folder in a folder above so normal public visits and crawlers are more apt to have difficulty infiltrating and finding the proper file.

< ?php
// Password to be encrypted for a .htpasswd file
$straight_pwd= 'my password';

// Encrypt
$password = crypt($straight_pwd, base64_encode($straight_pwd));

echo $password;


To set up any folder or your entire site with a log-in provides many benefits, one major benefit is that it locks down any development environment from outside snooping and search engine crawling. It also adds another level of security for sensitive areas of your website. So, each folder can have a different log-in, or the log-in requirement can be removed by customizing .htaccess wherever you need this unique security.

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user

By the way, you don’t have to use the file name “.htpasswd”, as a matter of fact, you should use something that isn’t so common or obvious to help obfuscate where you are actually hiding the passwords to begin with. Also, don’t forget to include the settings in your .htaccess file to protect snoopers from being able to view your .htaccess file if this isn’t activated or default on your web host.

Usually in code the pipe, “|” stands for “”or”.

#Deny access to all files ending with .htaccess,.custom-private or .config

Order allow,deny

About Author:

Senior Cloud Software Engineer and 25+ years experienced video production, video editing and 3D animation services for a variety of global clients including local video production here in Jacksonville, Florida.

Leave a Comment

Your email address will not be published. Required fields are marked *