Exposing staging environments, admin panels, or internal tools without authentication is a silent risk that bites when you least expect it. Apache’s htpasswd gives you a quick, effective layer of access control without needing a full auth system.
Why htpasswd?
For directories that don’t warrant a full login system — staging sites, phpMyAdmin, internal dashboards — htpasswd is perfect. It’s built into Apache, requires no database, and takes less than five minutes to set up.
Step 1 — Create the Password File
# Install apache2-utils if not present
sudo apt install apache2-utils
# Create the password file and add the first user
# (-c creates the file and overwrites an existing one, so use it only once)
sudo htpasswd -c /etc/apache2/.htpasswd smjrifle
# Add additional users (omit -c so the file is appended to, not replaced)
sudo htpasswd /etc/apache2/.htpasswd anotheruser
# Optional: add -B to store bcrypt hashes instead of the default MD5-based apr1 format
Step 2 — Configure the Directory
Edit your virtual host config or the directory’s .htaccess file:
<Directory /var/www/html/protected>
    AuthType Basic
    AuthName "Restricted Area — Authorised Access Only"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
Or in .htaccess (the virtual host must permit this with AllowOverride AuthConfig for that directory, otherwise Apache will not apply these directives):
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Step 3 — Enable mod_auth_basic and Reload
sudo a2enmod auth_basic
sudo apache2ctl configtest   # catch syntax errors before reloading
sudo systemctl reload apache2
Hardening Tips
- Store the .htpasswd file outside the web root — never inside /var/www/html
- Use HTTPS. Basic auth over HTTP sends credentials in near-plaintext (base64 encoded, which is trivially reversed)
- Combine with IP allowlisting for sensitive areas: Require ip 203.0.113.0/24. Put it and Require valid-user inside a <RequireAll> block; two Require lines side by side are treated as alternatives, so either a password or the right source address alone would be enough
- Rotate passwords regularly and remove stale users
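The allowlisting tip is easy to get backwards, so here is an added example (not from the original post) showing the weak and the corrected way to combine Basic auth with an IP restriction. It reuses the directory, password file and subnet from this article; use one block or the other, not both.

```apache
# WEAK: in Apache 2.4, several Require lines at the same level are treated as an
# implicit <RequireAny>. This block admits anyone from 203.0.113.0/24 WITHOUT a
# password, and everyone else with one, so it is looser than the password alone.
<Directory /var/www/html/protected>
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
    Require ip 203.0.113.0/24
</Directory>

# CORRECTED: <RequireAll> demands BOTH an allowed source address AND a valid user.
# A request from another network is rejected even with correct credentials, and a
# request from the allowed subnet still has to authenticate.
<Directory /var/www/html/protected>
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/apache2/.htpasswd
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</Directory>
```

Run apache2ctl configtest after editing, then reload; mod_authz_host (the `Require ip` provider) and mod_auth_basic must both be enabled.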
Simple security measures applied consistently beat complex solutions applied inconsistently. #HackLife