Password-Protecting a Web Site

You can password protect areas of your website through the Password Protection tool in your shared hosting account. IT's in IIS/.NET in the mail navigation. It can sometimes take awhile for this page to load. It's scanning all your folders on the server looking to see if a folder have password protection setup. More folder equals the longer it takes to load.

Alternatively, you can easily password-protect your Web site by creating what are called .htaccess files. Please note that our .htaccess files are not the same as the ones used by the Apache Web server and cannot be used to change the Web server settings for your site.

The first thing you have to do is place your password-protected files in a subdirectory within your account via FTP. Then, place the appropriate .htaccess file in that subdirectory. You also need to decide where you want to store your userlistfile, which contains a list of users having access to the files and their passwords. For security sake, you should store this file in your db folder, which is not accessible through the Web.

When you have decided where the .htacess file will go, you must create it using your FTP client and put the following text into it, making sure to replace the path to the userlist file with the correct one:

AuthName groupname
AuthType Basic
AuthUserFile e:/web/public_html/nbvbn/db/userlist.txt
Require valid-user

If you are having problems creating the .htaccess file, it is likely because Windows will not let you create a file whose name begins with a period. In this case, you can create it by typing echo "" > c:\.htaccess in your Run dialog box (click Start, then Run) and then opening the file c:\.htaccess using your text editor.

Once you have done this, you need to create your userlist file, which is extremely straightforward. You simply put one username:password pair on each line of the file. For example:


To increase the security of your userlist, you can download the application htpasswd.exe to create Apache-style crypt passwords. You are strongly advised to do this for your own password protection.

After you have done both of these things, you will be prompted to enter your username and password when you attempt to enter the password-protected area of your site.

Note that if you see an error page that starts with IISPassword The page cannot be displayed, and lists the error HTTP Error 500, then there is something wrong with the .htaccess file - probably something mistyped or it's using a construct that's not valid with our software - this is common when testing software designed to work with Apache since it's .htaccess file has many more options that don't apply to IIS.

Was this answer helpful?

 Print this Article

Also Read

Upgrade Database

Copy data from one database to another It's a very simple process and one that can be done in...

Setting up a permanent 301 redirect via .htaccess

A permanent 301 redirect in your .htaccess file lets search engines and others know that an old...

Using Sendmail

Sendmail is primarily a UNIX mailer daemon used to send e-mail. Many scripts call this program...

I would like to make a Wildcard Subdomain

Wildcard subdomains let URLs like bring up the same Web site. Although...

How to connect with FTP, SFTP or FTPS

Old hostnames like,, or no...