Directory Privacy: Secure folders with a password (htaccess/htpasswd)

Directory Privacy: Protect folders with a password (.htaccess/.htpasswd)

With Directory Privacy in cPanel, you can add an extra layer of password protection to individual folders on your website. Visitors who access this area in their browser will first need to enter a username and password before they can view the content.

This feature is particularly helpful if certain areas of your website should not be publicly accessible. Typical examples include test installations, internal download areas, basic client areas, staging versions, development environments, or administrative helper folders.

Technically, this feature usually works using a combination of .htaccess and .htpasswd. The .htaccess file controls access to the directory, while the .htpasswd file contains the authorized users and their encrypted passwords. cPanel automatically handles the setup of these files through a graphical interface.

What is directory privacy suitable for?

cPanel Directory Privacy is a simple and effective way to protect specific website areas from public access. It is particularly suitable for static or semi-public areas that do not have their own login system.

Suitable use cases include, for example:

• Test versions of a website before publication,
• Staging or development environments,
• Internal download folders,
• Temporary client approvals,
• Simple project areas,
• Non-public documentation areas,
• Protected demo installations,
• Additional protection for administrative helper folders.

Directory privacy is especially practical if you want to secure an area quickly and without programming. However, it does not replace a fully-fledged user, role, or permission system within a web application.

What directory privacy cannot achieve

Password protection at the directory level is useful, but it has clear limitations. It protects against direct access via the browser, but it is not a complete security solution for complex applications.

• It does not replace a secure CMS or shop login.
• It does not protect against access via FTP, SFTP, SSH, or the File Manager.
• It does not replace regular updates to your website software.
• It does not fix security vulnerabilities in plugins, themes, or scripts.
• It does not protect database content independently of the application.
• It is not intended as a standalone security measure for highly sensitive data.

For highly confidential content, you should additionally check whether it needs to be located in the publicly accessible web directory at all. Very sensitive files should, if possible, not be stored in a folder that can be reached directly via the website.

How does the protection work technically?

When a visitor accesses a protected folder in their browser, the web server first requests login credentials. Only when the username and password are correct will the content be delivered. The prompt usually appears as a browser login window.

In the background, two components are normally used for this:

• .htaccess: Contains the instructions stating that the directory is protected and specifying which authentication is used.
• .htpasswd: Contains the authorized users and their associated password hashes.

You do not need to create these files manually. cPanel handles this via the Directory Privacy feature. This reduces errors and is the safest way for most clients.

Step 1: Open Directory Privacy in cPanel

To protect a folder with a password, first open the corresponding feature in cPanel.

1. Log in to your cPanel account.
2. Go to the Files section.
3. Click on Directory Privacy.
4. You will now see a folder structure of your hosting account.

Depending on the cPanel language and theme, the name may vary slightly. The feature is normally located in the file tools section.

Step 2: Choose the right folder

Selecting the correct folder is crucial. If you accidentally protect the wrong folder, another area of your website might suddenly display a password prompt.

• Click on the folder icon to open subfolders.
• Click on the name of the folder you want to protect.
• A lock icon frequently indicates that a directory is already protected.

For example, if you protect the folder public_html/test, the protection will affect this test folder and normally also the subfolders beneath it. Conversely, if you protect public_html itself, your entire main website may only be accessible after entering login credentials.

Step 3: Activate password protection

After selecting the desired folder, you activate the actual protection.

1. Click Edit next to the desired folder or select the folder name.
2. Check the box Password protect this directory.
3. Enter a clear, comprehensible name in the Name for the protected directory field.
4. Click Save.

This name will be displayed to visitors in the login window or authentication dialog. Therefore, use a neutral and clear name such as Internal Area, Client Area, or Testing Environment.

Avoid names that reveal unnecessary technical information, such as exact project names, internal system notes, or hints about highly sensitive content.

Step 4: Create users for the protected folder

Once protection is activated, you need at least one authorized user. Without a user, no one can enter the protected area.

Pay attention to the following points regarding usernames and passwords:

• Do not use easily guessable usernames like admin or test.
• Use long, random passwords.
• Use unique login credentials for each user.
• Do not share passwords unencrypted via email.
• Delete users when access is no longer required.

If multiple people need access, it is better to create a separate user for each person. This allows you to specifically remove individual access permissions later without having to change the password for everyone.

Inheritance: Subfolders are automatically protected

This inheritance is desirable in many cases. However, it can also come as a surprise if a protected folder contains files that are actually meant to be embedded publicly. Therefore, check whether images, CSS files, JavaScript files, or downloads are required within the protected area.

If a public website suddenly appears without images or formatting, it could be because CSS, JS, or image files are located in a protected directory and the browser is not allowed to load them without logging in.

Typical Application Examples

1. Protect a test website from search engines and visitors

If you are preparing a new website in a subfolder like public_html/test, you can protect this folder with a password. This allows clients, developers, or internal employees to review the website while keeping it inaccessible to normal visitors.

2. Securing a download folder

A folder containing private documents, PDFs, or project files can be additionally protected. Note, however: for highly confidential documents, simple directory privacy is not always sufficient. In such cases, it should be evaluated whether a professional client portal or another secure transfer method is better suited.

3. Additional protection for administrative helper areas

Directory privacy can serve as an extra hurdle for certain administrative areas. However, it does not replace the actual login system of your application and should not be used as the sole protection for outdated or insecure software.

Manage users, change passwords, or delete users

In the Directory Privacy feature, you can see the authorized users for the selected folder. There, you can remove users or update passwords.

Typical management tasks include:

• Creating a new user for an additional person,
• Changing the password of an existing user,
• Removing a user who no longer requires access,
• Deactivating access after project completion,
• Deleting users following a change in personnel.

If a password has been compromised or is known to too many people, you should change it immediately. It is even better to use separate user accounts so that you can deactivate individual access permissions in a targeted manner.

Remove password protection completely

If the protected area should be publicly accessible again, you can deactivate directory privacy.

1. Open Directory Privacy in cPanel.
2. Select the protected folder.
3. Uncheck the box next to Password protect this directory.
4. Save the change.

Depending on the browser, it may be useful to perform the test in a private window or a different browser, as the browser might cache saved login credentials.

Troubleshooting: Common problems and solutions

User cannot be created: Check permissions

If saving a user fails, it may be due to permissions or existing protection files. cPanel must be able to create or modify the necessary files for directory privacy.

Check in the File Manager whether the affected folder has sensible permissions. Permissions like 0755 are commonly standard for directories. In certain cases, more restrictive permissions may be required. However, do not generalizedly set permissions to 0777, as this can pose a security risk.

Directory Privacy and WordPress

For WordPress websites, directory privacy can be helpful but should be used with caution. WordPress uses its own routing rules and its own .htaccess file. Additional protection rules can affect the website depending on the folder structure.

Suitable examples:

• Password protection for a staging installation in a subfolder,
• Protection of a separate download folder,
• Temporary protection of a new website before publication.

It is less suitable to protect central WordPress folders such as wp-admin, wp-content, or wp-includes without careful consideration. Doing so can disrupt functions, assets, or AJAX requests. If additional protection for WordPress logins is desired, the specific configuration should be carefully reviewed.

Best Practices for Secure Directory Privacy

• Protect only the folders that really need to be private.
• Use strong, unique passwords.
• Create separate users for different people.
• Delete users when access is no longer required.
• Do not store highly sensitive data permanently in the public web area.
• Test protected areas in a private browser window.
• After activation, check whether images, CSS, and JavaScript load correctly.
• Do not edit .htaccess and .htpasswd files manually without a backup.
• Use HTTPS so that login credentials are not transmitted unencrypted.

FAQ on cPanel Directory Privacy

Does directory privacy also protect against FTP access?

No. Directory privacy only applies to access via the web browser using HTTP or HTTPS. FTP, SFTP, SSH, and the cPanel File Manager are not affected by it.

Are subfolders automatically protected?

Yes, as a rule, the protection also applies to subfolders of the protected directory. This may be desired, but should be taken into account for images, CSS, or JavaScript files.

Can I create multiple users for a protected folder?

Yes. You can create multiple authorized users. This makes sense if different people need access and you want to remove individual access permissions separately later.

Why does the browser keep asking for the password?

Possible causes include incorrect login credentials, cached old passwords, a faulty configuration, or resources being loaded from additional protected areas. Test access in a private browser window.

Can I use this to protect my WordPress website?

Yes, for example, a test installation or a staging folder. However, central WordPress folders should not be protected without careful consideration, as this can affect website functionality.

Is directory privacy secure enough for confidential documents?

It is useful for basic protected areas. For highly confidential or personal data, however, careful consideration should be given to whether a professional client portal, a secure transfer method, or another solution is better suited.