Skip to main content

Knowledge base

Using the .htaccess to Restrict Access on an Apache Web Server

For an Apache web server, website access restriction is written into the .htaccess file, which is found in the root directory of the website. It can also be created individually for each directory.

The .htaccess file is a text file containing a set of directives for the Web server that apply to the directory and all of its subfolders. If any subfolder has its own .htaccess file, then that subfolder and all of its subdirectories are subject to the directives of the local file rather than that of the root directory.

The .htaccess file contains additional web server configurations. For example, access settings, redirects, special pages, etc. Access to website directories can be restricted in several ways:

Restricting by IP

Restricting by IP denies website directory access for the specified IP address. To do this, append the following directives in your .htaccess file.

order allow, deny

This directive determines the order of the blocking rules. In this case - the directive first allows, then denies access. This must be present at the beginning of the block of restrictions.

deny from

The directive denies access from the IP address Use this format if you need to have all access requests from the indicated IP address denied. It will apply to all web pages in the current directory, as well as the subfolders (if they do not have customization).

deny from 3a04:250::6f0a:8f06:a4e1:7e10

This directive works similarly to the previous directive; here, the IP address is in the ipv6 format.

deny from 10.5

This directive denies access from all IP addresses beginning with 10.5, i.e. from an address subnet.

deny from

This performs a block of the IP address subnet within the specified range. The HostnameLookups option works in this format.

deny from

Blocks connections coming from

allow from all

This directive allows access for all website requests.

You can combine the above directives into a single unit, depending on what you want to deny/allow.

For example, block

order allow, deny

deny from 3a04:250::6f0a:8f06:a4e1:7e10

allow from all

means that all allow-lines will execute first, followed by the deny-lines. Access will be allowed for all requests, except for those coming from the IP address 3a04:250::6f0a:8f06:a4e1:7e10.

Restricting by Password

To use the directives described below, enable the Apache web server auth_basic, authn_file modules.

To do this, append the following directives in your .htaccess file.

AuthType Basic

AuthName "Password required to access"

AuthUserFile /path/to/.htpasswd

htpasswd is the utility for password generation found in the /bin directory of web server. Use this to create a file with a password by running the command

htpasswd -bcm /path/to/.htpasswd username userpassword

“b” indicates that the password is specified on the command line, “c” indicates the need to create a new file, and “m” indicates the type of encryption - MD5. “.htpasswd” is the name of the file created, “username” is the name of the user for whom the password is generated, with “userpassword” standing for the password of the user.

As a result, an .htpasswd file will be created with the content:


To add a user to the existing .htpasswd file, run the command

htpasswd -bm /path/to/.htpasswd username1 userpassword1

To remove a user from .htpasswd, run the command:

htpasswd -D /path/to/.htpasswd username1

For more information on all possible keys, please reference the following:


htpasswd [-cmdpsD] passwordfile username

htpasswd -b[cmdpsD] passwordfile username password

htpasswd -n[mdps] username

htpasswd -nb[mdps] usernaine password

-с                   Create new file.

-і                    Not update file, display the result on the screen.

-m                 Encrypt password using [[MD5]].

-d                   Encrypt password using [[CRYPT]] (default).

-р                   Do not encrypt password (plain text).

-s                   Encrypt password using [[SHA]].

-b                   Specify the password in the command line parameter.

-D                  Remove the specified user.

On [[Windows]], [[NetWare]] and [[TPF]] systems ‘-m’ flag is used by default.

On all other systems ‘-р’ flag can be non-operational.
Return to category