I use XAMPP for Windows (Apache, MySQL and PHP) on my dev machine. Recently I made htdocs public. This runs the dashboard by default. Obviously, this is a big security hole. Here is a guide on how to fix this. My path to XAMPP's htdocs is F:\xampps. I am going to use $X to represent this. You need to substitute your path.
In the directory $X\htdocs is index.php, which invokes dashboard using the PHP header command. Replace this with whatever you would like to display. On my PC, I am displaying a list of all the websites that I am working on. You may choose to leave it as is, so that it still runs dashboard.
I am protecting the $X\htdocs\dashboard directory. But you can protect any directory. There are two parts to this:
The first task is to find a program that will do the work for you. This is htpasswd.exe and here are the steps:
Open cmd.exe. You can do this using WIN+R and typing in cmd.exe.
.htpasswd is the name of the new password file. In this example it will create it in the bin directory. It should not be under htdocs. You can put in whatever directory and file name you like.
-c creates a new file.
-b accepts the password from the command line. If you omit it, you will be asked twice to enter the password to confirm.
user is whatever username you want. It is best to not use admin.
password is whatever password you want. It is best to make this complex.
I did not need to restart Apache for this to work. You may need to restart for this to take effect.
The second task is to protect the directory. I am protecting the $X/htdocs/dashboard directory. But you can protect any directory.
This is achieved by creating a file .htaccess in that directory.
In the $X\dashboard directory, if .htaccess is missing then create a new text file.
AuthName "Protected $X\apache\htdocs\dashboard"
AuthType Basic
AuthUserFile $X\apache\bin\.htpasswd
Require valid-user
.htaccess
Forward slashes work for me. On your system, they may need to be backslashes.
AuthUserFile should be the location of the password file you just created. I am using an absolute path; it could be relative.
AuthName is quoted and contains the protected directory name. I have shown it as an absolute path. Just dashboard works for me.
If you have multiple users in the password file, then any of those users can gain access using their own passwords.
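The two tasks above as one batch file, with a check that the protection is actually enforced. This is an added example, not the author's original commands. Assumptions: the username devuser is made up, the dashboard is served at http://localhost/dashboard/, and curl.exe is available (it ships with recent Windows 10 and 11).

```batch
@echo off
rem Added example. X is the XAMPP root (the page's $X); change it to your path.
set "X=F:\xampps"
set "PWFILE=%X%\apache\bin\.htpasswd"
set "DIR=%X%\htdocs\dashboard"

rem Task 1: create the password file outside htdocs so Apache can never serve it.
rem -c creates the file. Use -c only the first time: it overwrites an existing
rem file and would wipe users already in it.
rem -B selects bcrypt hashing (Apache 2.4 htpasswd).
rem -b is left out on purpose: htpasswd then prompts twice for the password,
rem so the password never appears on the command line.
"%X%\apache\bin\htpasswd.exe" -c -B "%PWFILE%" devuser
if errorlevel 1 exit /b 1

rem To add another user later, run the same command without -c, for example:
rem   "%X%\apache\bin\htpasswd.exe" -B "%PWFILE%" seconduser

rem Task 2: write .htaccess into the directory being protected.
rem AuthUserFile is written with forward slashes, which the page reports working.
set "PWFWD=%PWFILE:\=/%"
(
  echo AuthName "Protected dashboard"
  echo AuthType Basic
  echo AuthUserFile "%PWFWD%"
  echo Require valid-user
) > "%DIR%\.htaccess"

rem Check: a request without credentials must be refused.
rem Expected status line: HTTP/1.1 401 Unauthorized
rem If it shows 200 instead, Apache is ignoring .htaccess for this directory;
rem check that AllowOverride in httpd.conf permits AuthConfig (or All) there.
curl.exe -s -I http://localhost/dashboard/ | findstr /B "HTTP/"
```

Basic authentication sends the password base64-encoded, not encrypted, so on a publicly reachable server it should only be used over HTTPS.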