Technical guide for Hovixa users on implementing HTTP Basic Authentication (Basic Auth) to password-protect directories via cPanel and .htpasswd.

Directory Privacy: Basic Auth Configuration (.htpasswd)

Directory Privacy (HTTP Basic Authentication) provides a server-level security layer that challenges users for a username and password before any content is served by Apache. This is independent of your website's software (like WordPress or Laravel) and is managed via .htpasswd and .htaccess files. It is the most efficient way to secure staging sites, admin folders, or private asset directories.

1. Enabling Password Protection in cPanel

The cPanel interface automates the creation of the .htpasswd file, which stores the hashed passwords, and the corresponding .htaccess directives.

  1. Log in to cpanel.hovixa.com.
  2. Navigate to the Files section and click Directory Privacy.
  3. Locate the directory you wish to protect. Click Edit next to the folder name.
  4. Check the box for Password protect this directory.
  5. Enter a name for the protected resource: This string (the "Realm") appears in the browser's login prompt (e.g., "Private Staging Area").
  6. Click Save.

2. Creating Authorized Users

Once the folder is locked, you must provision the specific users who are allowed to pass the challenge.

  1. On the same Directory Privacy screen, scroll down to the Create User section.
  2. Username: Enter a unique identifier.
  3. Password: Generate a strong password. cPanel will automatically hash this using the MD5 or Crypt algorithm before storing it in .htpasswd.
  4. Click Save.

3. Manual Implementation Details (.htaccess)

When you enable Directory Privacy, cPanel injects the following block into the .htaccess file within that folder. Understanding this syntax is critical for troubleshooting:

AuthType Basic
AuthName "Private Staging Area"
AuthUserFile "/home/username/.htpasswds/public_html/folder/passwd"
require valid-user
    
  • AuthType Basic: Specifies the standard HTTP authentication protocol.
  • AuthUserFile: The absolute path to the file containing the hashed credentials. Note that for security, cPanel stores this outside of your public_html.
  • require valid-user: Instructs the server to grant access only if the user provides credentials found in the AuthUserFile.

4. Troubleshooting and Edge Cases

  • 401 Unauthorized Error: This is the expected behavior for users without credentials. If you are entering the correct credentials and still seeing this, check if the AuthUserFile path in your .htaccess is accurate.
  • Conflict with Redirects: If you have "Force HTTPS" rules in your primary .htaccess, ensure they don't conflict with the Auth challenge. Because the Auth challenge usually triggers before mod_rewrite, the login prompt can appear on the HTTP URL before the redirect to HTTPS runs.
  • AJAX / API Issues: Basic Auth can break automated scripts or API calls to your site. You may need to whitelist specific IP addresses or use a more advanced authentication method for programmatic access.
  • Caching: Browsers cache Basic Auth credentials for the duration of the session. To "log out," you must close all instances of your browser.
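
A read-only check for the two failure points described above (an AuthUserFile path that is wrong or web-reachable, and weak hash formats in the passwd file), added here as an example and not part of the original guide or of cPanel's tooling. The function names, the sample passwd entries and the document root are assumptions constructed for illustration.

```python
import posixpath
import re

# Constructed sample input: the .htaccess block from this guide, plus a
# made-up passwd file whose hash bodies are filler (only the prefixes matter).
HTACCESS = '''AuthType Basic
AuthName "Private Staging Area"
AuthUserFile "/home/username/.htpasswds/public_html/folder/passwd"
require valid-user
'''
HTPASSWD = '''alice:$2y$05$FILLERFILLERFILLERFILLERFILLERFILLERFILLERFILLERFILL
bob:$apr1$fillsalt$FILLERFILLERFILLERFILL
carol:{SHA}FILLERFILLERFILLERFILLERFIL=
dave:ab0123456789.
'''
PREFIXES = {"$2y$": "bcrypt", "$apr1$": "apr1-md5", "{SHA}": "sha1"}
WEAK = {"sha1", "des-crypt", "unknown"}  # Apache's htpasswd docs call SHA1 and crypt insecure

def auth_user_file(htaccess_text):
    """Return the AuthUserFile path from an .htaccess body, or None."""
    m = re.search(r'^[ \t]*AuthUserFile[ \t]+"?([^"\r\n]+?)"?[ \t]*$',
                  htaccess_text, re.I | re.M)
    return m.group(1) if m else None

def scheme(field):
    """Classify one password field by the prefix or shape htpasswd writes."""
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des-crypt"
    return "unknown"  # possibly plaintext, or a format this check does not know

def audit(htaccess_text, htpasswd_text, docroot):
    """Return a list of findings for one protected directory."""
    findings, root = [], posixpath.normpath(docroot)
    path = auth_user_file(htaccess_text)
    if path is None or not posixpath.isabs(path):
        findings.append("AuthUserFile missing or not an absolute path")
    elif posixpath.commonpath([posixpath.normpath(path), root]) == root:
        # Compare path components, not substrings: cPanel's own location
        # contains "public_html" yet sits outside the served tree.
        findings.append("AuthUserFile is inside the document root")
    for line in htpasswd_text.splitlines():
        user, sep, field = line.strip().partition(":")
        if sep and scheme(field) in WEAK:
            findings.append(f"{user}: {scheme(field)} hash")
    return findings
```

Calling `audit(HTACCESS, HTPASSWD, "/home/username/public_html")` on the sample reports only the SHA1 and crypt entries; the cPanel-style path is accepted because it lies outside the served tree.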

Security Note: Basic Auth sends credentials in plain text unless the connection is encrypted. Always ensure your site is running over HTTPS before using Directory Privacy.
