1. Home
  2. Forums Index
  3. Server Side / Apache Web Server 12:54 pm May 1, 2026

Forum Moderators: phranque

Message Too Old, No Replies

Any vulnerabilities in using .htaccess for password protection?

Is it possible for someone to 'hack' there way in...

         

Synthetic

9:07 pm on Dec 10, 2003 (gmt 0)

10+ Year Member



In using .htaccess to password protect a file or directory, are there any known vulnerabilities that would allow someone to bypass the login?

Setting up .htaccess to secure a site just seems so easy, and so I would suspect that it wouldn't be any harder of a task for someone to 'hack' there way in and bypass whatever security precautions you have set in place.

Am I correct? If so, what can be done about this?

jdMorgan

4:34 am on Dec 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Synthetic,

I'm no security expert, but look out for these basics:

  • .htaccess must be inaccessible from HTTP. In other words, disallow web-access of .htaccess itself.
  • Do not keep the .htpasswd file in the directory that it protects.
  • Do not allow anonymous ftp on the site. Otherwise, ftp is a 'back-door' throught which your .htaccess and .htpasswd files can be examined.

    Apache Authorization [httpd.apache.org]
    Apache security [httpd.apache.org]

    Jim

    •  

    Join The Conversation

    Moderators and Top Contributors

    Hot Threads This Week

    1. Home
    2. Forums Index
    3. Server Side / Apache Web Server 12:54 pm May 1, 2026