Any vulnerabilities in using .htaccess for password protection?

Is it possible for someone to 'hack' their way in...

     
9:07 pm on Dec 10, 2003 (gmt 0)

New User

10+ Year Member

joined:Nov 21, 2003
posts:13
votes: 0


In using .htaccess to password protect a file or directory, are there any known vulnerabilities that would allow someone to bypass the login?

Setting up .htaccess to secure a site just seems so easy, and so I would suspect that it wouldn't be any harder of a task for someone to 'hack' their way in and bypass whatever security precautions you have set in place.

Am I correct? If so, what can be done about this?

4:34 am on Dec 11, 2003 (gmt 0)

Senior Member

jdmorgan

joined:Mar 31, 2002
posts:25430
votes: 0


Synthetic,

I'm no security expert, but look out for these basics:

  • .htaccess must be inaccessible from HTTP. In other words, disallow web-access of .htaccess itself.
  • Do not keep the .htpasswd file in the directory that it protects.
  • Do not allow anonymous ftp on the site. Otherwise, ftp is a 'back-door' through which your .htaccess and .htpasswd files can be examined.

    Apache Authorization [httpd.apache.org]
    Apache security [httpd.apache.org]

    Jim
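An added example, not part of the original posts: a small audit script for the second point in the list above. It walks a web root, reads each .htaccess, and reports any AuthUserFile or AuthGroupFile that sits in the directory it protects or elsewhere under the web root. The function names, finding labels and sample tree are assumptions made up for this illustration.

```python
import os
import re
import tempfile

# AuthUserFile / AuthGroupFile directives; commented-out lines do not match.
AUTH_FILE_RE = re.compile(
    r'^[ \t]*Auth(?:User|Group)File[ \t]+"?([^"\r\n]+?)"?[ \t]*\r?$',
    re.IGNORECASE | re.MULTILINE)

def _inside(path, parent):
    return os.path.commonpath([path, parent]) == parent

def audit_docroot(docroot):
    """Return sorted (protected_dir, auth_file, finding) tuples for a web root."""
    docroot = os.path.realpath(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
            text = fh.read()
        for match in AUTH_FILE_RE.finditer(text):
            target = match.group(1)
            if not os.path.isabs(target):
                # Apache resolves relative paths against ServerRoot (unknown here).
                findings.append((dirpath, target, "relative-path"))
                continue
            real = os.path.realpath(target)
            if _inside(real, dirpath):
                findings.append((dirpath, real, "in-protected-dir"))
            elif _inside(real, docroot):
                findings.append((dirpath, real, "inside-docroot"))
    return sorted(findings)

def demo():
    """Constructed sample tree: three protected directories, one set up safely."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "htdocs")
        layout = {"private": os.path.join(docroot, "private", ".htpasswd"),
                  "members": os.path.join(docroot, ".htpasswd"),
                  "admin": os.path.join(tmp, "auth", ".htpasswd")}
        for name, pwfile in layout.items():
            os.makedirs(os.path.join(docroot, name))
            with open(os.path.join(docroot, name, ".htaccess"), "w") as fh:
                fh.write('AuthType Basic\nAuthName "Restricted"\n'
                         f'AuthUserFile "{pwfile}"\nRequire valid-user\n')
        return [(os.path.basename(d), kind) for d, _f, kind in audit_docroot(docroot)]

if __name__ == "__main__":
    print(demo())
```

A directory whose password file lives outside the web root (the constructed "admin" case) produces no finding; relative paths are reported separately because they depend on the server's ServerRoot.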
