I am using the Directory Privacy utility to establish password protection for my site. It creates the .htaccess and .htpasswd files and places them in the main directory under “htdocs.”
I know the .htaccess file must be there, but all the advice I get is to not locate the .htpasswd file in a directory that can be accessed by a site visitor.
The problem is that I cannot move or recreate the .htpasswd file anywhere else. If I try to create or copy a file into the root level that I have access to via the file manager (the level just above the “htdocs”) I get error messages.
Two questions:

  1. Is it true that my site is much less secure from unauthorized access if the .htpasswd file is accessible at the same level as the .htaccess file?
  2. If so, how do I locate that file elsewhere?

I can’t think of any legitimate reason why this would be the case. The web server recognizes that .htaccess files and .htpasswd files are internal, and doesn’t serve them to visitors. Other webservers may not use these files, but if they have been configured correctly, they shouldn’t serve these files either.

You cannot upload files outside of your website directories on free hosting. So you can’t do that.
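One way to confirm the behaviour described above on your own site is to request `/.htpasswd` and look at what comes back. The sketch below is an added example, not part of the original posts: the function names and sample responses are constructed for illustration, and it only classifies a status code and body you have already fetched.

```python
import re

# Hash prefixes used in htpasswd entries: apr1 (MD5), bcrypt, {SHA}, SHA-crypt.
# Old 13-character crypt() entries have no prefix and are not detected here.
_HASH_PREFIX = re.compile(r"^(\$apr1\$|\$2[aby]\$|\{SHA\}|\$5\$|\$6\$)")


def looks_like_htpasswd(body: str) -> bool:
    """Return True if any line has the user:hash shape of an htpasswd entry."""
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, secret = line.partition(":")
        if sep and user and " " not in user and _HASH_PREFIX.match(secret):
            return True
    return False


def classify(status: int, body: str) -> str:
    """Classify the response to a request for /.htpasswd on your own site."""
    if status == 200 and looks_like_htpasswd(body):
        return "EXPOSED"   # the server handed out the credential file
    if status in (401, 403, 404):
        return "blocked"   # password prompt, forbidden, or not found
    return "review"        # e.g. a 200 with a custom error page; check by hand


# Constructed sample responses (not real hashes or real server output).
SAMPLES = [
    (403, "<h1>Forbidden</h1>"),
    (401, "Authorization Required"),
    (200, "alice:$apr1$constructed$notARealHashValue00000\n"),
    (200, "<html>Welcome: this is a custom error page</html>"),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, classify(status, body))
```

A result of `blocked` matches what the replies describe; `EXPOSED` means the file should be treated as leaked and its passwords changed.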


Thank you for your response. I understand that I can’t put the file elsewhere and that the server understands not to serve that file. But here is an example of many similar that I’ve seen that advise not to put the .htpasswd file in that location. One of the people said it was like owning a very secure safe but taping the key to the safe on the door of the safe.

No need to reply, I just thought I would relay the above to you.

  1. If a user asks for .htpasswd, they’ll be asked for a password. Perfect catch-22.

