What is an Htpasswd File?
An .htpasswd file is a flat-text database used by Apache and Nginx web servers to store usernames and hashed passwords for HTTP Basic Authentication. When combined with a .htaccess file, it lets you password-protect any folder, admin panel, staging site, or cPanel directory — without any database or CMS plugin.
This is one of the most widely used security techniques for web hosting in India — especially on shared hosting providers like Hostinger, BigRock, GoDaddy India, and Bluehost India, all of which run Apache with cPanel. If you want to lock down your WordPress admin (/wp-admin/), a client staging site, or a private download folder, generating a secure .htpasswd entry is the fastest way to do it.
🔐
Bcrypt — Best Choice
Adaptive hashing with a built-in cost factor. Extremely resistant to brute-force attacks. Use this for all new setups on Apache 2.4+ or Nginx.
⚠️
Apache MD5 ($apr1$)
Salted MD5 variant specific to Apache. Compatible with virtually all cPanel hosts. Better than plain MD5 but weaker than Bcrypt.
🚫
SHA-1 — Legacy Only
Supported everywhere but cryptographically broken. Only use if your hosting environment forces it — switch to Bcrypt whenever possible.
🛡️
100% Private
All hashing happens in your browser using open-source JavaScript libraries. Your username and password never leave your device.
How to Use the Generated .htpasswd Entry
Step 1: Generate your entry above and copy it. Step 2: Create (or edit) a file named .htpasswd in a private directory on your server — not inside your public web root. Paste the entry as a new line. Step 3: In your .htaccess file inside the folder you want to protect, add the snippet shown above — update the AuthUserFile path to match where you saved your .htpasswd file. Step 4: Save both files. Test by visiting the folder in your browser — a login prompt should appear immediately.
For WordPress users specifically, adding HTTP Basic Auth in front of /wp-admin/ is one of the most effective ways to block automated brute-force login attacks — it stops bots before they even reach the WordPress login page.
Frequently Asked Questions
What is an .htpasswd file and why do I need it?+
An .htpasswd file stores usernames and hashed passwords used by Apache or Nginx to restrict access to folders or pages via HTTP Basic Authentication. You need it any time you want to password-protect a directory — such as a staging site, admin panel, or private download area — without installing a plugin or modifying application code.
Which hash algorithm should I choose?+
Always choose Bcrypt if your server supports Apache 2.4 or later (most modern shared hosts do). Bcrypt is adaptive — it's designed to be slow and computationally expensive, making brute-force attacks impractical. Use Apache MD5 ($apr1$) only for older setups. Avoid SHA-1 unless absolutely required — it is cryptographically broken.
Where should I save the .htpasswd file?+
Save it outside your public web root — for example at /home/username/.htpasswd rather than /public_html/.htpasswd. If placed inside the public web root, someone could potentially download it. On cPanel hosting, the home directory above public_html is the correct location.
Can I add multiple users to one .htpasswd file?+
Yes. Each line in the .htpasswd file represents one user in the format username:hashedpassword. Generate an entry for each user using this tool and append each line to the same .htpasswd file. All users listed in that file will be able to log in.
Does this tool send my password to any server?+
No — never. All hashing is performed entirely in your browser using open-source JavaScript libraries (bcryptjs for Bcrypt, pure-JS implementations for MD5 and SHA-1). Your username and password are never transmitted to any server, never logged, and never stored anywhere.
Will this work on cPanel hosting in India?+
Yes. cPanel uses Apache, and all major Indian hosting providers — Hostinger India, BigRock, GoDaddy India, Bluehost India, MilesWeb — support .htpasswd authentication. Use the Apache MD5 format for maximum compatibility, or Bcrypt if your cPanel version runs Apache 2.4+.