How to Add Password Protection for a Directory Using cPanel

At times, you may find it best practice to password protect a folder on your account. This can add an extra layer of protection to files you do not want the general public to have access to. Password protecting a directory can be easily accomplished using the option within cPanel. In this guide, you can learn how to add and remove password protection on a directory, using cPanel.

How Does Password Protection Work?

It is important to understand how password protection on a folder works. When you choose to password protect a directory in cPanel, cPanel creates a rule in your .htaccess file. This rule specifies that the folder is protected and the visitor will need to provide the proper username and password to log in and view the files within it.

Don’t have time to read our full article? Watch our walk-through video.

Add Password Protection

  1. Log into cPanel.
  2. Go to the Files section and click on the Directory Privacy icon.
    cPanel Files section displayed with Directory Privacy icon highlighted
  3. Select the directory you want to password protect and then you will see the Set permissions for “/home/exampl3/directory/” screen appear.
    Set permissions for directory screen displaying directory listing with public_html directory highlighted as selection.
  4. Click on the checkbox labeled “Password protect this directory:“.
  5. Type a name for the folder you are trying to protect in the field labeled “Enter a name for the protected directory:“.
    Security Settings displayed with checkbox and name fields highlighted and filled in.
  6. Click the Save button to save the name you have entered for the directory and option to password protect the directory.
    Security Settings displayed with Save button highlighted.
  7. Create a user to grant access to the protected directory by typing the credentials into the Username, New Password and Confirm Password fields.
  8. Click Save in order to save the credentials that you have entered.

    Create User section displayed with Save button highlighted.

Remove Password Protection

The steps to remove password protection on a directory are fairly quick and simple. One reason you might want to password protect a directory and then remove the protection is for testing purposes. Or, if you are finally ready to make the folder open to the public, then you can remove the password protection so that everyone can access the files in the directory. The instructions below are the steps for removing the password protection.

  1. Log into your cPanel.
  2. Scroll down to the Files section in your cPanel and then click the Directory Privacy icon.
  3. Select the directory from the list of folders that you want to remove password protection for. The directory should appear with a lock in front of it if it is currently password protected.
  4. Uncheck the box that says “Password protect this directory“.
  5. Finally, click the Save button.

If you have further questions or need further assistance please feel free to contact our Live Technical Support.

16 thoughts on “How to Add Password Protection for a Directory Using cPanel

    1. Hello EM – in general the credentials needed for access are based on a username and then a password. This allows for the identification of the access. Additionally, if two-factor authentication is added, then the authentication is configured on the user. There are options for SSO (single sign on), but it depends on the software that you are using.

  1. When I password protect a directory that contains some files that I include in php via “require(‘/protected_directory/filename.php’)”? Will this still work? I.e., does the server still have access to those files?

  2. Confusion arises because there are two Save buttons in the Directory Privacy dialog, that don’t do the same thing. The first is to protect the directory, Yes/No. You MUST save this after checking the box. The second Save is to commit a user name and password. If you (as I often have) clicked the second Save, assuming the buttons are duplicates that cover both tasks, that’s probably the source of the problem.

  3. Ronnie, I believe you’re talking about the padlock that appears in the Location box of the browser, while Jim is talking about the padlock that appears in the cPanel Directory Privacy dialog, next to each directory name in the tree, which has two states: either a folder icon or padlock. You can have some directories that are protected and some unprotected, and yes that cPanel padlock indicates that status. Whereas the padlock in the Location bar would be the same over all directories in the domain/subdomain covered by the SSL certificate. There’s a chance I’m wrong but it’s a small chance. I’ll bet 10 bucks.

    I’m having a problem with this: users are prompted for the username/password, enter them, and get an error. Then repeat and it goes through the second time. It happens often enough that I know it’s not a mistyping issue. I thought it might be that the parent folder is protected too, but that’s not the case.

    1. Hello Val – this really depends on if you WANT people to be able to access the file. If you don’t then the best way is to prevent access of this nature using .htaccess code. We have a tutorial called How to prevent access to multiple file types in htaccess. This will allow users to view the file only if you intend for the file to be viewed in a browser. Let us know if you continue to require assistance with this issue. If you use this option, make sure to remove the changes you made in the File Manager. That type of file protection won’t be necessary after the .htaccess change is made.

  4. No. I had success with password protecting at least one directory — but no success with password protecting other directories.

    Ronnie said: The padlock is normally associated with HTTPS/sites secured with SSLs, not password protection.

    What is this “normally”. It either is or it isn’t. The directories that I did password protect shows the padlock.

    1. Hey Jim! What a padlock represents varies from one browser to another. On Chrome and many other popular browsers, the padlock is going to show that a site is secured with HTTPS and has nothing to do with directory passwords. That can be changed with certain browser configurations (and may even mean something different for other browsers), so that’s what I meant by ‘usually.’

      If you’re only able to password protect one directory, it’s likely that there is some conflict between the .htaccess files of the directories it is not working for– especially if the directories are nested within each other. You’ll need to take a look at code in the individual .htaccess files for each directory to find out what is causing the conflict.

  5. I followed steps but directory still not protected, no lock showing either. Does it take time for server cache to clear for client requests?

    1. Depending on your DNS settings, and if you are using a CMS, it may be a caching issue. If you’re on an NGINX/WordPress specific server, ogclear/purge the NGINX cache. The padlock is normally associated with HTTPS/sites secured with SSLs, not password protection. You would need to enable that separately. Also, be sure that cPanel is selecting the directory you want to password protect and not creating a sub-directory within the one you thought you selected– the directory interface can be a bit counterintuitive in that regard sometimes!

    1. When you add the password protection, the additional Directory Name is just something to help you keep track of new password protections you are implementing.

Was this article helpful? Join the conversation!

Questions about our MailChannels Deployment? We have answers and are here to help!Learn More
+