Password-Protecting a Directory
Directory Privacy lets you put a username-and-password gate in front of any folder on your site. Visitors must sign in before the browser will show anything inside. It's a quick way to lock down a staging area, an admin folder, or private downloads.
What Directory Privacy Does
When you protect a folder, the web server prompts every visitor for credentials before serving any file in it. Only the users you create can get through. Nothing inside the folder is exposed to search engines or the public until someone signs in.
Protecting a Folder
- Log into cPanel.
- Go to Files → Directory Privacy.
- Browse to and click the folder you want to protect.
- Check Password protect this directory.
- Enter a label (for example,
Staging Area). This text appears in the browser's login prompt. - Click Save.
Creating an Authorized User
Protecting the folder is only half the job — you also need at least one login:
- On the same page, scroll to Create User.
- Enter a username and a strong password (use Generate for a random one).
- Click Save.
How It Works Behind the Scenes
Directory Privacy uses two small files that cPanel writes into the protected folder:
.htaccess— tells Apache to require HTTP authentication for that folder and everything below it..htpasswd— stores the authorized usernames and their hashed passwords.
Together they trigger the standard browser login box (HTTP Basic authentication). You don't need to edit these files by hand; cPanel manages them for you.
Good Use Cases
- A staging area where you preview site changes before they go live.
- An admin folder or internal tool you don't want the public to find.
- Private downloads, drafts, or client deliverables meant for a specific audience.
Removing Protection
- Return to Files → Directory Privacy and select the folder.
- Uncheck Password protect this directory.
- Click Save.
.htaccess can cause a Forbidden error. Our 403 Error guide explains how to track down and fix the cause.