This article describes how to restrict access to your website entirely or partly on the following platforms:

Windows 2003

To restrict access to your website:

  1. Navigate to HostPilot® Control Panel > Web/FTP Server > Web Server > Settings and Permissions > Web Server Settings

  2. Click Select a Directory, select a desired folder, then wait until you see the directory opened and click Select button
  3. Under User/File level permissions section, select the directory you want to password-protect. Set Anonymous permissions to None.
  4. Under Web Server Settings, un-check Allow Anonymous Access. Disabling this option will cause password prompt pop-up for this directory regardless of anonymous user permissions level
  5. Click Save Changes button.

No matter which method you use to password-protect your directory, you should always test to make sure it works.

Note: If you have FrontPage 2000/2002 extensions installed, follow the guidelines of the Knowledge Base article on How Do I Restrict Access To My Site Using FrontPage?.

Windows 2008

There are two options for restricting access to your website, depending on whether you want all users or only certain users to be able to access certain directories.

a) To restrict access to certain directories on your website and only allow certain site users to view or edit them:

  1. Create a new user (or several users) who will have access to the restricted area on the site.
  2. Go to Access Permissions and select the folder that you need to restrict access to (all the sub-folders of the selected folder will inherit the same access restrictions).
  3. Set Anonymous user access to Deny.
  4. Make sure the user(s) you created have Read (or Read\Write) permissions in the Allow state.
  5. Click Save Changes button.

b) To restrict access to certain directories on your website but allow all site users to view or edit them:

Although it is possible to allow all users to access the same restricted folder using the first option described above, you can also achieve the same results by modifying access permissions for the AllUsers group.

  1. Follow the steps 1 through 3 above.
  2. Click Switch to Group permissions button.
  3. Set Read (or Read\Write) access to Allow for the AllUsers group.
  4. Click Save Changes button.

Now all the users created on the account will automatically gain access to the restricted area you have specified.

Note: If you have adjusted permissions for users and groups, but do not receive the password prompt when browsing to the protected area, you may need to connect to your web server with IIS Remote Manager and make sure that Basic Authentication is enabled in the IIS > Authentication applet.


To password protect a directory, two files should be created in this directory:

a) .htpasswd, holding user names and encrypted passwords information

When a user tries to access a password protected directory, it prompts for a user name and password. In order to determine whether a username/password combination supplied by the user is valid, it is compared with the authoritative listing of usernames and password. This listing is stored in a file, which you need to create on the server. This file is called .htpasswd. We offer a Wizard to help you creating .htpasswd file in HostPilot > Linux > Apache Server > Manage Web Passwords.

 First, you need to select a directory you want to password protect and select an Encryption method that will be used to encrypt passwords in .htpasswd file from the following list:

  • CRYPT encryption of the password (default); <Type: Basic>
  • MD5 encryption of the password; <Type: Basic>

To create/delete users' logins and passwords you need to click on the Edit button for an appropriate .htpasswd file.

Note: It is possible to rename .htpasswd file or create it manually with a different name, but it is recommended that the file name begins with .ht, because by default Apache servers are configured to not allow anyone to download files starting with .ht.

b) .htaccess to tell Apache to use .htpasswd file, the path to the file and specify Authentication Type used in .htpasswd.

Once you have created .htpasswd password file holding user name and password information, you need to tell Apache to use this .htpasswd file in order to require user credentials to access. This is where you need .htaccess file. To accomplish directory password-protect task, you need to place the below directives in an .htaccess file in the directory that is being protected:



Authentication type being used. In case you password protect directories using HostPilot Wizard, please set AuthType to 'Basic';



The authentication realm or name, that will be displayed in the password pop-up box, where the user will have to type their credentials. Multiple words require quotes;



The location of the password file that should specify a complete path to .htpasswd file (starting with: /imedia/users/username/htdocs/…/.htpasswd), where "username" is a name of the account you have with Intermedia;



The location of the group file, if any, that should specify a complete path to .htgroup file, if you are using it (not required);



Describes the requirement(s), which must be satisfied in order to grant admission. This can be used for various directives, for example allowing specific type of access (READ, GET, POST) or limit access to specific users or groups.

Note: .htaccess file should be created in the directory you want to password protect and once .htaccess file has been placed in a directory, everything in that directory (including all subdirectories and their contents) will be protected.

A simple .htaccess file may look like:

AuthType Basic

AuthName "By Invitation Only"

AuthUserFile /imedia/users/username/htdocs/dir_name/.htpasswd

<Limit GET POST>

require valid-user


In this example <Limit GET POST> specifies that the limits will be set on GET's and POST's. require valid-user will set area restrictions such that the user must have a valid login.
HTTP Read access will not require username and password.

Note: An .htaccess file is a text file containing Apache directives controlling directory setting. Those directives apply to the documents in the directory where the .htaccess file is located, and to all subdirectories under it as well. So, if you need to make one directory password protected and a subdirectory under this directory – not, you need to place an additional .htaccess file in this subdirectory overwriting settings for the directory above. In other words, than Apache does not find the .htaccess (or other files with directives) for any particular directory, it looks for it in a directory one level above. If the file is not there, it looks again in above directory, and so on. Thus, if needed, you can have one .htpasswd file created and refer to it from .htaccess files located in different directories.

For more details on authentication please refer to Apache documentation on Authentication and Authorization.