TutorialsISPConfig

Blocking or password protecting a directory in ISPConfig

Learn how to block or password protect a directory in ISPConfig, following the necessary steps to secure your data. Detailed tutorial available here.

1
Views 328Updated 3 luniPublished on 28/11/2022by Ştefan Tracsek

How to block or password-protect a directory in ISPConfig

Quick file protection with username and password, directly from the ISPConfig panel.

If you have a folder with sensitive files (backups, administration zones, reports, exports), the simplest way to prevent unauthorized access is to protect it with username + password authentication. In ISPConfig you can do this without manually editing server files, using the Protected Folder feature.

Table of Contents

Requirements and Things to Know

  • You have access to the ISPConfig panel and the website (domain) you want to protect.
  • The website is hosted on a server where ISPConfig manages the web configuration (Apache and/or Nginx).
  • You know the path of the folder you want to protect (for example /public_html/admin or /public_html/private).
Note: Password protection is ideal for folders that should not be publicly indexed. If the folder contains resources needed by the public (images/CSS/JS), the site may appear "broken" after activating the protection.

Recommended method: Protected Folder in ISPConfig

ISPConfig allows you to define a protected folder for a specific website. Depending on the version/theme, the options may appear in the form of a tab or sub-menu called Protected Folder / Folder Protection.

Step 1: Identify the correct website

  1. Log in to ISPConfig.
  2. Go to the Sites menu.
  3. Enter the Website and select the desired domain.

Step 2: Add a protected folder

  1. On the website page, look for the section/tab Protected Folder (or a similar menu).
  2. Click Add new Protected Folder.
  3. Fill in the fields (the names may differ slightly):
    • Folder / Path: the relative path of the folder, for example /admin or /private.
    • Active: check/enable protection.
    • Title / Realm (optional): a name displayed in the authentication window, for example Protected area.
  4. Save the settings.
Tip: If you are unsure of the path, check the structure in the File Manager (if you have one) or via SSH. Most often, the public directory is public_html, and the folders inside are placed as /folder-name.

Creating the user and password

A protected folder requires at least one user. In ISPConfig, there is usually a separate section for Protected Folder Users (or similar).

  1. In Sites search for Protected Folder Users.
  2. Click Add new User.
  3. Complete:
    • Username: example admin or ciprian
    • Password: choose a strong password (minimum 12-16 characters, mix of letters/numbers/symbols)
    • Protected Folder: select the folder created in the previous step
    • Active: active
  4. Save.
Warning: Avoid short or reused passwords. Basic Auth can be secure if the site uses HTTPS. Without HTTPS, data can be intercepted.

Testing and Verification

  1. Access the protected folder in the browser, for example https://domeniu.tld/admin/.
  2. A window should appear asking for username and password.
  3. Enter the created credentials and confirm access.

If the authentication prompt does not appear, check the "Frequently Asked Questions" section below.

Alternative: manual protection with .htaccess

If you prefer manual control (or cannot find the option in ISPConfig), you can protect a folder with .htaccess and a password file .htpasswd. The method works in the classic way on Apache.

Note: In many ISPConfig configurations, manual changes may be overwritten during regenerations. The recommendation is to use the options from the panel when available.

Example of .htaccess (in the protected folder)

AuthType BasicAuthName "Protected Area"AuthUserFile /var/www/clients/clientX/webY/.htpasswdRequire valid-user

Creating the .htpasswd file

On the server, you can create a user in .htpasswd with the command (example):

htpasswd -c /var/www/clients/clientX/webY/.htpasswd admin

The -c parameter creates the file. For additional users, run without -c.

Frequently Asked Questions

1) The login window does not appear

  • Check if the protected folder is Active.
  • Make sure the user is associated with the correct folder.
  • If you are using Nginx, authentication requires specific configuration (auth_basic) and may depend on the ISPConfig template.
  • Clear your browser's cache or test in Incognito.

2) You receive 403 Forbidden after authentication

  • Incorrect permissions on files/folders (rights and owner).
  • The index file is missing (for example, index.php or index.html does not exist and directory listing is disabled).

3) The site "breaks" after protection

  • You have protected a folder that contains public resources (CSS/JS/images) necessary for the pages.
  • Solution: only protect the sensitive subfolder (e.g.: /admin) and not the assets folder.
 

Done, now your folder has a barrier at the entrance, like an exclusive club. If you want, you can tell me the structure of the site (which folder you want to protect and whether it's Apache or Nginx) and I'll give you the cleanest version, without surprises.

If you run a managed VPS or need help with web settings, the support team can quickly check the server configuration and apply security protection.

Similar Articles

Configuring PHP directives in cPanel on VPS hosting packages using MultiPHP INI EditorTutorials /cPanel

This article describes the steps necessary to configure PHP directives on VPS hosting packages using MultiPHP INI Editor.

3
by Sebastian Szlivka
Views 1104
Updated 1 year ago
Published on 26/10/2017
Adding a Website type domain in the ISPConfig control panel.Tutorials /ISPConfig

In this article, we will present the necessary steps to add a Website type domain (main domain) in the ISPConfig control panel.

1
by Eduard Konievic
Views 1043
Updated 3 years ago
Published on 01/11/2022
Setting up a Catchall filter for a domain in the ISPConfig control panel.Tutorials /ISPConfig

This tutorial will present the necessary steps to set up a Catchall filter that will redirect all messages sent to a nonexistent email inbox to another inbox.

1
by Alexandru Jurca
Views 584
Updated 1 year ago
Published on 29/11/2022
Adding a TXT record in the ISPconfig control panel.Tutorials /ISPConfig

In this tutorial, we will present the steps necessary for adding a TXT type DNS record in the ISPConfig control panel.

by Florin Petran
Views 1976
Updated 1 year ago
Published on 22/11/2022
Adding a Subdomain for Website in the ISPConfig control panel.Tutorials /ISPConfig

This article will present the necessary steps for adding a Subdomain for Website, which will load the content of a Website type domain in the ISPConfig control panel.

by Eduard Konievic
Views 1358
Updated 3 years ago
Published on 04/11/2022
CornerCorner