A Simple PHP .htpasswd Manager

Sometimes simplicity is also convenient, and in the case of authentication on the most popular web server, Apache, .htpasswd fits the bill

You may opt for a PHP/MySQL login which in itself is simple enough, but requires the availability of MySQL. If you are on a cheap shared host, MySQL may not be available or is available for a fee.

About .htpasswd

.htpasswd can allow you to authenticate users and restrict access to particular areas of your site. Usernames and passwords are stored in a plain text file with passwords encrypted, while the default setup for Apache ‘hides’ .htpasswd from direct viewing because the filename begins with a period. To enable .htpasswd, you must declare in .htaccess (or apache2.conf) that a particular directory requires authentication, and indicate what file contains your username and password combinations.

An example .htaccess file indicating that /adminarea/ requires authentication, that should reside in the same folder you require authentication for. Note that the path you reference to the .htpasswd file must be an absolute path:

And an example .htpasswd file that will reside at /var/www/adminarea/.htpasswd for the purposes of this example

Managing .htpasswd

Because some shared hosts restrict your available tools and access, it is sometimes helpful to have a PHP script that can manage your .htpasswd file when you are unable to use the command line. If SSH is disabled or command line execution is forbidden, as is often the case on shared hosts, your only other current option is to manage htpasswd via an admin area such as CPanel, which can be slow and inefficient. With this in hand, you may find the following script of interest.

This class will add users, delete users, check if users exists and update existing user’s passwords…

This gives you some basic examples to work with:

Summary of .htpasswd Class

Before running, ensure you have your .htaccess and .htpasswd files created already, .htpasswd can be left blank.

$htpasswd->htpasswd('/var/www/adminarea/.htpasswd'); – Upon initiating the class, A file pointer is created, as all the functions require reading and writing to the file

$htpasswd->user_exists($username) – Accepts the $username variable and reads .htpasswd line by line until a username within it matches $username. Returns false if $username is not matched.

$htpasswd->user_add($username,$password) – Accepts $username and $password and checks whether the user already exists. If not, $username nad $password is written to a newline at the end of the .htpasswd file.

$htpasswd->user_delete($username) – Deletes $username from the .htpasswd file. The file is iterated through line by line and a string is built containing all the details minus $username’s credentials. The resulting string is then written to .htpasswd, effectively deleting $username’s account.

$htpasswd->user_update($username,$password) – Updates $password for $username. The file is read line by line until $username is matched, after which the password is then updated. The function will return false is the username is not found.

12 Replies to “A Simple PHP .htpasswd Manager”

  1. Your php password manager code sample is much more clear and concise than other similar things I’ve found. Finding this enabled me to overcome some obstacles I’ve been facing in trying to build a PHP password manager. Is it possible to get your permission to use parts of your sample code in my project?

  2. Hello Richard.
    I agree with the Tom his statement, the script is easy to understand. What I unfortunately still lacking is a verification password. Do you have any idea how to fix that?

  3. Hey, I’m working on mostly JS and HTML website, but some parts (backend) need to be written in PHP. I’m manipulating .htpasswd file, but I also need to be able to manage groups, in .htgroups. Would you help me in making that? I’m pretty new in PHP, this is actually my first project, that contains PHP code.


  4. Thanks for building this. I found issues with the fact that many of the “\n” newline characters are “n” in the code above. Once I fixed those issues your code worked great.

    1. Hi Brian,

      I updated a bunch of code when migrating this site to new hosting, hopefully I corrected that particular error. Some of it was old code that used to get deprecated rather than error messages not so long ago.

      Thanks for letting me know.

      1. Hi Richard,

        I have the same issue that Bryan and unfortunately, the correction you made didn’t correct this so if you have any idea why..

        Thanks !

  5. Hello again,

    I truly appreciate this post.

    thanks to this, I was able to build my own object for my LAMP framework allowing for HTACCESS user / password maintenance.

  6. For more recent versions of Apache, the passwords are no longer stored like in this code. The passwords are instead generated by a salted MD5 hash with the salt and the hashed password stored after the username in the format: username:$salt$hashed_password

    So, the two functions which take a password need to take an optional 3rd parameter, which is the salt. If the salt’s provided, use the new method, otherwise use the old (which I wouldn’t recommend any longer anyway, it’s not secure enough given modern password cracker software).

Leave a Reply

Your email address will not be published. Required fields are marked *