.htaccess

Hello,

I’m just finishing up my first site and want to give site security a lot of thought before going live. My first question, then, is how to keep certain folders from being seen by anyone; in these folders I have config files with database passwords. I just noticed that upon creating a phpAdmin database backup, my host (GoDaddy) put the backup in a folder that it created with a file named

.htaccess

The contents of the file were:

AuthType Basic
AuthName "User Backups"
AuthUserFile /home/content/a/b/c/html/stats/.statspwd
require valid-user
Options +Indexes

From a bit of web reading, is it true that if I put this file in any folder then nobody can access it? What exactly is the file doing?

Thanks so much,

Eric

That particular code will present a username/password screen to anyone who visits the directory (or any subdirectory within that directory) where the .htaccess resides.
The username/password combinations are stored in the file /home/content/a/b/c/html/stats/.statspwd

Normally for directories containing config files etc you’d just want to deny access to anyone, which you can do with the following .htaccess:


deny from all

Yes, it’s that simple :slight_smile:

PS. Even better would be to put the config files in a directory outside the public html directory, but not all hosts allow this.
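As an added example (not the host’s file quoted above and not the reply’s own snippet), here is a deny-everything .htaccess that works on both Apache 2.2 and 2.4. The `deny from all` form is the 2.2 syntax; on 2.4 it only works while the compatibility module mod_access_compat is loaded, and the native directive is `Require all denied`. The comments about `AllowOverride` describe what the server configuration must permit for each directive; if it does not, Apache either ignores the file or returns a 500, so check that a request for a file in the directory actually gets a 403 after you drop this in.

```apache
# .htaccess for a directory that must never be served over the web
# (e.g. one holding config files with database passwords).
# Added example; not the file the host created in the thread.

# Apache 2.4 (mod_authz_core). Requires "AllowOverride AuthConfig" (or All)
# in the server config; if that is missing, this block is silently ignored.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2, or 2.4 with mod_access_compat (the form given in the reply).
# "Order allow,deny" makes Deny win over any stray Allow that is added later.
# Requires "AllowOverride Limit".
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>

# The host's file turned directory listing ON with "Options +Indexes".
# Turn it off so a later loosening of access never exposes a file list.
# Requires "AllowOverride Options"; without it Apache answers 500 instead
# (still not served, but worth knowing when you test).
Options -Indexes
```

To verify, request any file in the directory (for example with `curl -I`) and confirm the status is 403 rather than 200 or 500; a 500 means one of the directives above is not allowed in .htaccess on this host, and a 200 means .htaccess files are not being processed at all.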

Thanks so much for the quick reply. And just to clarify then, the folder with the “deny all” .htaccess will not allow anyone to get in to any of the files?

Also, why would it be “better” to move them from the public directory? :slight_smile:

In other words, just how secure is my .htaccess folder?

Thanks again,

Eric

The folder with the “deny all” will indeed lock everyone out.

I personally think it’s better to have the directory with configs etc. out of the public directory because that way it’s not accessible by anyone browsing your website, period. If you ever remove that .htaccess or the server goes bonkers and doesn’t process .htaccess files the way it should, the directory is wide open.

Then again, this is probably more a mild form of paranoia than anything else, but if you have the option to put files outside the public directory I’d take it :slight_smile:
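The following is an added example of the server-side configuration (httpd.conf or a virtual host file, not a .htaccess) that makes the "outside the public directory" layout explicit; it is not from the thread or the host. The document root `/home/content/a/b/c/html` is the path visible in the quoted `AuthUserFile`; the sibling `private` directory, the `config.php` name and the PHP `require` line are assumptions for illustration. Files outside `DocumentRoot` are unreachable by URL whether or not any .htaccess exists, which is exactly the failure mode the reply describes; the blocks below add a second layer for the password file kept under the docroot and limit which .htaccess directives the server will honour.

```apache
# Added example for the server config, not the thread's .htaccess.
# Assumed layout (hypothetical):
#   /home/content/a/b/c/html     <- DocumentRoot, served over the web
#   /home/content/a/b/c/private  <- config files; no URL maps here
# Application code reads the config from disk with a relative path, e.g. PHP:
#   require dirname(__DIR__) . '/private/config.php';

DocumentRoot "/home/content/a/b/c/html"

# Defence in depth: even if an Alias is ever added, the private tree stays closed.
<Directory "/home/content/a/b/c/private">
    Require all denied
</Directory>

# The stock httpd.conf only blocks files matching ".ht*". A password file such
# as the ".statspwd" from the thread, if it sits under the docroot, is NOT
# covered by that rule; refusing every dotfile closes the gap.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Honour only the .htaccess directives the site needs. "AllowOverride None"
# would make every .htaccess ignored (the reply's "server goes bonkers" case);
# "deny from all" needs Limit, "Require ..." needs AuthConfig.
<Directory "/home/content/a/b/c/html">
    Options -Indexes
    AllowOverride AuthConfig Limit
    Require all granted
</Directory>
```

After a reload, the check is the same as for a .htaccess: a request for `/.statspwd` (or any dotfile) under the docroot should return 403, and a request that tries to reach `../private/config.php` should return 404 or 403, never the file contents.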

Got it! And, thanks for all your help and your clear answers. Enjoy your weekend…

-Eric