HTPorter v1.0.5

Apache .htaccess / .htpasswd management directly in the browser. No terminal, no database, no framework – just upload and go.

---

Features

• Single PHP File – no installation, no dependencies
• One .htpasswd per directory – precise access control, each directory has its own password file
• User takeover – take over existing users from other directories via dropdown
• Permission check – real test write attempt before every action, no success message without actual success
• EXT toggle – show or hide external directories (e.g. WordPress, shop systems)
• Light/Dark Mode – switchable, setting is saved
• Bilingual – German and English, switchable via button
• APR1-MD5 hashing – compatible with every Apache server, including shared hosting

---

Compatibility

The script itself runs on any server with PHP – shared hosting, Raspberry Pi, VPS. Directory protection via .htaccess works exclusively with Apache. Nginx, Angie and other web servers do not support .htaccess.

Before installation, the HTPorter-Check is recommended – it checks whether the server meets all requirements.

---

Requirements

• Apache web server
• PHP version 7.4 or higher
• Write permissions for PHP in the web root and subdirectories

---

Installation

1. Upload htporter.php to any directory on the server
2. Open the file in your browser, e.g. https://your-domain.com/htporter.php
3. Done

---

Server Check

Before installing HTPorter, htporter-check.php can be used to verify whether the server meets all requirements. The check runs two real end-to-end tests – one with APR1-MD5 hash and one with bcrypt hash – and displays the result clearly in the browser.

1. Upload htporter-check.php to the server
2. Open it in the browser
3. Read the result
4. Delete the file

---

How it works

Architecture

Each protected directory gets its own .htpasswd file directly inside it. This file contains only the users who should have access to that directory. Apache reads the .htpasswd of the respective directory on access – a user from directory A cannot automatically access directory B, even if the username and password are identical.

Access control

HTPorter uses Require valid-user in the .htaccess. Since each directory has its own .htpasswd, access control per directory is still precise.

Password hashing

HTPorter uses the Apache APR1-MD5 hash algorithm. This works on every Apache server without additional modules, including shared hosting.

Permission check

Before every action, HTPorter checks whether PHP can actually write to the target directory – through a real test write attempt. If a write operation fails, an error message appears – there is no success message without actual success.

---

Directories

• Overview – all subdirectories of the web root are listed with their status: Protected, Public or External
• Create – new directories can be created directly in the script, including nested ones. Example: tree/birch creates the directory birch inside tree – both levels are created automatically.
• Delete – directories can be deleted recursively (including all contents). A confirmation prompt appears.

Directory Protection

• Set up – .htaccess and .htpasswd are created directly inside the directory. The first user can be created new or taken over from another directory.
• Remove – .htaccess and .htpasswd are deleted from the directory.

User Management

• Add – new username with password, or take over an existing user from another directory via dropdown
• Change password – only in the .htpasswd of this directory, other directories remain unchanged
• Delete – only from the .htpasswd of this directory, other directories remain unchanged
• The delete button only appears when more than one user exists

---

Interface

• Bilingual – German and English, switchable via button top right, setting is saved in a cookie
• Light/Dark Mode – switchable via icon top right, setting is saved in browser localStorage, default is Light
• EXT toggle – shows or hides directories with external .htaccess, default is visible, setting is saved in browser localStorage
• Click on the title – reloads the start page

---

Notes

Web root cannot be protected

HTPorter only shows subdirectories of the web root and can only protect these. The web root itself does not appear in the list and cannot be secured via HTPorter.

Detection of external directories

HTPorter reads the .htaccess of each directory and looks for the line Require valid-user. If this line is present, the directory is considered protected by HTPorter. If an .htaccess exists but without Require valid-user, the directory is displayed as External.

Security

• HTPorter itself has no built-in access protection. It is recommended to remove the script from the server after use.
• It is recommended to activate Fail2Ban on the server to block automatic brute-force attacks on protected directories. Fail2Ban automatically blocks IP addresses after too many failed login attempts.

---

Changelog

v1.0.5

• Initial release
• Create, protect, manage and delete directories
• One .htpasswd per directory directly inside it
• Add users, take over (dropdown), change password, delete
• APR1-MD5 password hashing
• Real test write attempt for permission check
• All write operations with return value check
• EXT toggle for external directories
• Bilingual interface German / English
• Light/Dark Mode

---

License

MIT License – free to use, modify and distribute.

---

Note

This project was developed with the assistance of AI.

---

Screenshots