I was just rooting through the 000webhost support ticket to answer the oldest ones when i stumbled upon an user asking how to protect directories on his website. Gladly i checked the “Password Protect Directories” option in the 000webhost.com control panel before answering his ticket and guess what? Since the 000webhost.com hack and the fixes 000webhost.com implemented to not have their site hacked again a few things seem to be broken. The “Password Protect Directories” option being one of them.
Before the changes were made it used to be a rather simple and straightforward process. All you had to do is to locate the “Password Protect Directories” option in the 000webhost.com control panel, then open it and specify the directory to protect, the username and password for .htaccess, confirm both and then the protected directory showed up in the list of directories right below those input fields. Well, things have changed and either i am too dumb to put a password that meets the 000webhost.com requirements as far as password strength is concerned or the system broke after they applied some more security to their systems. Here is what i did just a few minutes ago and failed miserably.
Password Protect Directories not working
Before replying to the ticket i went into my 000webhost.com control panel, opened the “Password Protect Directories” option in the control panel to test if things still work the way they did since the last time i used it. So on the next page i entered a directory to protect, which i had created a few seconds before, and keyed in user name and password. Not some uber-complicated password as i just wanted to test the functionality, it contained letters, numbers and an asterisk only. Here is what i got back from 000webhost.com when submitting the form.
Ok, failed. The error message says the password must only contain letters and numbers, so i tried to password protect the same directory with a less complicated password. This time it was letters and numbers only. After submitting the form i got the same error message back from 000webhost.com. Ok, next attempt. Knowing that i used one capital letter in the last password this time i used all small letters and numbers again. Guess what? Same error message about the password again. Only letters and numbers are allowed in the password. Well, that’s exactly what i put into the password field. I even typed the password i used in notepad to see if there’s something wrong with the keyboard but, not surprisingly, the keyboard and password were fine. So despite me using a password that met the 000webhost.com password criteria of only letters and numbers the system did not accept it for whatever reason.
I tried a number of passwords consisting of letters and numbers to no avail. No matter what i put as password, the system wouldn’t accept it. Finally i gave up on protecting a subdirectory and tried adding .htaccess/.htpasswd protection to the root directory (public_html), assuming that there is something wrong with their system when it comes to protecting subdirectories. To my surprise protecting the public_html directory did not show a warning message about the password containing invalid characters (i tried numbers and letters only anyway). This time the error message was a different one as you can see in the screenshot below
This time the form said “Uninitialized string offset: 0” which in most cases is a coding error in the file checking the input. So it looks like the “Password Protect Directories” option in the 000webhost.com control panel isn’t working really. I’ll leave a note on their helpdesk blog to make them aware of this issue and it would be great to hear from you if you have similar problems with 000webhost.com when it comes to password protecting directories. For now it looks like password protection for certain directories will have to be added manually by putting a .htaccess and a .htpasswd file with the necessary details in them. If time allows i’ll write a small tutorial on how to do that at 000webhost.com, though it is not specific to 000webhost.com but can be used with pretty much all the hosting companies out there (as long as they support it ofc.).