WordPress web directory password protection allows you to secure and manage your content on the webserver level. Once protected, users have to log in to access your secured site content.
In this article, we will introduce what a .htaccess file is and how to use it to password protect your entire WordPress website, certain pages, as well as files. Let’s get started with the basics!
- What Is the .Htaccess File?
- Password Protect Your Web Directory Using .Htaccess File
- Restrict Access to Everyone Except Specific IP Addresses
- Password Protect WordPress Files Using .Htaccess
- Lock WordPress Site Content with PPWP Pro Plugin
What Is the .Htaccess File?
The .htaccess file refers to a configuration file read by the server. It helps you handle server configuration settings. This file can be used to control cache, optimize your site, and reset permalink structure. You can also create a redirection from non-www to www URLs with the .htaccess file.
After installing your WordPress website on the Apache webserver, you can look for this file in the root directory. Sometimes, the .htaccess file is hidden. You need to enable the show hidden files option to view it.
Password Protect Web Directory Using .Htaccess File
Directory password protection restricts unauthorized access to files in a directory via usernames and passwords.
Besides the .htaccess file, you’re also required to create a .htpasswd to make your directory password protection work properly. While the .htaccess file contains the password protection directive, the .htpasswd file contains the required username and password.
These 2 steps will guide you on how to create .htaccess and .htpasswd files, and password protect a directory with them.
Step 1: Create .htaccess and .htpasswd files
To generate a .htaccess file, you need to:
- Login to your hosting server
- Create a .htaccess file. Make sure you add this file to the directory you want to password protect.
- Copy this code and paste into your .htaccess file
AuthType Basic AuthName "Protected Area" AuthUserFile /full/path/to/.htpasswd Require user [Username]
There are a few things in the code you should notice:
- The line /full/path/to/.htpasswd designates the server path to the .htpasswd file
- You should replace [Username] with your own usernames.
Here is an example:
AuthType Basic AuthName "Password Protected Area" AuthUserFile /usr/local/username/safedirectory/.htpasswd require user User1 User2 User3
Now, it’s time to add the .htpasswd file:
- Create a new file on your PC and name it .htpasswd
- Enter the credential information in the form below
[Username]:[EncryptedPassword]
Instead of thinking up a password on your own, try an encrypted password generator to create strong random passwords effortlessly. If you want to provide multiple accounts, set each username on a new line.
User1: vC-;"5;n4Gn3Y User2: uN8v!e%Mvet User3: $6V3bS7ukRq_
Step 2: Upload the .htaccess and .htpasswd files to your webspace
Once creating 2 files .htaccess and .htpasswd, you need to upload them to your /wp-admin directory to activate the password protection.
You can bypass .htaccess protection via IP addresses. In other words, users from specific IP addresses are able to access your content without having to enter usernames and passwords. Not only the directory but also page and file protection are all supported.
Restrict Access to Everyone Except Specific IP Addresses
This method authorizes you to grant a specific IP address direct access to your directory without requiring the username and password. Others not having the right IP address have to fill in the form with the correct credential information.
You may use this method to create an extranet website to communicate and share projects with clients. In case your site is in underdevelopment mode and you want your team members such as editors or developers to view it only, this method also comes in handy. These specific people don’t have to enter the login details to open your private website.
Place this code in the .htaccess file of your desired directory. Remember to replace 111.222.333.444 with the IP address you want to whitelist.
# password protect excluding specific ip <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd AuthType Basic Require valid-user Order Deny,Allow Deny from all Allow from 111.222.333.444 Satisfy Any </IfModule>
Intend to open access to multiple IP addresses? All you need to do is add new “Allow from…” lines. Each line must take in only one IP. You’re able to add as many IP addresses to the list as you would love to.
# password protect excluding specific ips
<IfModule mod_auth.c>
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Allow from localhost
Allow from 111.222.333.444
Allow from aaa.bbb.ccc.ddd
Satisfy Any
Password Protect Directories from Specific IPs Using .httaccess File
Some bots might try to hack your site via brute force attacks. They will guess and keep entering usernames and passwords to unlock your site. To prevent this, we recommend you to block malicious IP addresses from accessing your directory.
Enter this code to your .htaccess file to secure your site from specific IP addresses:
# password protect only for specified ips <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd AuthType Basic Require valid-user Order Allow,Deny Allow from all Deny from 111.222.333.444 Deny from aaa.bbb.ccc.ddd Satisfy Any </IfModule>
Similar to the former solution, you can block as many necessary IP addresses as you want. Wish to restrict people from certain areas? Simply shorten the IP address. For example, access from all those whose IP addresses starting with 111.222. will be denied.
# password protect only for specified ips <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd AuthType Basic Require valid-user Order Allow,Deny Allow from all Deny from 111.222 Satisfy Any </IfModule>
Password Protect WordPress Files Using .Htaccess
Simply add this code to your .htaccess file to secure a WordPress file with a password.
# password protect single file <IfModule mod_auth.c> <Files "protected.html"> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd Require valid-user AuthType Basic </Files> </IfModule>
You should replace the “protected.html” in the second line with the true file name. This file will become public only when users enter the proper username and password.
Password protect multiple files
In case you have multiple files to protect at the same time, add the following code to your .htaccess file:
# password protect mulitple files <IfModule mod_auth.c> <FilesMatch "(protected\.html)|(passwords\.txt)"> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd Require valid-user AuthType Basic </FilesMatch> </IfModule>
Private files in this example include protected\.html and passwords\.txt which belong to 2 different file types. It’s even easier for you to password protect all files of one or various file types.
# password protect mulitple file types <IfModule mod_auth.c> <FilesMatch "\.(inc|txt|log|dat|zip|rar)$"> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd Require valid-user AuthType Basic </FilesMatch> </IfModule> Password protect your WordPress directory, pages, and files
Lock WordPress Site Content with PPWP Pro Plugin
Although you can assign passwords to your content files and folders in the root directory, it’s always recommended to use the PPWP Pro plugin to simplify the process.
The plugin proves a clear-cut winner in securing your pages, posts, custom post type, or the entire site. It takes you only a few clicks to lock the content and frees you from coding. Once protected, users must enter the correct password to view them.
You have the ability to generate unlimited passwords for your private content, both manually and automatically. Each user will use one password to unlock the content.
Password Protect WordPress Directory, Pages, and Files
While the wp-admin panel is already protected and requires users to log in, you can add an additional security layer and manage your web content on a server.
You can create .htaccess and .htpasswd files then add some code there to password protect your directories, pages, and files. Want to simplify the process with better UI? Secure your entire site, pages, and posts, or downloadable files with passwords using Password Protect WordPress (PPWP) Pro plugin. Users don’t have to enter usernames or log in.
Learn how PPWP Pro restricts access to your entire WordPress sites, certain pages, posts, and files here!