How to Password Protect WordPress Directory with .htaccess

WordPress web directory password protection allows you to secure and manage your content at the web server level. Once protected, users have to log in to access your secure site content.

In this article, we will introduce what a .htaccess file is and walk you through how to use it to password protect your entire WordPress website, certain pages, as well as files. Let’s get started with the basics!

What is a .htaccess file?

The .htaccess file refers to a configuration file read by the server. It helps you handle server configuration settings. This file can be used to control cache, optimize your site, and reset permalink structure. You can also create a redirection from non-www to www URLs with the .htaccess file.

After installing your WordPress website on the Apache webserver, look for this file in your root directory. Sometimes, the .htaccess file is hidden. You need to enable the show hidden files option to view it.

Password protect your web directory by using .htaccess file

Directory password protection restricts unauthorized access to files in a directory via usernames and passwords.

Besides the .htaccess file, you’re also required to create a .htpasswd file to make your directory password protection work properly. While the .htaccess file contains the password protection directives, the .htpasswd file contains the required usernames and passwords.

These 2 steps guide you on how to create .htaccess and .htpasswd files, and password protect a directory with them.

Step 1: Create .htaccess and .htpasswd files

Firstly, to generate a .htaccess file, you need to:

  1. Log in to your hosting server
  2. Create a .htaccess file. Make sure you add this file to the directory you want to password protect.
  3. Copy this code and paste it into your .htaccess file:
AuthType Basic
AuthName "Protected Area"
AuthUserFile /full/path/to/.htpasswd
Require user [Username]

There are a few things in the code you should notice:

  • The line /full/path/to/.htpasswd designates the server path to the .htpasswd file
  • You should replace [Username] with your own usernames.

Here is an example:

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /usr/local/username/safedirectory/.htpasswd
require user User1 User2 User3

Secondly, add the .htpasswd file:

  1. Create a new file on your PC and name it .htpasswd
  2. Enter the credential information in the form below
[Username]:[EncryptedPassword]

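Instead of thinking up a password on your own, try an encrypted password generator to create strong random passwords effortlessly. The value stored after the colon is the encrypted form of the password that the generator outputs, and no space follows the colon. If you want to provide multiple accounts, set each username on a new line. The entries below show the layout only; on your server each value is the generator's output for that user.

User1:vC-;"5;n4Gn3Y
User2:uN8v!e%Mvet
User3:$6V3bS7ukRq_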

Step 2: Upload the .htaccess and .htpasswd files to your webspace

Once you have created the .htaccess and .htpasswd files, upload them to your /wp-admin directory to activate the password protection. The AuthUserFile line in .htaccess must contain the full server path of the uploaded .htpasswd file.

You can exempt specific IP addresses from .htaccess password protection. In other words, users from those IP addresses are able to access your content without having to enter usernames and passwords. Besides directories, individual pages and files can be protected too.

Restrict access of everyone except a specific IP address

This method lets you grant a specific IP address direct access to your directory without entering the username and password. Visitors from any other IP address have to fill in the form with the correct credentials.

You may use this method to create an extranet website to communicate and share projects with clients. In case your site is under development and you want only your team members, such as editors or developers, to view it, this method also comes in handy. These specific people don’t have to enter the login details to open your private website.

Place this code in the .htaccess file of your desired directory. Remember to replace 111.222.333.444 with the IP address you want to whitelist.

# password protect excluding specific ip
# Apache 2.2 and later: test mod_auth_basic.c (mod_auth.c no longer exists, so a block testing it is skipped)
<IfModule mod_auth_basic.c>
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Allow from 111.222.333.444
Satisfy Any
</IfModule>

Want to open access to multiple IP addresses? All you need to do is add new “Allow from…” lines. Each line takes only one IP address. You can add as many IP addresses to the list as you need.

# password protect excluding specific ips
# Apache 2.2 and later: test mod_auth_basic.c (mod_auth.c no longer exists, so a block testing it is skipped)
<IfModule mod_auth_basic.c>
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Allow from localhost
Allow from 111.222.333.444
Allow from aaa.bbb.ccc.ddd
Satisfy Any
</IfModule>
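
The same rule written for Apache 2.4, where Order, Deny, Allow and Satisfy are deprecated (they only work through mod_access_compat) in favour of Require. This is an added example, not part of the original article; the path reuses the article's placeholder and the addresses are constructed documentation-range values.

```apache
# Apache 2.4 (mod_authz_core): password OR trusted address.
# Added example; path and addresses are placeholders to replace.
AuthType Basic
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd

<RequireAny>
    # Requests from the server itself skip the password prompt
    Require local
    # A single trusted address
    Require ip 203.0.113.10
    # A whole trusted network in CIDR notation
    Require ip 198.51.100.0/24
    # Everyone else must authenticate against the .htpasswd file
    Require valid-user
</RequireAny>
```

If the site sits behind a reverse proxy or CDN, Apache sees the proxy's address unless mod_remoteip is configured, so an exemption for that address would apply to every visitor arriving through the proxy.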

Password protect directories from specific IPs using .htaccess file

Some bots might try to hack your site via brute force attacks. They will guess and keep entering usernames and passwords to unlock your site. To counter this, single out suspicious IP addresses and restrict their access to your directory.

Add this code to your .htaccess file to secure your site from specific IP addresses. Because of Satisfy Any, visitors from the listed addresses have to enter a username and password, while all other visitors are not prompted:

# password protect only for specified ips
# Apache 2.2 and later: test mod_auth_basic.c (mod_auth.c no longer exists, so a block testing it is skipped)
<IfModule mod_auth_basic.c>
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
AuthType Basic
Require valid-user
Order Allow,Deny
Allow from all
Deny from 111.222.333.444
Deny from aaa.bbb.ccc.ddd
Satisfy Any
</IfModule>

Similar to the former solution, you can list as many IP addresses as you need. Want to restrict people from certain areas? Simply shorten the IP address. For example, all visitors whose IP addresses start with 111.222. will be denied direct access and have to log in.

# password protect only for specified ips
# Apache 2.2 and later: test mod_auth_basic.c (mod_auth.c no longer exists, so a block testing it is skipped)
<IfModule mod_auth_basic.c>
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
AuthType Basic
Require valid-user
Order Allow,Deny
Allow from all
Deny from 111.222
Satisfy Any
</IfModule>
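
The snippets above still admit the listed addresses once they supply valid credentials. To refuse those addresses outright while every other visitor has to log in, Apache 2.4 can combine both conditions in a RequireAll block. This is an added example, not part of the original article; the path reuses the article's placeholder and the addresses are constructed documentation-range values.

```apache
# Apache 2.4 (mod_authz_core): every visitor must log in,
# and the listed sources are refused even with valid credentials.
# Added example; path and addresses are placeholders to replace.
AuthType Basic
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd

<RequireAll>
    # Condition 1: a valid username and password from the .htpasswd file
    Require valid-user
    # Condition 2: the client address is not on the block list
    Require not ip 203.0.113.10
    # A CIDR range covers a whole network, like the shortened 111.222 form
    Require not ip 198.51.100.0/24
</RequireAll>
```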

Password protect WordPress files using .htaccess

Simply add this code to your .htaccess file to secure a WordPress file with a password.

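# password protect single file
# Apache 2.2 and later: test mod_auth_basic.c (mod_auth.c no longer exists, so a block testing it is skipped)
<IfModule mod_auth_basic.c>
<Files "protected.html">
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
Require valid-user
AuthType Basic
</Files>
</IfModule>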

You should replace “protected.html” in the Files line with the actual file name. This file becomes accessible only when users enter the proper username and password.

Password protect multiple files

In case you have multiple files to protect at the same time, add the following code to your .htaccess file:

# password protect multiple files
# Apache 2.2 and later: test mod_auth_basic.c (mod_auth.c no longer exists, so a block testing it is skipped)
<IfModule mod_auth_basic.c>
<FilesMatch "(protected\.html)|(passwords\.txt)">
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
Require valid-user
AuthType Basic
</FilesMatch>
</IfModule>

Private files in this example include protected.html and passwords.txt, which belong to 2 different file types (the backslashes in the pattern escape the dots). It’s even simpler to password protect all files of one or various file types.

# password protect multiple file types
# Apache 2.2 and later: test mod_auth_basic.c (mod_auth.c no longer exists, so a block testing it is skipped)
<IfModule mod_auth_basic.c>
<FilesMatch "\.(inc|txt|log|dat|zip|rar)$">
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
Require valid-user
AuthType Basic
</FilesMatch>
</IfModule>

Password protect your WordPress directory, pages, and files

While the wp-admin panel is already protected and requires users to log in, you can add an additional security layer and manage your web content at the server level.

You can create .htaccess and .htpasswd files, then add some code there to password protect your directories, pages, and files. Want to simplify the process with a better UI? Secure your entire site, pages and posts, or downloadable files with passwords using the Password Protect WordPress (PPWP) Pro plugin. Users don’t have to enter usernames or log in.

Learn how PPWP Pro restricts access to your entire WordPress sites, certain pages, posts, and files here!