Password Protect a WordPress site with htaccess


Sometimes we want to protect a website with a username and password, during the development phase or for security reasons. The Apache web server (the daemon that serves up your marvelous content) lets a user configure two files for this very purpose: .htaccess and .htpasswd.


The .htaccess file is a simple text file placed in the directory you want its contents to affect. The rules and configuration directives in the .htaccess file are enforced on that directory and on all of its sub-directories. To password protect content, a few directives are needed in the .htaccess file; one of them, the AuthUserFile directive, tells the Apache web server where to find the username/password pairs.


The .htpasswd file is the second part of the authentication setup. It is also a simple text file. Its name is given in the .htaccess configuration and can be anything, although “.htpasswd” is the canonical name. The file name starts with a dot because most Unix-like operating systems treat any file whose name begins with a dot as hidden. Instead of directives, the .htpasswd file consists of rows, each containing a username, followed by a colon, followed by the hashed password. The password is stored in hashed form and the username in plaintext. The file can hold multiple username and password pairs, each on its own line.
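
A small audit of the row format described above (username, colon, hashed password), added here as an example and not part of the original article: it parses .htpasswd text and reports rows that are malformed, duplicated, or stored with a scheme other than bcrypt. The function names, the sample rows and the bcrypt-only policy are assumptions of this example.

```python
import re

# (label, pattern, accepted); accepting only bcrypt is this example's policy.
SCHEMES = [
    ("bcrypt", re.compile(r"\$2[ay]\$\d\d\$[./A-Za-z0-9]{53}"), True),
    ("apr1-md5", re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}"), False),
    ("sha1-unsalted", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="), False),
    ("des-crypt", re.compile(r"[./A-Za-z0-9]{13}"), False),
]

def classify(hash_field):
    for label, pattern, accepted in SCHEMES:
        if pattern.fullmatch(hash_field):
            return label, accepted
    return "unrecognised", False  # plaintext, truncated or unknown format

def audit_htpasswd(text):
    """Return (line_no, user, finding) for every row that needs attention."""
    findings, seen = [], set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, colon, rest = line.partition(":")
        if not colon or not user:
            findings.append((line_no, None, "malformed"))
        elif user in seen:
            findings.append((line_no, user, "duplicate-user"))
        else:
            seen.add(user)
            label, accepted = classify(rest.split(":")[0])
            if not accepted:
                findings.append((line_no, user, label))
    return findings

# Constructed sample rows; the hash bodies are filler, not real password hashes.
SAMPLE = "\n".join([
    "# staging site users",
    "alice:$2y$10$" + "A" * 53,
    "bob:$apr1$saltsalt$" + "B" * 22,
    "carol:{SHA}" + "C" * 27 + "=",
    "dave:hunter2",
    "no-colon-here",
    "bob:$2y$10$" + "D" * 53,
])

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(finding)
```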

The .htaccess file can be created with a text editor; on a *nix machine, vi or pico can be used. The file can even be created on Windows with an ASCII text editor such as Notepad and then uploaded using FTP or a similar mechanism.

htpasswd authentication can be used to protect the entire directory the .htaccess file is placed in, as well as particular files. Put the .htaccess file in the directory you wish to protect, and remember that all sub-directories will be protected as well. The code below is a very simple default WordPress .htaccess file with authentication added to protect the site. Use it as a template for your own .htaccess file, for a WordPress site or any other site, and review the directives below for more information and specific changes.

Update the WordPress .htaccess file

The .htaccess file is generated by default after you install WordPress on your website. Open this .htaccess file in your favourite command-line editor, such as vim, with the command vim .htaccess

Add the following authentication code at the end of the .htaccess file

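# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Basic authentication for the whole site. Kept outside the BEGIN/END WordPress
# markers because WordPress rewrites everything between them.
# Basic auth sends credentials base64-encoded, not encrypted, so serve the site over HTTPS.
AuthType Basic
AuthName "restricted area"
# You must supply the complete path to your password file, not the relative path from DocumentRoot.
AuthUserFile /home/YOURUSERNAME/public_html/.htpasswd
Require valid-user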

Please make sure to pass the absolute path of your .htpasswd file.

Create a new password file

Copy the .htaccess file at the root of your WordPress installation and rename the copy .htpasswd

You will need to generate the username and password credentials for the .htpasswd file using a tool like

Your generated user authentication will be username and password separated by a colon like

