WordPress allows password protection at the page or post level through the Visibility option, but what if you want to password protect the entire website so that only visitors with a password can get in? This tutorial shows how to password protect your whole site (or a particular folder or directory within it) on an Apache server by modifying your .htaccess file and creating a .htpasswd file.
Steps to Protecting a Directory or Folder with a Password
Modify your .htaccess file
Your .htaccess file can be found and downloaded locally using an FTP tool, such as Filezilla. Using a plain text editor like Notepad, add the following contents to your .htaccess file:
AuthName "Members Area"
AuthType Basic
AuthUserFile /path/to/your/directory/.htpasswd
require valid-user
Note that you will have to modify the above according to your situation. In particular, change:
AuthName
Change “Members Area” to any name that you like. This name will be displayed when the browser prompts for a password. I personally like to use “Authorization Required”, but any name will do.
AuthType
You do not have to modify this line. Just copy it verbatim to your file.
AuthUserFile
The “AuthUserFile” line tells the Apache web server where it can find the .htpasswd password file.
Ideally, the password file should be placed outside any directory that visitors to your website can reach. For example, if the main page of your web site is physically located in “/home/your-account-name/public-html/”, place your .htpasswd file in (say) /home/your-account-name/.htpasswd. That way, on the off-chance that your host misconfigures the server, visitors cannot read the .htpasswd contents simply by requesting https://www.example.com/.htpasswd.
Wherever you decide to place the file, put its full path after “AuthUserFile”. For example, if you placed the file at /home/your-account-name/.htpasswd, change the line to “AuthUserFile /home/your-account-name/.htpasswd”. Note that the password file need not be named .htpasswd either; it can have any name you wish. Be aware, though, that Apache's default configuration refuses to serve any file whose name begins with “.ht”, so a file with a different name inside the web root loses that safety net and really must live outside it. For ease of reference, this tutorial assumes that you chose “.htpasswd”.
require
The line “require valid-user” means that any user listed in your .htpasswd (that is, password) file will be able to access that directory. (You will create the password file later in this article.)
If your password file contains many users but you only want one specific user to be able to access this directory, change “require valid-user” to:
require user sally
You should of course replace sally with the user name of the person to whom you want to give access. You can also list several user names on that line, separated by spaces (the original example listed four users after require user); every user named on the line is then allowed access to that directory, and anyone else in the password file is refused. Notice that even when you list multiple names, the directive is still require user. Do not use the plural form of user.
Also note that you will need to be sure your file manager or finder is able to see system files that begin with a dot (.). By default these may be hidden. Doing a Google search for “how to see hidden files” will provide several ways to make them visible which is critical in order to complete this set up.
Save and Upload the .htaccess file
Save the .htaccess file. If you are using Notepad, be sure to save the file as ".htaccess", including the quotes, otherwise your text editor will rename it to “.htaccess.txt” behind your back. You DO NOT want a .txt suffix as part of the name, or it will not work. Then upload the .htaccess file to the directory that you want to protect. To protect the whole site, that is the site's document root; if WordPress already has a .htaccess file there (it writes its permalink rewrite rules to one), add these lines to that file rather than replacing it.
Create the Password File .htpasswd
There are a couple of ways to create a password file. One is to use SSH or shell access and Apache's htpasswd program (for example, htpasswd -nB sally prompts for a password and prints a bcrypt entry you can paste into the file). Another is to create the file with a plain text editor and an encoding tool. This tutorial focuses on the latter.
You will need to choose a user name and password, and the password must be stored as a hash, never in plaintext. There is an online tool that can produce the hash: https://www.htaccesstools.com/htpasswd-generator/ Fill in the form with your user name and password, select Bcrypt for Mode, then press “Create .htpasswd file”. Keep in mind that any online generator sees the password you type; for anything you care about, generate the entry locally with htpasswd instead. Bcrypt entries (beginning with $2y$) require Apache 2.4.4 or later; on an older server, choose the MD5 (apr1) mode instead.
The output will look something like this:
Username:$2y$10$q/8DK1yyUpNkumEwMhu0nOXOATUxdRMtJ5uqzhsV595h/3iehcJ7O
Open a new plain text document and paste the user name and hashed password line into it. Be sure to save the file as ".htpasswd", including the quotes, otherwise Notepad will rename it to “.htpasswd.txt” behind your back. Upload the file to the location you specified in the AuthUserFile line of your .htaccess file, and make sure it is readable by the web server.
Testing Your Setup
Once you have completed the above, test your setup in your browser to make sure that everything works as intended. Go to your protected directory via your web browser. You should be greeted with a prompt for your user name and password; if everything is set up correctly, entering that information lets you view the files in that directory. Also try a wrong password, and, if you used require user, the credentials of a user who is in .htpasswd but not on the require line: both should be refused. Finally, request https://www.example.com/.htpasswd (with your own domain) and confirm the server does not serve the file. If no prompt appears at all, the most common causes are that the host does not allow AuthConfig overrides in .htaccess (the AllowOverride setting) or that the site is not served by Apache; nginx, for instance, ignores .htaccess files entirely.
A Word of Caution
You should note a few things, before you go crazy password protecting directories under the illusion that they safeguard your data:
- The password protection only guards access through the web. You can still freely access your directories from your FTP tool and shell account, and so can anyone else who has those credentials.
- It protects directories, not individual files. Once a user is authenticated for that folder, he or she can view every file in that directory and all of its subdirectories. (Apache can restrict a single file with a <Files> section, but that is outside this tutorial.)
- With Basic authentication the browser sends the user name and password base64-encoded, which is an encoding, not encryption: anyone who can observe the traffic can decode them instantly, and the browser repeats them on every request to the protected directory. To address this, serve the site over HTTPS only.
- Basic authentication has no lockout or rate limiting of its own, so a weak password can simply be guessed. Use long passwords and the bcrypt hash format.
- You should not use this password protection facility for anything serious, like guarding your customers' data, credit card information or any other valuable information. It is basically only good for keeping out search engine bots and casual visitors.
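To make the two points above concrete, the following added example (written for this page, not code from the tutorial, from Apache or from the htpasswd tool) models what the browser sends and what the server does with it. It builds an Authorization header and decodes it again, showing that "in the clear" really means reversible base64; it reproduces Apache's decision for require valid-user versus require user sally; and it lists which entries in a password file are not bcrypt. The sample .htpasswd contents are constructed here (the bcrypt line is the one printed earlier in the tutorial, whose password is unknown), and only the {SHA} scheme produced by htpasswd -s is verified, because that needs nothing beyond the standard library; bcrypt verification is delegated to the optional bcrypt package, which is an assumption of this example.

```python
"""Model of Apache Basic auth for a .htaccess-protected directory.

Added example, not code from the tutorial or from Apache. It shows what the
browser transmits, why that is "in the clear", how `require valid-user`
differs from `require user sally`, and which .htpasswd entries are weak.
"""
import base64
import hashlib
import hmac


def make_sha_entry(user: str, password: str) -> str:
    """Build a `user:{SHA}...` line the way `htpasswd -s` does (unsalted SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


# Constructed sample credential file: two {SHA} users built above plus the
# bcrypt line printed in the tutorial (password unknown). Blank lines and
# lines starting with '#' are skipped, as mod_authn_file does.
SAMPLE_HTPASSWD = "\n".join([
    make_sha_entry("sally", "correct horse"),
    make_sha_entry("bob", "hunter2"),
    "Username:$2y$10$q/8DK1yyUpNkumEwMhu0nOXOATUxdRMtJ5uqzhsV595h/3iehcJ7O",
    "# a comment line",
    "",
])


def parse_htpasswd(text: str) -> dict:
    """Map user name -> stored hash (first colon separates the two)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def verify_password(stored: str, password: str) -> bool:
    """Check a candidate password against one stored entry."""
    if stored.startswith("{SHA}"):
        expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest(stored[5:], expected)   # constant-time compare
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        try:
            import bcrypt  # assumption: the optional 'bcrypt' package is installed
        except ImportError as exc:
            raise RuntimeError("bcrypt entries need the 'bcrypt' package") from exc
        return bcrypt.checkpw(password.encode(), stored.encode())
    raise RuntimeError(f"hash scheme not handled in this example: {stored[:6]!r}")


def basic_header(user: str, password: str) -> str:
    """The Authorization header a browser sends after the password prompt."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header: str):
    """Recover (user, password) from the header: base64 is reversible, not secret."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")   # password itself may contain ':'
    return (user, password) if sep else None


def parse_require(directive: str):
    """Return the set of allowed users, or None for `require valid-user`."""
    tokens = directive.split()
    if len(tokens) < 2 or tokens[0].lower() != "require":
        raise ValueError(f"not a require directive: {directive!r}")
    if tokens[1] == "valid-user":
        return None
    if tokens[1] == "user" and len(tokens) > 2:
        return set(tokens[2:])
    raise ValueError(f"unsupported require form: {directive!r}")


def authorize(require_directive: str, htpasswd_text: str, auth_header):
    """Apache's decision for one request as (status, reason).

    Every failure yields 401 plus a fresh WWW-Authenticate challenge by default;
    AuthzSendForbiddenOnFailure On would turn the last failure into 403.
    """
    allowed = parse_require(require_directive)
    users = parse_htpasswd(htpasswd_text)
    creds = decode_basic_header(auth_header) if auth_header else None
    if creds is None:
        return 401, "no usable credentials"
    user, password = creds
    if user not in users or not verify_password(users[user], password):
        return 401, "unknown user or wrong password"
    if allowed is not None and user not in allowed:
        return 401, "authenticated but not listed in require user"
    return 200, "ok"


def weak_entries(htpasswd_text: str) -> list:
    """Users whose stored hash is not bcrypt: {SHA} is unsalted SHA-1, $apr1$ is
    iterated MD5, 13-character crypt(3) hashes truncate passwords at 8 bytes."""
    return [u for u, h in parse_htpasswd(htpasswd_text).items()
            if not h.startswith(("$2y$", "$2a$", "$2b$"))]


if __name__ == "__main__":
    hdr = basic_header("sally", "correct horse")
    print(hdr, "->", decode_basic_header(hdr))
    print(authorize("require user sally", SAMPLE_HTPASSWD, basic_header("bob", "hunter2")))
    print("non-bcrypt entries:", weak_entries(SAMPLE_HTPASSWD))
```

Running the script prints the header the browser would send for sally, decoded straight back to her user name and password, then shows bob being refused under require user sally even though his password is correct, and finally flags sally and bob as the entries that are not bcrypt.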