How to Password Protect an Entire Directory on Your WordPress Site

WordPress allows for password protection on a page or post level using the Visibility option. (see screen print on right), but what if you want to password protect the entire website so that only those with a password can gain access? This tutorial will show you how to password protect your entire site (or a certain folder or directory of your site) by modifying your .htaccess file and creating a .htpasswd file.Your

Steps to Protecting a Directory or Folder with a Password

Modify your .htaccess file

Your .htaccess file can be found and downloaded locally using an FTP tool, such as Filezilla. Using a plain text editor like Notepad, add the following contents to your .htaccess file:

AuthName "Members Area"
AuthType Basic
AuthUserFile /path/to/your/directory/.htpasswd
require valid-user

Note that you will have to modify the above according to your situation. In particular, change:


Change “Members Area” to any name that you like. This name will be displayed when the browser prompts for a password. I personally like to use “Authorization Required”, but any name will do.


You do not have to modify this line. Just copy it verbatim to your file.


The “AuthUserFile” line tells the Apache web server where it can locate the .htpasswd password file.

Ideally, the password file should be placed outside any directory accessible by visitors to your website. For example, if the main page of your web site is physically located in “/home/your-account-name/public-html/“, place your .htpasswd file in (say) /home/your-account-name/.htpasswd. That way, on the off-chance that your host misconfigures your server, your visitors cannot view the .htpasswd contents by simply typing

Wherever you decide to place the file, put the full path of that file after “AuthUserFile”. For example, if the directory where you placed the file is /home/your-account-name/.htpasswd, modify that line to “AuthUserFile /home/your-account-name/.htpasswd“. Note that your password file need not be named .htpasswd either. It can be any name you wish. For ease of reference, however, this tutorial will assume that you chose “.htpasswd“.


The line “require valid-user” means that any user specified in your .htpasswd (ie, password) file will be able to access that directory. (You will be creating the password file later in this article.)

If your password file contains many users, but you only want a specific user to be able to access this directory, change the “require valid-user” to:

require user sally

You should of course replace sally with the user name of the person to whom you want to give access. You can even add multiple names to that line:

require user sally mary bill tom

In the above case, the four users listed after require user will be allowed access to that directory. Notice that even when you list multiple names, the directive to use is require user. Do not use the plural form of user.

Also note that you will need to be sure your file manager or finder is able to see system files that begin with a dot (.). By default these may be hidden. Doing a Google search for “how to see hidden files” will provide several ways to make them visible which is critical in order to complete this set up.

Save and Upload the .htaccess file

Save the .htaccess file. If you are using Notepad, be sure to save the file as ".htaccess", including the quotes, otherwise your text editor will change the name to “.htaccess.txt” behind your back. You DO NOT want .txt suffix as part of the name or it will not work. Then upload the .htaccess file to the directory that you want to protect.

Create the Password File .htpasswd

There are a couple of ways to create a password file. One way is to use SSH or shell access and server prompts. Another is to create the file using a plain text editor and an encoding tool. This tutorial will focus on the latter.

You will need to identify a user name and password, and these pairings will need to be encrypted. There is an online tool that may be used for this purpose. Find it here: Fill in the form with your user name and password, select Bcrypt for Mode, then press “Create .htpasswd file”.




The output will look something like this:


Open a new plain text document and paste the encrypted user name and password into it. Be sure to save the file as ".htpasswd", including the quotes, otherwise Notepad will change the name to “.htpasswd.txt” behind your back. Upload the file to the appropriate directory as specified in your .htaccess file.

Testing Your Setup

Once you have completed the above, you should test your set up using your browser to make sure that everything works as intended. Go to your protected directory via your web browser to view it. You should be greeted with a prompt for your user name and password. If you have set everything up correctly, when you enter that information, you should be able to view the files in that directory.

A Word of Caution

You should note a few things though, before you go crazy password protecting directories that give the illusion that they can safeguard your data:

  1. The password protection only guards access through the web. You can still freely access your directories from your FTP tool and shell account.
  2. It protects directories and not files. Once a user is authenticated for that folder, he/she can view any file in that directory and its descendants.
  3. Passwords and user names are transmitted in the clear by the browser, and so are vulnerable to being intercepted by others. To address this problem, you should convert your website to HTTPS.
  4. You should not use this password protection facility for anything serious, like guarding your customer’s data, credit card information or any other valuable information. It is basically only good for things like keeping out search engine bots and casual visitors.

Comments are closed.