TaylorLovett

Password Protecting Directories in WordPress Tutorial

July 2, 2010 by Taylor Lovett

Today I wanted to password protect a directory on my website. I needed a web directory to be 100% secure and the only way to do that is using an .htaccess file. However, since WordPress already has an .htaccess file on my site, doing this became a tricky project. After following other .htaccess password protection tutorials on the net, WordPress would give me a 404 error when I browsed to the protected folder. It took me a few hours to figure out how to get around this. Here is a tutorial for password protecting directories in WordPress.

1. In the folder you want to protect, create a .htaccess file. I created a directory called password/ and placed my .htaccess file in password/.htaccess. Some operating systems don't let you name a file .htaccess. One way to get around this is to create a file named htaccess.txt, upload it to your site, then rename it to .htaccess. We will edit this file later in the tutorial.

2. Create a file named .htpasswd and upload it to your site. This file contains the username and password that you will need to enter in order to access your password-protected folder. I recommend putting this file in a location that is not web accessible. For most hosts, your web-accessible files are stored in the www/ or htdocs/ folder. If you put this file outside those folders (one level up, for example), it cannot be viewed with a web browser. Again, we will edit this file later in the tutorial.

3. Put this code in your .htaccess file:

AuthUserFile /home/.htpasswd
AuthType Basic
AuthName "My Password Protected Folder"
require user USERNAME

4. The parts of the code you will have to change are USERNAME and /home/.htpasswd. Replace USERNAME with the username you will use; for this tutorial my username will be taylor. Replace /home/.htpasswd with the absolute path to your .htpasswd file. My web files are stored in /home/www/, so placing my .htpasswd file in the /home/ folder makes it impossible to view with a web browser. Make sure you replace /home/.htpasswd with an absolute path and not a URL like http://www.taylorlovett.com/.htpasswd.

5. Put this code in your .htpasswd file:

USERNAME:ENCRYPTED PASSWORD

6. Replace USERNAME with your username; I am using taylor for this tutorial. Replace ENCRYPTED PASSWORD with an encrypted password. There are many .htpasswd generators you can use on the web. My .htpasswd file looks like this:

taylor:zG/hsmO/lXxnM

7. The last steps of this tutorial are what make everything work alongside your WordPress installation, which is why other .htaccess password protection tutorials on the internet don't work if you're running WordPress. Open the .htaccess file in the base directory of your WordPress installation. On my site WordPress is installed in the root, so I opened the file located at http://www.taylorlovett.com/.htaccess

At the very top of the file, add the following code (make sure you add this before # BEGIN WordPress):

ErrorDocument 401 /401.html

So your .htaccess file should look something like this:

ErrorDocument 401 /401.html
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

8. Finally, create a file in the root of your site called 401.html. You can leave the file blank if you want. Now everything should be working smoothly!
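As an added example (not code from the original tutorial), this Python audit checks the two files from steps 2 to 6: it flags an AuthUserFile path that is relative or inside the web root, and classifies each .htpasswd entry by hash format. The 13-character entry shown in step 6 is traditional crypt(), which uses only the first 8 characters of the password. The web root /home/www, the users alice and bob with their hash values, and the rating labels are assumptions made for this example.

```python
import re
from pathlib import PurePosixPath

# Password formats Apache basic auth accepts. The rating labels are this
# example's own; Apache's documentation calls SHA1 and crypt() insecure.
SCHEMES = [
    ("bcrypt", "strong", re.compile(r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}")),
    ("apr1-md5", "legacy", re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}")),
    ("sha1", "insecure", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}=")),
    ("des-crypt", "insecure", re.compile(r"[./A-Za-z0-9]{13}")),
]

def classify(stored):
    """Return (scheme, rating) for one stored password field."""
    for name, rating, pattern in SCHEMES:
        if pattern.fullmatch(stored):
            return name, rating
    return "unknown", "review"

def audit_htpasswd(text):
    """Return (user, scheme, rating) for each user:hash line."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            rows.append((user, *classify(stored)))
    return rows

def auth_file_findings(htaccess, docroot):
    """Flag AuthUserFile paths that are relative or inside the web root."""
    findings = []
    root = PurePosixPath(docroot)
    for m in re.finditer(r'(?im)^\s*AuthUserFile\s+"?([^"\s]+)"?', htaccess):
        path = PurePosixPath(m.group(1))
        if not path.is_absolute():
            findings.append(f"{path}: not an absolute path")
        elif path == root or root in path.parents:
            findings.append(f"{path}: inside the web root {root}")
    return findings

# Constructed sample input; only the first entry comes from the tutorial.
SAMPLE_HTPASSWD = "\n".join([
    "taylor:zG/hsmO/lXxnM",
    "alice:{SHA}" + "A" * 27 + "=",
    "bob:$2y$10$" + "a" * 53,
])
SAMPLE_HTACCESS = "AuthUserFile /home/.htpasswd\nAuthType Basic\nrequire user taylor\n"
```

Entries that come back as `insecure` or `legacy` can be regenerated with `htpasswd -B`, which writes a bcrypt hash.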

There are 2 comment(s) on "Password Protecting Directories in WordPress Tutorial"

  1. Hi Taylor,

    Great post, I was wondering if you know how to create multiple passwords that will work to access a single directory?

    Thank you,
    Ben

  2. Thank you!! This is the first helpful tutorial that I’ve found on htaccess and WordPress. Everything works wonderfully now :)
