Password-protecting an entire WordPress site

Published 22 Sep 2014 in Browsers, Security, WordPress by ZigPress

It’s quite a common scenario – you’ve developed a great WordPress site, and you need to show it to your client, but you don’t want the rest of the world (or even worse, a search engine) seeing it, not until your client has approved it for launch.

Well, if your site is running on an Apache server, you’re in luck. There’s a very easy method which will insist on a username and password being entered as soon as someone browses to the site, no matter whether any pages are set up as password protected by WordPress. In other words, once your client enters the correct details, they can use the site normally, just as if it was already launched.

Every WordPress site has an .htaccess file at its root level, and by adding a couple of lines to this file and creating an additional file called .htpasswd, we can accomplish what we need.

1. Create .htpasswd file

Firstly, we create the .htpasswd file. This file will contain the username and password combination that is required to access the site, and it should be stored outside the web path if possible. For example, when I FTP into one of my sites, I see a ‘public_html’ folder. If I store the .htpasswd file alongside this folder (not inside it), then it will be outside the web path and therefore completely inaccessible by a browser.

So, create a text file and save it on your desktop as htpasswd.txt (if you’re on a Mac or Linux system and you name it .htpasswd straight away, it will be a hidden file so you’ll have trouble editing it).

Now, we need to add a username and encrypted password to the file. We can encrypt the password using a free online service at Using that link, choose a username and password, and let the page encrypt the password for you. It will give you a line of characters which you should copy and then paste into your new htpasswd.txt file.

I chose the username bumble and the password beehive, and this is what I got:


When your htpasswd.txt file contains your line of text, save it and upload it into your webspace, in the location you determined earlier (in my case, at the FTP root folder, alongside the public_html folder). Once it is uploaded, use your FTP program to rename it to .htpasswd.

2. Work out .htpasswd path

Now, we need to know what the absolute file path to the .htpasswd file is, because we have to enter that in the .htaccess file. The easiest way to do this is by using the phpinfo() function.

Create a file called info.php and insert the PHP function phpinfo(); into it. Upload this to your site’s root folder (the same folder as your wp-config.php file) and run it in your browser.

Near the end of the phpinfo() output, there’s a purple table headed “PHP Variables”. In this table there will be an entry for _SERVER[“DOCUMENT_ROOT”]. Mine looked like:


Based on this entry, I can see that the correct path for my .htpasswd file will be:


because it is one folder up from the site’s root folder.

Once you have noted down the path, delete the info.php file from your webspace because it can tell hackers a lot about your system and is therefore a security risk.

3. Amend .htaccess file

The .htaccess file in the root folder of your WordPress site will look something like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

You need to add the following lines to the end of the file, after the # END WordPress line:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/sites/
require valid-user

The text inside the quotes is the message you will be shown, so feel free to customise it a bit. Please note that the quotes must be standard double quotes, not the nice opening and closing quotes that WordPress sometimes replaces them with.

The AuthUserFile path is the path to the .htpasswd file that you determined earlier. Don’t just use mine!

When you’ve saved the updated .htaccess file, try things out by trying to browse to your site. You should find that your browser pops up a message box asking for username and password. If not, please go through each step of this article again and check your work.

NOTE: To remove the password protection, first remove the lines that you added to .htaccess, and then delete the .htpasswd file.
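A post-setup check for the three steps above, added here as an example and not part of the original article: it reads the site's .htaccess, confirms the four directives are present, and flags curly quotes in AuthName, a relative or in-web-root AuthUserFile, unhashed .htpasswd entries and a leftover info.php. The audit() function, the hash-prefix heuristic and the temporary site built in demo() are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Heuristic: prefixes of Apache's apr1, bcrypt and SHA-1 formats (legacy crypt() has none).
HASHED = ("$apr1$", "$2y$", "{SHA}")
CURLY = "\u201c\u201d\u2018\u2019"

def audit(docroot):
    """Return findings for the basic-auth setup in docroot/.htaccess."""
    docroot, found, conf = Path(docroot).resolve(), [], {}
    for line in (docroot / ".htaccess").read_text(encoding="utf-8").splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0][0] not in "#<":
            conf[parts[0].lower()] = parts[1].strip()  # names are case-insensitive
    required = ("authtype", "authname", "authuserfile", "require")
    found += [f"missing directive: {n}" for n in required if n not in conf]
    if any(ch in conf.get("authname", "") for ch in CURLY):
        found.append("AuthName uses curly quotes")
    userfile = Path(conf.get("authuserfile", "").strip('"'))
    if "authuserfile" in conf and not userfile.is_absolute():
        found.append("AuthUserFile is not an absolute path")
    elif "authuserfile" in conf:
        if docroot in userfile.resolve().parents:
            found.append("password file is inside the web root")
        if userfile.is_file():
            for entry in userfile.read_text().splitlines():
                user, _, secret = entry.partition(":")
                if entry.strip() and not secret.startswith(HASHED):
                    found.append(f"entry for {user} is not hashed")
    if (docroot / "info.php").exists():
        found.append("info.php is still in the web root")
    return found

def demo():
    """Audit a constructed site twice: misconfigured, then as the article describes."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp).resolve()
        root = home / "public_html"
        root.mkdir()
        def write(pwfile, entry, quotes):
            pwfile.write_text(entry + "\n")
            (root / ".htaccess").write_text(
                f"AuthType Basic\nAuthName {quotes[0]}Restricted Area{quotes[1]}\n"
                f"AuthUserFile {pwfile}\nrequire valid-user\n", encoding="utf-8")
        (root / "info.php").write_text("<?php phpinfo();")
        write(root / ".htpasswd", "bumble:beehive", "\u201c\u201d")  # constructed bad case
        bad = audit(root)
        for stale in ("info.php", ".htpasswd"):
            (root / stale).unlink()
        write(home / ".htpasswd", "bumble:$apr1$constructed$placeholderhash", '""')
        return bad, audit(root)
```

Run audit() against the real site root after uploading the files; an empty list means none of the listed mistakes were found.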


  1. On 28 Sep 2014 at 18:08, Andrew said:

    Great tweak. I will try this. Thanks for the share mate!


  2. On 12 Oct 2014 at 11:16, Faraaz said:

    thanks a lot for the article..! :)

  3. On 21 Oct 2014 at 05:59, Matt said:

    Thank you, worked great!

  4. On 26 Oct 2014 at 05:13, Sites de compras said:

    Thanks, I was looking for this information!

  5. On 05 Nov 2014 at 15:27, Keri Rice said:

    Wow cool stuff. Thanks for sharing. Definitely trying this out.

  6. On 07 Dec 2014 at 10:41, Cetak Baju said:

    Just the right time! Thanks a lot for the great info.

  7. On 29 Dec 2014 at 06:29, Brenda Hayes said:

    Thanks a lot for this post it’s very informative, useful and helpful.

  8. On 22 Aug 2018 at 21:32, Michael said:

    How would you go about securing just the wp-login.php file?

  9. On 25 Sep 2018 at 18:54, Raquel said:

    This was really helpful! Thanks!

  10. On 01 Nov 2018 at 18:09, ZigPress said:

    Michael, you could use the WPS Hide Login plugin for that.
