Wordpress Security

How to Password Protect A WordPress Site/Post – Easy Ways

WordPress Password Protection

WordPress is the most popular content management system in the world and has given exposure to millions of blogging websites. It is one of the simplest and most reliable platforms to start up your business with. But WordPress security is a major concern for all business owners nowadays.

Around 90,000 hack attempts are made every day on WordPress websites, which is a huge count. Whether it is a smart hacker or a bad player trying to take over complete access to your website, there are several methods to break into a WordPress site.

Here’s what you can do about adding password protection to your site. (1) Password protect your entire site, (2) password protect a specific post or page, (3) hide part of a post that would otherwise be public.

In this guide, you will learn how to password protect a WordPress site, how to protect a WordPress page with a password, and how to protect the site from unauthorized access and prevent WordPress hacking. We will see how to protect WordPress with a password so that the platform is 100% private.

Why protect WordPress with a password?

There are multiple reasons why protecting WordPress with a password is a good idea. For example, imagine that instead of making changes on a local server or a development server, for convenience, you want to implement them directly on the final hosting of the website.

So that visitors do not see the website while it is being worked on in production, you can choose to protect it with a password so that only you can enter.

Or imagine that your website belongs to a private club, and you only want the content of the website to be shown to those who have a password provided by its administrator. For this, we would also need to protect WordPress with a password.

These are only two cases, but there are a thousand more reasons:

  • Private stores,
  • Maintenance reasons,
  • Outages due to the website being hacked, and so on.

In this tutorial, we will show you how to protect your WordPress with a password so that only you can access it.


Password Protect a WordPress Page

You can password protect a WordPress page so that the general public cannot see it. This will prevent most Internet users from easily finding it or viewing its content.

However, this method does not prevent the page from being indexed by search engines. It also does not encrypt the content of the page. Therefore, you should not use this method for page content that you absolutely must keep private.

To password protect a WordPress page, follow these steps:

  • Log in to WordPress as an administrator.
  • Under Dashboard, click Posts, then click Add New.
  • Write your message.
  • Under Publish, next to Visibility, click Edit. The visibility options for the post are displayed.
  • Click Password Protect.
  • In the Password text box, type a password.
  • Click OK, then click Publish. Now when visitors navigate to the page URL, they must enter the correct password to view its content.


How to password protect WordPress site with htpasswd

With Basic HTTP authentication (aka htpasswd protection), you can add an extra layer of password protection before people can even load your site, which is why it’s a great option for development sites.

To set up htpasswd protection, create a file named .htpasswd in any text editor and store it in the directory that is to be protected or that contains the file to be protected. In the .htpasswd file you enter the username and the password in encrypted form (md5, sha1 or crypt). It is best to use a generator to generate this coded password.

For example, for a user named mysite, the .htpasswd file looks like this:

mysite:$apr1$MvhtEwWO$.Ro5NOQNw9tAtZns8UOl20

Once activated, your WordPress site will require authentication to access it. You can change the credentials at any time or turn them off when you no longer need them.
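To see which of these formats an existing .htpasswd file actually uses, the following added example (not part of the original article) classifies each entry by its hash prefix and grades it. Only the first sample line comes from this page; the other users and hash strings are constructed placeholders, and the function names and grading labels are assumptions of the example.

```sh
#!/bin/sh
# Added example: grade each entry of an .htpasswd file by its hash scheme.

# Map the hash field of one entry to a scheme name, using the prefixes
# documented for Apache and Nginx password files.
classify_hash() {
  case "$1" in
    '')                      echo "empty" ;;
    '$2y$'*|'$2a$'*|'$2b$'*) echo "bcrypt" ;;
    '$apr1$'*)               echo "apr1-md5" ;;
    '{SHA}'*)                echo "sha1-unsalted" ;;
    '{SSHA}'*)               echo "sha1-salted" ;;
    '{PLAIN}'*)              echo "plaintext" ;;
    *) # traditional crypt() output is always 13 characters long
       if [ "${#1}" -eq 13 ]; then echo "des-crypt"; else echo "unknown"; fi ;;
  esac
}

# Grading used by this example: the htpasswd manual describes -s (SHA) and
# -d (crypt) as insecure and -B (bcrypt) as secure.
verdict_for() {
  case "$1" in
    bcrypt)                            echo "ok" ;;
    apr1-md5|sha1-salted)              echo "legacy" ;;
    sha1-unsalted|des-crypt|plaintext) echo "weak" ;;
    *)                                 echo "review" ;;
  esac
}

# Read "user:hash" lines on stdin and print "user scheme verdict" per entry.
audit_htpasswd() {
  while IFS=: read -r user hash || [ -n "$user" ]; do
    case "$user" in ''|'#'*) continue ;; esac   # skip blanks and comments
    scheme=$(classify_hash "$hash")
    printf '%s %s %s\n' "$user" "$scheme" "$(verdict_for "$scheme")"
  done
}

# Sample input: line 1 is the entry shown on this page; the remaining users
# and hash strings are constructed placeholders, not real credentials.
SAMPLE_HTPASSWD='mysite:$apr1$MvhtEwWO$.Ro5NOQNw9tAtZns8UOl20
editor:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
backup:abJnggxhB/yWI
deploy:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234'

printf '%s\n' "$SAMPLE_HTPASSWD" | audit_htpasswd
```

Run it against a real file with `audit_htpasswd < /path/to/.htpasswd`; entries graded weak or legacy can be regenerated with `htpasswd -B`, keeping in mind that Nginx verifies bcrypt only where the system crypt() supports it.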


How to Password Protect a WP Directory

  • If you need a simple post or a password protected page, you can take advantage of the built-in WP functionality. You don’t need any plugin for this.
  • Go to the post or page for which you want to enable a password.
  • In the publish section, click Edit next to visibility: Public
  • Select Password protected and enter the password.

  • Click OK and you are ready to go!

cPanel

If you are on shared hosting, then you will probably have cPanel. The good news is that cPanel offers a utility called Directory Privacy; from there you can set a password for the directory.


Log into cPanel

  • Find Directory Privacy
  • Select the folder you want to protect. From there select a folder called given username, which is under public_html
  • Create the user who must be authorized and save
  • When finished you will notice that the folder has a lock
  • And that’s all. The directory is now password protected.

Configure Nginx password authentication

Now that we have a file with our users and passwords in an Nginx readable format, we need to configure Nginx to verify this file before delivering our protected content.

First, open the server block configuration file to which you want to add a restriction. For our example, we’ll use the default server block file installed through the Ubuntu Nginx package:

sudo nano /etc/nginx/sites-enabled/default

Inside, with the comments stripped out, the file should look like this:

/etc/nginx/sites-enabled/default

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name localhost;

    location / {
        try_files $uri $uri/ =404;
    }
}

To configure authentication, you must choose the context to restrict. Among other choices, Nginx allows you to set restrictions at the server level or at a specific location. In our example, we’ll restrict the entire document root with a location block, but you can modify this listing to only target a specific directory in the web space:

In this location block, use the auth_basic directive to enable authentication and choose a realm name to display to the user when requesting credentials. We will use the auth_basic_user_file directive to point Nginx to the password file we created:

/etc/nginx/sites-enabled/default

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name localhost;

    location / {
        try_files $uri $uri/ =404;
        # Prompt for credentials and check them against the password file
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}

Save and close the file when you are finished. Restart Nginx to implement your password policy:

sudo service nginx restart

The directory you specified should now be password protected.


Password Protect WordPress Files In Apache

Protecting folders or files accessible via HTTP with a password adds a layer of security on a web server. This can be done trivially with any content manager such as WordPress or Drupal; however, doing it directly in the web server (Apache, in this case) avoids running PHP and saves hardware resources. This is especially useful if you are trying to avoid a brute force attack.

Protecting files or directories with a password in Apache can be done either in the Apache global configuration files or using htaccess and htpasswd files. The second way is discouraged for performance and security reasons, so the first way is explained here, on an Apache 2.4 web server running on Debian Jessie.

The first way requires access to the Apache configuration files.

REQUIRED MODULES

In this case, access will be configured through a username and password, and these will be saved in a plain text file. For this we need the following Apache modules to be active:

mod_auth_basic

authn_file

mod_authz_user

authn_core_module

authz_core_module

In the Apache documentation, there is a description of the necessary modules if you want to enable access by hostname or IP or host the passwords in another way.

To check that the modules are active you can run:

apache2ctl -M

If one needs to be activated:

a2enmod module_name

Nginx

Let’s implement Basic Authentication in Nginx as follows.

We will take help from Apache Utils to generate the credentials. If Apache HTTP is not installed on the server, you need to install the utils separately as below. If in doubt, you can run htpasswd to see if it works.

CentOS / RHEL 8

dnf install httpd-tools

CentOS / RHEL 7

yum install httpd-tools

Ubuntu

apt-get install apache2-utils

Let’s create the credentials like we did in Apache.

htpasswd -c /etc/nginx/.htpasswd user1

Don’t forget to replace user1 with the real username you want

Next, we need to configure Nginx, so that it limits the particular URI with the password.

Suppose we need to protect /admin URIs.

Add the following in nginx.conf or any other active Nginx config file:

location /admin {
    auth_basic "Admin Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

Restart Nginx

What if you need to restrict the serving of the entire website through Nginx?

Easy!

Add the following in nginx.conf or in the active config file under the location / { directive:

auth_basic "Admin Area";
auth_basic_user_file /etc/nginx/.htpasswd;

Password protect WordPress post without Plugins

A functionality that often goes unnoticed in WordPress is the publication of password-protected posts or pages that can only be read by users who have the “master” key.

This option was integrated some time ago. Since then, many WordPress site administrators surely use it, but for many others it goes unnoticed and they resort to plugins, increasing the site load.

Applying passwords to posts and pages is a very simple process that will hardly take you more than a couple of seconds, either when you write the post or later, and it can be a solution for blogs or news websites that build customer loyalty through more exclusive publications.

Add a password to a post or page:
  • Access the WordPress dashboard.
  • Edit an existing post or page or create a new one.
  • In the right widget box Publish you will find several options.
  • Click Visibility.
  • By default, it is shown in Public.
  • Click Edit.
  • Check the Password Protected selector.
  • Click OK (just below that selector).
  • Click Update to save the changes.

After a post is protected with a password, a reader who opens it will see a warning and a field in which to type the password, if they have one.

Plugins To Password protect a section of WordPress post

There are plugins that will help you password protect only a particular section of a post. Here is a popular plugin that will help you deal with that.

Passster – Password protection Plugin

Finally, we will look at one of the easiest ways to password protect just a portion of an otherwise-public WordPress post. To set up this functionality, you can use the free Passster plugin. If you’re looking for options to partially protect your content, look no further. This plugin helps you protect parts of your WordPress posts using passwords and CAPTCHA. It generates shortcodes in which you can embed the content to be protected. For each shortcode, you can customize the title, instructional text, placeholder, and button text. The Passster plugin supports some of the popular page builder plugins like Elementor, Beaver Builder, etc.

Password protect WordPress Categories Plugins

The default option to password protect WordPress content can come in handy when your site’s content is minimal. However, it can get pretty painful if your site has a lot of content. In such a scenario, password protecting a category will be more effective. All posts in this category will have selective access in this way. Let’s see how you can password protect WordPress categories.

Access category password

This is a simple plugin that will help you restrict user access to posts based on the categories they are included in. The plugin allows you to specify the categories to be restricted and set a password. When users try to access the content or snippet, the plugin displays a form asking for the password. You can also set the text for the description of the feeds generated by WordPress.

In addition, the plugin allows you to give access to certain users without entering the password. You can also set a message informing users to use the password to access the content. You can also configure a message when users enter the wrong keyword. In addition, you can define whether the snippet of the content should be displayed or not. 

The plugin is relatively more secure because it uses PHP sessions instead of cookies to validate logged in users. In addition, the plug-in encrypts the password and filters the content of the normal stream to avoid displaying restricted content.

How to password protect your entire WordPress site

There is no default option on WordPress to protect the entire site with a password. You will need to use a third-party plugin to manage this on your site.

Now let’s take a look at two popular plugins that you can use to password-protect the entire WordPress site.

Form Locker

Used to Password Protect WordPress forms

The Form Locker addon WordPress plugin allows you to password protect your forms. This is ideal if you want to run a private survey, or restrict access to your contact form to only specific people.

How does it work?

When a user tries to access one of your protected forms, they will be prompted for a password before the form is displayed:

Schedule Your Form

You can also schedule when you would like your form to be accessible. For instance, you can make it so that the form is only available on a certain date and time:

Limit Submissions by IP Address

Make it so that each person can fill out the form one time. This option will limit submissions by IP address, which means that each person can only submit the form once unless they use a different computer or device.

Set Entry Limit

You can choose to limit the total number of entries you receive. For example, if you are running a giveaway and want to limit entries to 10 people:

Restrict Access by User Role

Restrict your forms so that they are only available to members (members-only site). You can choose which user roles have access:

Password protected WordPress Plugin

Type the name of the plugin (which as we have indicated is “Password Protected”) and press ENTER to start the search. If you have followed the steps to the letter, this plugin should appear as the first search result. Install it and activate it to be able to use it.

Once activated go to Settings >> Password protected to configure the plugin settings.

Once inside you will see that you have multiple options such as:

  • Activated: Indicates if we want to protect WordPress with a password or not
  • Protected permissions: Ideal to exclude administrator users, registered users, or reading by RSS.
  • New password: Here you will have to define the password by which you want to enter your WordPress from now on
  • Allowed IP addresses: Exclusions, but this time by IP.

If you have activated the “Activated” option, have provided a password and have pressed the Save changes button, when visiting the public part of your website, you will see a text box appear to insert a password.

This plugin offers a simple option to protect your entire WordPress site using a single password. It offers a login page similar to the WordPress login. So your users can enter the password and access the content on your site.

Please note that this plugin only protects the content generated by WordPress. This means that your image files can be accessed through the direct URL.

The plugin allows you to offer selective access to RSS feeds. Likewise, you can let site administrators access content without having to enter the password. In addition, you can also specify the IP addresses that you want to allow access without a password.

The plugin is quite easy to use and can be a simple solution to protect your WordPress site and allow selective access to it.

Password protect wp-admin using HTTP Authentication

HTTP Authentication is a technique that restricts access to your WordPress admin directory through an extra layer of protection. This means anyone who wants to access the login page has to pass through the http authentication. But how? In this article, we will tell you how to password protect your wp-admin with HTTP authentication.

For the security of your WordPress site with http authentication, firstly you must generate a .htpasswd file. And then you’ll need to provide the location of the .htpasswd file to the .htaccess file of your website. It will lock down your login page.


Commonly, you will find that the wp-admin login is password protected, which might give you a sigh of relief. But there is an attack called a Brute Force Attack, which uses bots to try to guess your login credentials, which is why you must protect your WordPress login page with an additional layer of security.

Creating .htpasswd file:

This file will contain the username and passwords for all the authorized users of your wp-admin directory. In order to create a new .htpasswd file, you have to give the following command:

htpasswd -c .htpasswd Harini

Open the command-line tool on your system and type the aforementioned command. In this command, -c stands for create and Harini is the username you choose. When you hit Enter, you’ll be prompted to create a password that should be unique to this username. Your password will be encrypted. This .htpasswd file is essentially your HTTP Basic Authentication credentials.

htaccess password generator

If you are unable to create this file, you can also use a .htpasswd generator.  Here are some tools that can be used to generate htaccess password file:

  1. Htpasswd Generator
  2. Web 2.0 Generators
  3. Dynamic Drive
  4. https://httpd.apache.org/docs/2.4/programs/htpasswd.html
  5. aspirine.org/htpasswd_en.html
  6. https://www.askapache.com/online-tools/htpasswd-generator/

While using .htpasswd generator, you have to add the username and password of your choice. It also allows you to generate a random password. Once done, hit the “Generate .htpasswd file” button. Thus, your file will be created in a few minutes.

Password protect WordPress with htaccess

This is the most important file of your WordPress site. It gives you access to the HTTP Basic Authentication credentials and thus helps you restrict access to specified persons. It is generally found in the public_html folder. In order to find it, follow these steps:

  1. Log in to your web host account and go to cPanel.
  2. Select the File Manager option in your cPanel.
  3. A window will open where you can easily find this file.
  4. If you are still unable to find the file, go back to cPanel and click on the File Manager.
  5. A popup will appear on your screen. Here you need to check the ‘Show Hidden Files’ option.
  6. Press the ‘GO’ button.
  7. When you are able to view the file, open it and add the following piece of code:

<Files wp-login.php>
AuthUserFile /path/to/.htpasswd
AuthName "Private access"
AuthType Basic
require valid-user
</Files>

AuthUserFile /path/to/.htpasswd: Make sure you provide the correct path to your .htpasswd file in place of ‘/path/to/.htpasswd’.

require valid-user: The ‘valid-user’ keyword tells Apache to grant access to the wp-login.php file to the users listed in the .htpasswd file. If you want to grant access to selected persons only, simply list the usernames you’d like to allow in place of ‘valid-user’.

For instance, if there are five persons with access to the .htaccess file, out of which you only want user01 to have permissions, then you will type:

Require user user01

Once you are done, save the file and upload it to the wp-admin directory. The next time anyone tries to access http://[yourdomain.com]/wp-admin, or tries to log in to the WordPress dashboard, the browser will prompt for authentication even before the admin login screen is loaded. That means they have to first authenticate with the Apache web server before accessing the WordPress dashboard login page.

Basic authentication over HTTPS is very easy to set up, yet an HTTP 500 error may arise in WordPress while trying to log in. This might be because some WordPress plugins use Ajax functionality. Such plugins might need access to the file ‘admin-ajax.php’, which is found in the wp-admin directory.

To allow access to this file so that the WordPress plugins can function, add the code below to the .htaccess file:

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

While you implement this HTTP Authentication, it is also important to keep WordPress updated to the latest version and to keep all WordPress plugins and themes updated. Keeping WordPress up to date is an important step in increasing the security of your WordPress site.


Protect wp-config.php

The most important file in any WordPress installation is the wp-config.php file. This file stores all database connection settings, including the database name, username, and password to access your database. This file also stores additional database, security, and other advanced settings. Thus, it is essential to restrict unauthorized access to the file.

WordPress security can be strengthened by changing some basic configuration settings. Here is the code which you need to add in your .htaccess file.

<files wp-config.php>
order allow,deny
deny from all
</files>

Limit Access to WordPress Admin Panel

If there are unauthorized attempts by hackers to break into your admin panel, you can grant admin access to specific IPs only. Create another .htaccess file by pasting the snippet below and upload it to the “www.yourwebsite.com/wp-admin/” folder.

# Limit logins and admin by IP
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 12.34.56.78
</Limit>

If someone else tries to log in to your website from an IP other than the ones above, the server will show an error connecting to the database.

Protect /wp-content/

Your WordPress site has two parts: wp-config.php and the wp-content/uploads/ folder. wp-content contains media files, the files of your themes and plugins, and cached files. That’s why this directory is the main target for smart hackers. In order to protect this directory, create a new .htaccess file and add the snippet below to it:

Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

Once you add this code to the .htaccess file, upload it to the “www.yourwebsite.com/wp-content/” folder. When you upload this file, it will only allow media files to be uploaded, including XML, CSS, JPG, JPEG, PNG, GIF, and JavaScript. All other file types will be denied.
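The snippets above use the Apache 2.2 directives Order, Allow, Deny and Satisfy, which Apache 2.4 accepts only through mod_access_compat. As an added example (not part of the original article), this script flags those directives in .htaccess text, including an Order argument that contains a space, and prints the Apache 2.4 Require form for each. The function name and output format are assumptions of the example, and the sample input is constructed from directives like those on this page, with one deliberately malformed Order line.

```sh
#!/bin/sh
# Added example: lint .htaccess text (stdin) for Apache 2.2 access directives.
# Output: "<line number>: <directive as written> => <Apache 2.4 suggestion>"

lint_htaccess() {
  awk '
    function report(msg) { printf "%d: %s => %s\n", NR, line, msg }
    {
      line = $0
      sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
      low = tolower(line)
    }
    # Order takes exactly one argument: no whitespace around the comma.
    low ~ /^order[ \t]+[a-z]+([ \t]+,|,[ \t]+)/ {
      report("invalid: remove the space inside the Order argument, or migrate to Require"); next
    }
    low ~ /^order[ \t]/ { report("legacy: drop it, Require needs no ordering"); next }
    low ~ /^deny[ \t]+from[ \t]+all$/  { report("Require all denied"); next }
    low ~ /^allow[ \t]+from[ \t]+all$/ { report("Require all granted"); next }
    low ~ /^allow[ \t]+from[ \t]+/ {
      split(line, f, /[ \t]+/)
      # Addresses and CIDR ranges map to "Require ip", names to "Require host".
      kind = (f[3] ~ /^[0-9]/ || f[3] ~ /:/) ? "ip" : "host"
      report("Require " kind " " f[3]); next
    }
    low ~ /^satisfy[ \t]+any$/ {
      report("use <RequireAny>, the default for sibling Require lines"); next
    }
  '
}

# Constructed sample: directives like those in this article; the Order line
# inside <Limit> carries a space after the comma on purpose.
SAMPLE_HTACCESS='# Limit logins and admin by IP
<Limit GET POST PUT>
order deny, allow
deny from all
allow from 12.34.56.78
</Limit>
<Files admin-ajax.php>
     Order allow,deny
     Allow from all
     Satisfy any
</Files>'

printf '%s\n' "$SAMPLE_HTACCESS" | lint_htaccess
```

Run it on a deployed file with `lint_htaccess < .htaccess` before moving a site to a server where mod_access_compat is not enabled.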

Protect Include-Only files

wp-includes contains everything required to run your WordPress website. Basically, it is the enclave of WordPress core files. While wp-content may define plugins and themes, the API itself and the vast majority of the WordPress core sit in that folder. This folder is strictly not to be accessed by any user, anonymous or otherwise. Therefore, if you want to block access to those files, add this snippet to your .htaccess file.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Disable Directory Browsing in WordPress

Any type of suspicious access to your WordPress directories may turn into a major security concern. To restrict this access, add the snippet below to your .htaccess file, and browsing of your directories will be disabled:

# disable directory browsing
Options All -Indexes

With that, we’ve reached the end of our guide to password protect WordPress in all kinds of ways. If you just need to restrict individual WordPress posts, you can use WordPress’ built-in password functionality. To password protect other parts of WordPress, however, you’ll need to use one of the third-party plugins I referenced above.

Need help? Make sure to perform a WordPress security audit too, and make sure your site is free from any kind of malware.
