WPLift is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission.

How to Use .htaccess to Restrict Access to All or Parts of WordPress

Last Updated on December 3rd, 2018

Published on May 1st, 2017

Share This Article

You probably created your WordPress site because you want people to see it. But that doesn’t mean you want people to see every single thing! That is, there are plenty of valid reasons to restrict access to all or parts of your WordPress site.

Beefing up security, creating a private staging site, restricting sensitive content…you need to do it sometimes. But how? Well, one simple way is to use your .htaccess file to restrict access to parts of your WordPress site. And in this post, I’m going to show you two quick ways you can use your .htaccess file to limit access to certain content.

Let’s dive in…

What’s the Benefit of Restricting WordPress With .htaccess?

.htaccess gives you a ton of flexibility for restricting access to all or parts of your site. If you just want to beef up your security, you can use .htaccess to restrict access to your dashboard and login page to prevent unauthorized users from accessing sensitive areas of your site.

Or, if you’re creating a development site that you don’t want the public to be able to access, you can fully restrict access to your site to keep your development site away from prying eyes.

You also have a few different methods of restricting access, which is nice. You can either restrict by IP addresses or add a separate username/password combination using something called a .htpasswd file.

Where Can You Find Your WordPress Site’s .htaccess File?

Your .htaccess file, short for Hypertext Access file, is located in the root directory of your WordPress site. That is, the same folder which contains folders like wp-admin and wp-config.php.

You can access it in a couple ways:

  • Via cPanel File Manager
  • Via your FTP program of choice

My personal favorite is to use File Manager because you’re only working with one or two files. To use File Manager, just find the File Manager option in cPanel:

how to use htaccess and wordpress together

Article Continues Below

Then, make sure you select the domain for which you want to make .htaccess changes:

Then, you just need to click on your .htaccess file and click the Edit button:

Ok, let’s get into the actual edits you need to make in order to use .htaccess to restrict access to your WordPress site!

Back Up Before You Start

I cannot stress this enough – the .htaccess file can be a finicky beast. It’s one of those things where if you edit the wrong line of code, you can completely break your site. Don’t worry too much – but definitely save an unedited copy of your .htaccess file before you go about making any changes.

Worst comes to worst, you can always upload this clean version if anything goes haywire. Your site will be instantly back to normal!

Restrict Access to WordPress Based on IP Address

Did you backup? I know I told you to above. But I’m just checking in one more time to remind you. Back up your original .htaccess file now!

Ok, now that you’re all backed up, let’s get into how to restrict access by IP address.

When Is It a Good Idea to Restrict By IP Address?

The IP address restriction is a great idea if only you or a couple of people need access to the content and you have a relatively static IP address.

Article Continues Below

If your IP address changes every day or you constantly need to give new people access…this method is going to get annoying real quick.

In that case, it will be easier for you to use the .htpasswd method that I’ll lay out next.

What Happens When You Restrict by IP Address?

When you add IP address restrictions to your .htaccess file, anyone who tries to access restricted content without an authorized IP address will see this:

People with authorized IP addresses will see the normal content, though.

How to Restrict By IP Address

Assuming this method fits your needs, all you need to do is add a short snippet to the top of your .htaccess file. I’ll give you a few examples depending on what you want to restrict. For all of these examples, you’ll need to replace the example IP address with your actual IP address.

To restrict access to your entire site, add the following code snippet:

order deny,allow
deny from all
allow from

Remember – this is your entire site. So you really should only use this for development sites or sites that you don’t want the public to have any access to.

To restrict access to just your wp-admin, add the follow code snippet:

Article Continues Below

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^42\.114\.178\.163$
RewriteRule ^(.*)$ - [R=403,L]

This is a great method to secure your site because it ensures the only people with access to your wp-admin are users with authorized IPs.

Need to allow multiple IP addresses? That’s easy – just add another IP address to a new line. For example, to allow two IP addresses access to your wp-admin, you just add a new line like this:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^42\.114\.178\.163$
RewriteCond %{REMOTE_ADDR} !^43\.114\.178\.163$
RewriteRule ^(.*)$ - [R=403,L]

How to Restrict Access to WordPress With .htpasswd

If you have a regularly changing IP address or need to grant access to tons of different people, using .htpasswd gives you more flexibility for restricting your site. With .htpasswd, users will need to enter a specific username/password before they can access your restricted content.

It looks something like this:

And if a user enters an incorrect username/password combination, they’ll see an error like this:

But as long as the password is entered properly, users will see your content like normal.

How to Restrict Access With .htpasswd File

To use the .htpasswd file, you need to do a few things:

  • Create a new .htpasswd file using Notepad
  • Add your username/password combinations (after encoding them with a free tool)
  • Upload that file to the same folder as your .htaccess file
  • Add some code to your .htaccess file to make it use the .htpasswd file

So, get started by creating a new file in Notepad (or a similar text editor) and saving it as .htpasswd. If you’re using Notepad, make sure you choose the All Files option when you save the file:

how to use htpasswd and wordpress

Then, head to the Htpasswd Generator site to generate an encoded version of your password/username:

And add that code to your .htpasswd file. If you need to add multiple usernames/passwords, make sure to add each one on a separate line:

Once you’ve added your encoded usernames/passwords and saved your .htaccess file, upload it to the same folder as your .htaccess file. You can either do this via File Manager or your FTP program.

Then, you just need to add a code snippet to your .htaccess file telling it what you want to restrict. Again, I’ll give you two different examples. For both of these examples, you need to make sure to specify the full path to your .htpasswd file. You can find the full file path at the top of File Manager:

To restrict access to your entire site, add the following code snippet:

AuthType Basic
AuthName "My Protected Area"
AuthUserFile /home/crn001/public_html/colinstest.website/.htpasswd
Require valid-user

To restrict access to just your wp-admin login page, add the follow code snippet:

<Files wp-login.php>
AuthType Basic
AuthName "My Protected Area"
AuthUserFile /home/crn001/public_html/colinstest.website/.htpasswd
Require valid-user

Wrapping Things Up

While you can probably find plugins that offer similar restrictions, .htaccess is pretty easy to use, even if you’re a beginner, and that means one less thing that can break on your site!

Do you have any extra .htaccess tips for WordPress users? This post is by no means comprehensive, so I’d love if you shared any tricks you have in the comments.

Stay informed on WordPress

Every Friday you’ll receive news, tutorials, reviews, and great deals from the WordPress space.

Invalid email address
Colin Newcomer is a freelance writer and long-time Internet marketer. He specializes in digital marketing, WordPress and B2B writing. He lives a life of danger, riding a scooter through the chaos of Hanoi. You can also follow his travel blog.