You probably created your WordPress site because you want people to see it. But that doesn’t mean you want people to see every single thing! That is, there are plenty of valid reasons to restrict access to all or parts of your WordPress site.

Beefing up security, creating a private staging site, restricting sensitive content…you need to do it sometimes. But how? Well, one simple way is to use your .htaccess file to restrict access to parts of your WordPress site. And in this post, I’m going to show you two quick ways you can use your .htaccess file to limit access to certain content.

Let’s dive in…

What’s the Benefit of Restricting WordPress With .htaccess?

.htaccess gives you a ton of flexibility for restricting access to all or parts of your site. If you just want to beef up your security, you can use .htaccess to restrict access to your dashboard and login page to prevent unauthorized users from accessing sensitive areas of your site.

Or, if you’re creating a development site that you don’t want the public to be able to access, you can fully restrict access to your site to keep your development site away from prying eyes.

You also have a few different methods of restricting access, which is nice. You can either restrict by IP addresses or add a separate username/password combination using something called a .htpasswd file.

Where Can You Find Your WordPress Site’s .htaccess File?

Your .htaccess file, short for Hypertext Access file, is located in the root directory of your WordPress site. That is, the same folder that contains the wp-admin folder and the wp-config.php file.

You can access it in a couple ways:

  • Via cPanel File Manager
  • Via your FTP program of choice

My personal favorite is to use File Manager because you’re only working with one or two files. To use File Manager, just find the File Manager option in cPanel:

Then, make sure you select the domain for which you want to make .htaccess changes:

Then, you just need to click on your .htaccess file and click the Edit button:

Ok, let’s get into the actual edits you need to make in order to use .htaccess to restrict access to your WordPress site!

Back Up Before You Start

I cannot stress this enough – the .htaccess file can be a finicky beast. It’s one of those things where if you edit the wrong line of code, you can completely break your site. Don’t worry too much – but definitely save an unedited copy of your .htaccess file before you go about making any changes.

Worst comes to worst, you can always upload this clean version if anything goes haywire. Your site will be instantly back to normal!

Restrict Access to WordPress Based on IP Address

Did you back up? I know I told you to above. But I’m just checking in one more time to remind you. Back up your original .htaccess file now!

Ok, now that you’re all backed up, let’s get into how to restrict access by IP address.

When Is It a Good Idea to Restrict By IP Address?

The IP address restriction is a great idea if only you or a couple of people need access to the content and you have a relatively static IP address.

If your IP address changes every day or you constantly need to give new people access…this method is going to get annoying real quick.

In that case, it will be easier for you to use the .htpasswd method that I’ll lay out next.

What Happens When You Restrict by IP Address?

When you add IP address restrictions to your .htaccess file, anyone who tries to access restricted content without an authorized IP address will see this:

People with authorized IP addresses will see the normal content, though.

How to Restrict By IP Address

Assuming this method fits your needs, all you need to do is add a short snippet to the top of your .htaccess file. I’ll give you a few examples depending on what you want to restrict. For all of these examples, you’ll need to replace the example IP address with your actual IP address.

To restrict access to your entire site, add the following code snippet:

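# Apache 2.2 syntax; Apache 2.4 accepts it only when mod_access_compat is loaded
order deny,allow
deny from all
# Replace with your own IP address
allow from 42.114.178.163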

Remember – this is your entire site. So you really should only use this for development sites or sites that you don’t want the public to have any access to.

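To restrict access to just your wp-admin, add the following code snippet:

<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login page, or wp-admin and everything beneath it
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# Note: this also covers /wp-admin/admin-ajax.php, which some themes and plugins call for regular visitors
# Only act when the visitor's IP is NOT the allowed one (put your own IP address here)
RewriteCond %{REMOTE_ADDR} !^42\.114\.178\.163$
# Answer with 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

This is a great method to secure your site because it ensures the only people with access to your wp-admin are users with authorized IPs.

Need to allow multiple IP addresses? That’s easy – just add another IP address on a new line. Each of these lines says “not this IP”, and a visitor is only blocked when all of them are true, so anyone coming from one of the listed addresses gets through. For example, to allow two IP addresses access to your wp-admin, you just add a new line like this:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# One negated line per allowed IP address
RewriteCond %{REMOTE_ADDR} !^42\.114\.178\.163$
RewriteCond %{REMOTE_ADDR} !^43\.114\.178\.163$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>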
</IfModule>
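
How the RewriteCond lines combine, as an added Python example that is not part of the original post: conditions are ANDed unless flagged [OR], and a leading `!` negates the match. The evaluator, the sample requests and the 198.51.100.7 address are constructed for illustration; it also compares a pattern anchored as `wp-admin$` with one that covers paths beneath wp-admin.

```python
import re

def blocked(conds, uri, remote_addr):
    """True when the whole RewriteCond chain matches, so the RewriteRule sends 403.
    conds: (variable, pattern, or_next) tuples in file order. A leading "!"
    negates the pattern; conditions are ANDed unless flagged [OR] (or_next).
    """
    values = {"REQUEST_URI": uri, "REMOTE_ADDR": remote_addr}
    group_ok = False                      # result of the current OR-group
    for var, pattern, or_next in conds:
        negate = pattern.startswith("!")
        regex = pattern[1:] if negate else pattern
        hit = re.search(regex, values[var]) is not None
        group_ok = group_ok or (hit != negate)
        if not or_next:                   # group ends here; groups are ANDed
            if not group_ok:
                return False
            group_ok = False
    return True

def rule(admin_pattern):
    """The two-IP rule from the post, with the wp-admin pattern as a parameter."""
    return [
        ("REQUEST_URI", r"^(.*)?wp-login\.php(.*)$", True),   # [OR]
        ("REQUEST_URI", admin_pattern, False),
        ("REMOTE_ADDR", r"!^42\.114\.178\.163$", False),
        ("REMOTE_ADDR", r"!^43\.114\.178\.163$", False),
    ]

NARROW = rule(r"^(.*)?wp-admin$")        # only URIs ending in "wp-admin"
WIDE = rule(r"^(.*)?wp-admin(/.*)?$")    # wp-admin and everything beneath it

# Constructed sample requests (path, client IP); 198.51.100.7 is not on the allow list
SAMPLES = [
    ("/wp-login.php", "43.114.178.163"),
    ("/wp-login.php", "198.51.100.7"),
    ("/wp-admin", "198.51.100.7"),
    ("/wp-admin/options.php", "198.51.100.7"),
    ("/wp-admin/options.php", "42.114.178.163"),
    ("/2017/05/hello-world/", "198.51.100.7"),
]

def report(conds):
    """Outcome per sample request: '403' if the rule fires, else 'pass'."""
    return [(u, ip, "403" if blocked(conds, u, ip) else "pass") for u, ip in SAMPLES]

if __name__ == "__main__":
    for name, conds in (("wp-admin$", NARROW), ("wp-admin(/.*)?$", WIDE)):
        print(name, *report(conds), sep="\n  ")
```

With the `wp-admin$` pattern, `/wp-admin/options.php` from an unlisted IP is not matched by the rule at all; with `wp-admin(/.*)?$` it gets the 403.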

How to Restrict Access to WordPress With .htpasswd

If you have a regularly changing IP address or need to grant access to tons of different people, using .htpasswd gives you more flexibility for restricting your site. With .htpasswd, users will need to enter a specific username/password before they can access your restricted content.

It looks something like this:

And if a user enters an incorrect username/password combination, they’ll see an error like this:

But as long as the password is entered properly, users will see your content like normal.

How to Restrict Access With .htpasswd File

To use the .htpasswd file, you need to do a few things:

  • Create a new .htpasswd file using Notepad
  • Add your username/password combinations (after encoding them with a free tool)
  • Upload that file to the same folder as your .htaccess file
  • Add some code to your .htaccess file to make it use the .htpasswd file

So, get started by creating a new file in Notepad (or a similar text editor) and saving it as .htpasswd. If you’re using Notepad, make sure you choose the All Files option when you save the file:

Then, head to the Htpasswd Generator site to generate an encoded version of your password/username:

And add that code to your .htpasswd file. If you need to add multiple usernames/passwords, make sure to add each one on a separate line:

Once you’ve added your encoded usernames/passwords and saved your .htpasswd file, upload it to the same folder as your .htaccess file. You can either do this via File Manager or your FTP program.

Then, you just need to add a code snippet to your .htaccess file telling it what you want to restrict. Again, I’ll give you two different examples. For both of these examples, you need to make sure to specify the full path to your .htpasswd file. You can find the full file path at the top of File Manager:

To restrict access to your entire site, add the following code snippet:

AuthType Basic
AuthName "My Protected Area"
AuthUserFile /home/crn001/public_html/colinstest.website/.htpasswd
Require valid-user

To restrict access to just your wp-admin login page, add the following code snippet:

<Files wp-login.php>
AuthType Basic
AuthName "My Protected Area"
AuthUserFile /home/crn001/public_html/colinstest.website/.htpasswd
Require valid-user
</Files>

Wrapping Things Up

While you can probably find plugins that offer similar restrictions, .htaccess is pretty easy to use, even if you’re a beginner, and that means one less thing that can break on your site!

Do you have any extra .htaccess tips for WordPress users? This post is by no means comprehensive, so I’d love if you shared any tricks you have in the comments.


Colin Newcomer is a freelance writer and long-time Internet marketer. He specializes in digital marketing, WordPress and B2B writing. He lives a life of danger, riding a scooter through the chaos of Hanoi. You can also follow his travel blog.


3 Comments

  1. Nice ideas, but the only people who would understand most of this are people who already know it.

    It is absurd suggesting someone “just add” a line including RewriteCond %{REMOTE_ADDR} !^42\.114\.178\.163$ without explaining what it means, how it works or even something as basic as “you need to put your own IP address here”.

    If people follow your advice I hope they keep that backup handy.

  2. Hi
    When you protect a single page with a password on a normal WP site, it’s still possible to see an image from that page if someone is receiving a direct-link to the image …. will “To restrict access to your entire site” help solve this problem??

    Thanks from Copenhagen

    //Lars
