Oct 18, 2008 - Wordpress    42 Comments

Password protect sub-directory in wordpress by htaccess


Recently a Canadian client of mine told me to look at an interesting wordpress problem. I regularly develop wordpress theme for him. He is a great artisitic designer of wordpress theme and I code theme to HTML & CSS. Whatever, my client told me that he wants to password protect a sub-directory “download”. He has done it from cPanel. He also created a user and permitted that user in that sub-directory. But it was not working.

Befoer I start, I want to clear that in this case wordpress was installed in root directory. One more thing is in this post i cannot write “.” and “htaccess” together. May be this is a security issue. If I write “.” and “htaccess” together, the post is not saved and I get a 404 error. So, I have written (dot)htaccess instead. Again, (dot)htpasswds instead of “.” and “htpasswds” together.

So I logged in to the cPanel to check what is happening actually. I found that whenever you password protect a sub-directory from cPanel, a new (dot)htaccess file will be created in that sub-directory. And the content of the (dot)htaccess file is less or more like as follows:

And your password that you set from the cPanel will be encrypted and saved in a file (dot)htpasswds in the AuthUserFile location.

If this was not a wordpress site or it was a wordpress site (but custom Permalink not used; rather the Default used), you should not face problem in most cases. But when you use customized Permalink in wordpress to create beautiful links and try to protect a password, the password protection from cPanel does not work!

But do you know why? Here is the reason: in the root directory you installed wordpress and here there is a (dot)htaccess file. The settings in this file and the (dot)htaccess in your sub-directory (for example root_directory/download/(dot)htaccess) do not smoothly match with each other with since you are using Permalink plug-in to customize your URLs.

So, when you try to go to: http://www.yoursitename.com/download wordpress think that it is a post or page!

WordPress think this because you have enables permalink and this is quite correct and logical. But you know your download sub-directory is not a post but a folder/directory in the root folder. So, you need to do something so that wordpress does not confuse the following link as a post or page.

Here is the solution:
1. Open the (dot)htaccess file in http://www.yoursitename.com/(dot)htaccess
2. Find out the line # BEGIN WordPress
3. Just before this, add the following three lines:

4. Save the (dot)htaccess file and upload in your root or installation directory.

Now go to http://www.yoursitename.com/download and check if it works. If everything is OK, you should get a prompt asking for a username and password that you set from the cPanel.

Here is my example:
Sub-directory download password protected: http://www.tanzilo.com/download
Permalink smoothly working: http://www.tanzilo.com/2008/10/18/password-protect-sub-directory-in-wordpress-by-htaccess/

Or you may install a shopping cart in location as in:

This should work smoothly too as you see my example here:

Although there is an application/software in the shop sub-directory, wordpress no more thinks it a post or page!

Thus, you can set (dot)htaccess, password protected sub-directory (i.e. /download/) and any other sub-directory (i.e. /shop/) in such a way that they will be living in happiness in the same home!

The last interesting thing is this solution is sometimes helpful in Drupal and in some other applications where (dot)htaccess and URL rewriting code do not fit together.

Thanks for reading.


  • I have been searching on the net for directory and end up visiting your site. I really like the posts here, especially this one regarding ord protect sub-directory in wordpress by htaccess – Learning Is Fun. I already bookmarked your site and sure visit again.

  • Very useful post. where can i find more articles no this subject ?

  • Genius, thanks for helping me to stop pulling my hair out

  • nice blog!! I really liked this blog.your post are good trip for me Thanks for sharing (:

  • With WordPress v2.6 and older locking a sub directory like wp-admin worked with no issues. It’s only 2.7 and later that it’s broke. I don’t totally understand what the code is doing, but it works. 🙂

  • Thank you so much for taking the time to post this you saved me a huge headache. You’re awesome.

  • Thanks for sharing………informative……I like you layout…..itz cool man.

    Could you please refer any forum that I can get few different plugins.

  • @ tiherp

    You are always welcome.

    The most wordpress plugin resources are here:

    And you may also find many other free and commercial plugins by Google search.

  • Great! Thanks! :^)

  • Hello!
    Very Interesting post! Thank you for such interesting resource!
    PS: Sorry for my bad english, I’v just started to learn this language 😉
    See you!
    Your, Raiul Baztepo

  • Thanks for the useful information!

  • You are a legend my friend. I am so thankful. You have saved me hours and hours worth of headaches. Thank You!!!

  • Very Useful Resource. Very well explained.

  • Brilliant, i did wonder if it was due to the htaccess in the WP root, you’re a star thanks for the post.

  • This is exactly what I was looking for! I searched for hours trying to find a solution that WORKED. Your does. Brillant!

  • Superb !!!! Helped me a lot

  • Life saver…..I repeat…..LIFE SAVER! Thank you for this.

  • I spent a long time tinkering with apache until i realised the problem was wordpress! Thanks for the info.

  • I have no idea HOW that works, but it does. THANK YOU! 🙂

  • tnx, so good

  • works perfectly thank you 🙂

  • Just listened to a webinar that explained how to protect directories so this article was great.

  • Awesome hack man! I was struggling with my hosting provider to create password protected folders, which they said cannot be done when wordpress is installed in root. Your trick has just done the job perfectly.

    Thanks man!

  • Things worked fine till password level but I was unable to view images inside the HTML pages. I was trying to protect folder, which contains few html files.

  • Absolute champion. Thank you for sharing that. This issue with WordPress and password protected subdirectories was driving me crazy. Aaron

  • thanx a done dude u saved the day for me …. brilliantly explained bookmarked!!!!

  • Superb fix, million thx!!

  • works perfectly thank you !

  • Thanks for the great post! It helped me get the user/pass entry to show up, but when I enter the credentials, I still get the 404 page! So close!

    Any advice on that?

  • Thanks for the great post!Works perfectly thank you !

  • Thanks for the free post!I like it so much.And it is very wonderful and powerful.It’s important for me.Thanks so much!

  • That was an excellently written essay, thank you so much.

  • Great…… why couldn’t I find this information two days ago?

    Thanks for a great explanation and solution to the problem I had on creating the password protected directory in WordPress.

  • Thank you for this! Was exactly what I was looking for…

  • Did the trick! Thanks so much

  • Very usefull information, I was looking for the same type of solutions to protect some files to get accessed by guest users on my blog.

    Thanks for sharing the information

  • Thanks, it worked! After looking a lot around the web I found your post! Thank you very much!!! Save my day!

  • Very nice post

  • Thank you for the helpful post!

  • Thanks for looking into this and resolving the issue. So heres my next question to go with it. How does one go about setting up custom error pages with this so when someone provides the wrong credentials they get an error page instead of the standard 401 error page. Placing a 401.php file in the root is not working.

    This trick seems to mean that I am going to need to place the error file in the root of each directory since the error path now includes %{REQUEST_URI}.


    Any tips?

  • Subscribed

  • Thanks,

    I was looking for a solution for this problem of password protecting wordpress directories.
    It helped a lot


Got anything to say? Go ahead and leave a comment!