WordPress and Password Protected Directories

I think I just solved an issue with WordPress Permalinks and password protected directories that use Apache’s .htaccess. Here’s the problem in detail. I have WordPress installed on the root of my domain. Under that domain, I have a directory that I want password protected using .htaccess. It’s just a directory containing a few PHP scripts. Every time I try to access the password protected directory, I get a 404 page missing error. WordPress is confused thinking the directory is a post or a page. Since it’s not, it generates a 404 error instead.

The workaround for this is to place a couple of error codes at the top of the .htaccess to pre-empt the WordPress .htaccess rules. There are a couple of scenarios. If there is 401 situation, an authentication in this case, it will send the user to the error document which is just a blank html file. The WordPress permalinks rule never gets processed or is ignored. If there is a 403 error code, a forbidden situation in this case, it will send the user to that error document as well.

Here is the working .htaccess file. You will see the two error code rules at the top of the file. Underneath, you will see the standard WordPress permalinks rules.

ErrorDocument 401 ./blank.html
ErrorDocument 403 ./blank.html
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Simple fix. Thanks to aiso.net.

8 thoughts on “WordPress and Password Protected Directories

  1. This is a good tip, but I must be missing something here, because if you send the 401 and 403 errors to a blank page, you will still not get to your login page. Instead of going to the blank page, set your error documents to the login page.

    1. Hi Jim,
      I know it can be confusing. Just think of the blank pages as holding pages whenever there is an authentication or a forbidden case. Without the blank page redirect, you’ll never see the authentication login page because the .htaccess rules for WordPress will take effect causing a Page Not Found or 404 error. With the error codes in place, the user is sent to the blank page, then authentication login page comes up thereafter.

  2. I understand now. When you go to the blank page the login box pops up. Thank you for clarifying that. I was thinking along the lines of a PHP driven login instead of .htaccess. In that case you would redirect to a login page as described above. Either one will work. The blank.html page could even have ads on it to give people someplace to go. Lots of things you can do with it.

  3. This is the simplest and most effective method. Just add two lines of code and solve the problem. Thanks for this beautiful solution.

  4. What if you have a password protected sub directory
    i.e. /members
    and you have a WordPress page that with the permalink is the same
    My question: How can you password protect a sub dir while being able to update it’s content with WordPress? I am having problems getting the page to display after I login. I have a physical directory /members which is .htaccess and .htpasswd protected but my page on WordPress never displays once I login. Thanks!

  5. I’m having the same problem. My wordpress site is in a sub directory, and the login page won’t show. I just get a “Page Not Found”. The password protection works fine for accessing the site.

Comments are closed.