There are plenty of reasons to password-protect the content on a WordPress site.
You might want to password-protect individual pages or the entire website because you only want it to be accessible to some people, like friends, or it is member-exclusive content. Another possible reason is to password-protect content on a website that is currently under development. Making a website still in the development phase publicly accessible can result in a bad user experience and also pose risks to website security.
In this tutorial, we will discuss different methods that you can use to password-protect a WordPress page or website.
Table of contents
How to password-protect a WordPress page or post
There are many different ways that you can follow to password-protect a WordPress page or post. You can do it natively, with a plugin, or using HTTP authentication. Let’s discuss each of these methods one-by-one.
Password protect a WordPress page natively
WordPress comes with the capability to password-protect the contents of a page or post built into it. Each post or page where you have password-protected content can have its own unique password. Visitors will only be able to see the contents of a protected page once they enter the correct password.
The settings to add password protection to a page are available through the admin dashboard. Therefore, our first step would be to log in to the WordPress admin dashboard.
After that, navigate to either Posts > All Posts to see a list of posts or Pages > All Pages to see a list of pages.
Hover over the post that you want to password-protect and then click the Edit button, as shown in the image above. This will open the post in the WordPress block editor.
The editor sidebar should have a Visibility setting under the Summary section. The visibility of a post is set to Public by default. These public posts are visible to everyone.
Click on the Public button, and it will open a popup where you can select Password Protected. You should now see a new input field where you can enter a strong password that users need to enter to view this post.
Save the changes for the visibility settings to take effect. You can do so by clicking the Update or Publish button available at the top. The Update button shows up in the block editor for existing WordPress posts. The Publish button is for new WordPress posts.
Anyone visiting this webpage now will be asked to enter the password before seeing its contents.
You might want to use a secure password that can’t be easily guessed using brute-force attacks. Brute force attacks are the type of attacks where the attackers rely on a trial and error approach to guess the username and/or passwords for an account.
Password protect a WordPress page using a plugin
There are plenty of plugins that you can use to enable password protection on published pages and posts of your WordPress website. These plugins usually provide some additional features not available natively in WordPress. For instance, they could allow you to have multiple passwords for a single page.
In this tutorial, we will use the PPWP — Password Protect Pages plugin to password-protect WordPress pages. This plugin will let you apply password protection based on user roles.
First, make sure that you have installed and activated the plugin. Then, open the post or page that you want to password-protect in the WordPress editor.
Scroll down a bit in the sidebar until you see the Password Protect WordPress section in the WordPress post editor. Set the role as global and enter a password in the Passwords field. Click the Submit button, and your post will now have password protection.
You can add multiple passwords for a single WordPress post or page. Just make sure that you only enter one password per line. This will allow you to provide different passwords to different users.
You can follow these same steps to have multiple password-protected pages on your website.
Visit the password-protected page in a browser, and you should see a basic form like the image above. The look and feel of the form will depend on the theme you are using.
However, you can change some aspects related to its appearance, such as the background color and font size, through the WordPress customizer.
You can find the plugin’s settings for styling the form by navigating to Appearance > Customize > PPWP SIngle Password Form.
Password-protect a WordPress page with HTTP authentication
HTTP authentication is yet another method that you can use to password-protect pages on your WordPress site. Please keep in mind that this method will require more effort on your part.
Basics of HTTP authentication
There are several authentication schemes under the HTTP authentication framework. These schemes are identified by names such as Basic, Bearer, Digest, and so on.
All these schemes offer varying levels of security. Also, not all of them are available in all client and server software.
One of the most widely supported schemes among them all is the Basic authentication scheme. This is what we will be using to password-protect a webpage on our WordPress site.
Password protecting a website using Basic HTTP authentication requires passing over the user ID and password over the network as base64 encoded clear text. Therefore, it is not very secure.
You should consider using this authentication scheme with HTTPS/TLS to provide a secure communication channel. This is basically an encryption protocol to encrypt communications.
Websites that have an SSL (TLS) certificate already have this encryption in place.
Implement Basic HTTP authentication
Password protecting a web page or website with Basic HTTP authentication requires you to work with two files.
Step 1: Create the .htpasswd file
The .htpasswd file stores usernames and passwords for basic HTTP authentication. You can create this file using the htpasswd command.
You have to execute this command in the terminal. Therefore, the first step is to open the terminal. You can find the terminal in the Advanced section of your cPanel dashboard.
Once the terminal is open, execute the following command to create a password file and add a user to it.
You should also note that this command will most likely not work on a shared hosting account. This is because shared hosting accounts usually don’t get access to the htpasswd command via the terminal.
htpasswd -c /path/to/the/password/file username
If you were able to execute this command, the terminal will now prompt you to enter and confirm the password for this particular username.
If you weren’t able to execute the above command, you can simply create the .htpasswd file manually in a directory on your server.
After that, use the HTPasswd generator to generate the contents of your .htpasswd file. Finally, copy the generated output in the .htpasswd file that you just created and save it.
Your .htpasswd file is now ready to be used for password protection.
Step 2: Add directives to the .htaccess file
The .htaccess file is a configuration file that you can use for several purposes. For instance, you can improve WordPress website security using .htaccess files.
In this post, we are using this file to implement basic HTTP authentication.
The .htaccess file for your WordPress website should be present in the root installation directory. We strongly advise you to take a backup of your .htaccess file before proceeding. This way, you can restore the file to its previous state if anything goes wrong.
Open the downloaded .htaccess file in a text editor and add the following lines at the bottom.
<Location "/url-you-want-to-protect/">
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /path/to/the/password/file
Require valid-user
</Location>
You should make sure that /path/to/the/password/file matches the actual path of your .htpasswd file.
Save this file and upload it back to its original location on the server.
Try visiting this specific page in your browser now, and you should see a prompt that asks for a username and password.
How to password-protect WordPress categories
WordPress allows us to assign one or more categories to a post. This allows us to keep our posts well-organized for visitors.
In some situations, you might want to protect all posts that fall under a certain category. For instance, you might be publishing a weekly list of design tools that you want only a certain section of your viewers to see.
Unfortunately, WordPress doesn’t have any native functionality that will let you add category passwords. Adding password protection to each post that falls under a certain category one by one is not very efficient.
The simplest and most effective way to password-protect posts that fall under specific WordPress categories is to use a plugin. Luckily, there are many WordPress plugins that you can use to make the password protection of categories easier.
Password protect WordPress categories using a plugin
The Password Protect WordPress plugin that we mentioned earlier can also help you password-protect posts that fall under specific WordPress categories. Let’s see how you can make that happen.
First, you need to navigate to Posts > Categories from your WordPress admin dashboard. This page allows us to add a new category or edit existing categories on our website.
Admins who have installed the Password Protect WordPress plugin that we mentioned earlier should see a new section on the categories page in their admin dashboard. This section is under the heading Category Protection.
The first input field in this section allows you to select the categories to which you want to add password protection. You can add one or more categories to this field.
The second input field allows you to set a password that visitors will need to enter to view the content of posts that fall under protected categories.
Click the Save Changes button once you have selected the categories to protect and set a suitable password to access them.
How to password protect entire WordPress site content
Sometimes, you might want to add password-based protection sitewide. For instance, you might be working on a site that isn’t ready for the public yet. You could also be trying to protect the contents of a personal website where you post things only for friends and family to read.
There are two methods that you can use to password-protect the content of your entire WordPress site.
Password-protect entire WordPress site content using a plugin
We will use the Password Protect WordPress plugin mentioned earlier to add password protection to the entire website content.
Log in to your WordPress admin dashboard and then navigate to Password Protect WordPress > Sitewide Protection.
Now, turn on the toggle for Password Protect Entire Site under the General tab.
Enter a new password in the Set a password input field. Finally, click on Save Changes to enable sitewide password protection.
Try visiting any published page or post on your website now. You should see the following screen. This is the sitewide password form that will protect your entire site content now.
You might want to change the logo of the password protection screen to your website logo.
The plugin allows you to do so through the WordPress customizer.
Navigate to Appearance > Customize > PPWP Sitewide Login Form from the admin dashboard.
You will find some plugin settings inside the PPWP Sitewide Login Form section to change the logo, button, and password form appearance. Click on Logo.
Inside, you will be able to either disable the logo or change the logo image. Click on the Change Image button and select the logo of your website. Finally, click the Publish button to save changes.
The sitewide password protection form should have the updated logo as shown in the image above.
Protect your entire WordPress site content using HTTP authentication
Earlier, we learned how to use basic HTTP authentication to password-protect the content of a single WordPress post or page.
You can follow the same steps in order to password-protect the content of your entire site.
Simply remove the Location directive that we placed around the authentication settings when protecting a single page. In other words, your .htaccess file should now have the following lines.
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/qqgbuopr/.htpasswd
Require valid-user
Save and upload the modified .htaccess file back to the server. Now, try reloading any page on your website. You should see a prompt to enter a username and password.
You might also want to read our complete guide for the WordPress .htaccess file to learn about more ways in which you can use these files.
How to improve the protection of your WordPress site
In this tutorial, we have discussed multiple ways of protecting the content on your WordPress site. This can help prevent bad actors from gaining unauthorized access to that content.
However, not all bad actors are after the content of your website. Some of them will try to gain access to your website’s user accounts. Bad actors gaining access to one of the website’s user accounts, such as those of admins or editors, can have very bad consequences. Therefore, ensuring user account safety is paramount for you as a WordPress website administrator.
Enforce strong login and password policies
The Melapress Login Security plugin has an extensive feature set that can help you protect the user accounts on your WordPress site. This plugin makes it very easy for you to implement and enforce login and password policies for your website’s user accounts.
Bad actors will usually try to gain access to user accounts by guessing their usernames and/or passwords using brute-force attacks.
The following features in Melapress Login Security will drastically reduce the impact of such attacks:
- Melapress Login Security also allows you to limit the total number of failed login attempts. It will automatically block users with too many failed login attempts.
- It also allows you to enforce strong password policies either based on role or site-wide. Users receive automated, real-time, on-page feedback while creating their password.
- Melapress Login Security also allows you to reset all passwords and terminate all sessions with a single click. It also sends users instructions on how to reset their passwords.
- You will be able to change the default WordPress login page URL. This will protect against bots that visit the login page of WordPress websites to attempt brute-force attacks.
Melapress Login Security also offers one-click integration of third-party plugins such as WooCommerce, LearnDash, and others into your login policies for all-around protection.
Set login & user security policies such as limit login attempts, login page hardening, and much more.
Protect user’s accounts with two-factor authentication
Melapress Login Security is an excellent plugin for protection against brute-force attacks. However, there are many other types of attacks that bad actors can use to target the user accounts on your website.
In some instances, the attacker will try to steal the login credentials of users instead of trying to guess them.
Phishing attacks are one such type of attack. These attacks try to exploit the trust of users for malicious purposes. They try to trick users into entering their account credentials on a fake website that is very similar to the original website in appearance. This allows them to receive the login credentials of the user.
One way to protect user accounts from unauthorized access via stolen or leaked credentials is to enable two-factor authentication. This technique uses two independent factors to authenticate a user.
The WP 2FA Plugin from Melapress will help you add this extra layer of security to your website’s authentication process. Two-factor authentication, or 2FA introduces an extra step in the authentication process. However, the WP 2FA plugin makes the process very convenient for the user.
- WP 2FA provides multiple authentication methods. Users can choose the one that is most secure and convenient for them.
- The plugin also allows users to mark some devices as trusted. This way, they won’t have to enter the 2FA code every time they log in.
- WP 2FA also provides backup methods for users to log in to their accounts if the primary method is unavailable. This could be the case if, for instance, their phone runs out of battery.
WP 2FA has plenty to offer to website administrators as well. For example, you will be able to configure policies either on a per-user, per-role basis, or site-wide.
The plugin also offers extensive white labeling options. This ensures a consistent look and feel during the user’s 2FA setup process.
Conclusion
In this post, we discussed multiple methods that you can use to password-protect the content on your website. The ideal password protection method for your website content depends on what exactly you want to protect.
If you aim to password-protect a few individual WordPress pages or posts, you can use the built-in password protection feature in the WordPress editor. This will allow only authorized users to see the contents of an otherwise public WordPress post.
If you are looking to protect all the posts that fall under your specified categories, you can do so with the help of many available WordPress plugins. These plugins usually offer some additional features, such as the ability to set multiple passwords, implement password protection only for specific user roles, etc.
You can also use basic HTTP authentication to protect individual pages as well as the entire site content. However, you should ideally use this option to password-protect sites that are not user-facing.
Finally, don’t forget to install the Melapress Login Security plugin and take some safety measures to protect the user accounts on your WordPress website.
WordPress Password Protection FAQs
The primary difference between these two is their visibility. Private WordPress pages are only visible to editors and administrators. Password-protected WordPress pages are visible to anyone who knows the correct password.
The easiest method to protect your WordPress website with a password is to use a plugin. However, you can also use basic HTTP authentication for this purpose.
WordPress has built-in support in its editor to apply password protection on pages. You can change the visibility of pages from the editor sidebar to enable password protection.
You can also use dedicated plugins that offer more features, such as role-based passwords.
Melapress Login Security is an excellent plugin that allows you to enforce and implement strong password policies. It also offers plenty of other useful security features.