Table of contents
Why password-protect 1. Built-in feature 2. Use a plugin 3. Use .htpasswd and .htaccess 4. Password-protect 5. Make your entire WordPress site private Extra security FAQs Getting started Additional resources
Get the industry’s fastest hosting for WordPress ◦ 99.999% uptime
◦ Comprehensive security
◦ 24/7 support
Explore options

WordPress GuideSecurity → Password Protect

How to password-protect your WordPress site

Image

Want to restrict access to your WordPress site or certain content? Whether you’re building a private portfolio, staging a client project, or securing internal content, password protection gives you quick control over who sees what.

Let’s look at the easiest ways to password-protect your site, from built-in features to advanced plugins.

Why password-protect a WordPress site?

There are plenty of reasons you might want to limit access:

  • Keep a staging or development site private while you work on it.
  • Restrict internal documentation or team portals.
  • Offer client previews without giving public access.
  • Create members-only or customer-only areas.
  • Hide an entire store or product category until launch.

No matter the use case, WordPress has flexible tools to help.

1. Use WordPress’s built-in feature to protect a page or post

If you only want to protect a single page or blog post, you don’t need a plugin. WordPress includes a simple password feature out of the box:

  1. Log in to your WordPress dashboard.
  2. Go to Pages or Posts and click Edit on the one you want to protect.
  3. In the right-hand sidebar under Visibility, click Public and select Password Protected.
  4. Enter your password.
  5. Click Update or Publish to save the change.

Only people with the password will be able to view the page. This method is best for simple use cases but doesn’t allow for multiple passwords or advanced access control.

2. Use a plugin to password-protect your entire WordPress site

To protect your whole site or multiple areas at once, a plugin is the way to go. The most popular option is the free Password Protected plugin.

Here’s how to set it up:

  • Go to Plugins > Add New and search for “Password Protected.”
  • Click Install Now, then Activate.
  • Go to Settings > Password Protected.
  • Check “Enabled” to turn on protection.
  • Enter a password under New Password.
  • Optionally allow access for logged-in users or admins.
  • Click Save Changes.

Once enabled, anyone trying to access your site will see a login prompt. This is ideal for under-construction websites, private client work, or gated content.

3. Use .htpasswd and .htaccess for server-level protection

If you’re using an Apache server and want an extra layer of security, you can password-protect your entire site at the server level using .htaccess and .htpasswd.

  • Create a .htpasswd file with an encrypted username and password using an online generator.
  • Upload the .htpasswd file to a secure directory above your site root.
  • Add the following lines to your .htaccess file (usually found in the root folder):
    AuthType Basic
    AuthName “Restricted Area”
    AuthUserFile /full/path/to/.htpasswd
    Require valid-user

This method blocks access before WordPress even loads. It’s best used on staging sites or highly sensitive projects.

4. Password-protect WooCommerce categories or stores

If you run an online store, you might want to hide entire product categories or the full storefront. WordPress doesn’t support this natively, but there are plugins built specifically for WooCommerce.

Two of the most popular (and paid) options are:

Both plugins are maintained by Barn2 and offer user-friendly setup screens, customizable messages, and flexible password control.

5. Make your entire WordPress site private (no plugin required)

If you prefer not to use a plugin, there are still ways to make your site private:

  1. Enable search engine discouragement: Go to Settings > Reading and check “Discourage search engines from indexing this site.” This doesn’t block access but helps keep it hidden.
  2. Use a membership plugin: Tools like MemberPress or Restrict Content can make the site fully private until a user logs in.
  3. Enable maintenance mode: Plugins like WP Maintenance Mode or SeedProd let you display a coming soon page while hiding the main content.

Extra security: Set password expiration and limit access

If you want to level up your password protection, use a plugin like PPWP – Password Protect WordPress. It adds features like:

  • Multiple passwords per page
  • Password expiration and scheduling
  • Role-based access
  • IP whitelisting

These tools are especially useful for content that changes frequently, like client deliverables, short-term campaigns, or internal reports.

Password protected WordPress FAQs

Yes. You can use built-in tools to protect individual posts or pages, or install a plugin like Password Protected to restrict access to the whole site.

The simplest method is using the Password Protected plugin. You can also use membership plugins, a maintenance mode plugin, or .htaccess protection for tighter control.

Use strong passwords, two-factor authentication, a firewall plugin (like Wordfence), and SSL. Regular updates and backups are essential too.

Use security plugins to limit login attempts, change the login URL, and enable CAPTCHA or 2FA. Good options include WPS Hide Login and Wordfence Login Security.

Additional resources

Comprehensive guide to securing WordPress with ModSecurity

This guide provides a comprehensive overview of how to use ModSecurity to enhance the security of your WordPress site.

How to add Cloudflare CAPTCHA on WordPress →

Enhance WordPress security by adding Cloudflare CAPTCHA to block bots and malicious traffic.





Why security matters for WordPress enterprise hosting

Use the blog as your guide to attacks to watch out for, security best practices, and steps to improve the WordPress protection you already have.