htaccess protect

by zoltanlaczko

Description

Using the password protection will give you extra security layer of protection from brute force hacking attacks. Additionally, it’s also an easy way to password protect your entire site, without needing to create separate WordPress users for each visitor.

When you enable the password protection, the user won’t be able to see anything – not even see the protected page – until he/she inserts the username/password. You can password protect the whole website, including the administrator pages; you can password protect the administrator pages; or you can password protect the WordPress login page.

The plugin options include:

Enabling/disabling the password protection to wp-login.php, WordPress admin pages.
Modifying the existing users: you can change any .htaccess user’s password and remove the users.
Create/modify an unlimited number of .htaccess users;
Protect your whole site, making it accessible to only those who have the .htaccess user.

This plugin is originally was based on .htaccess Site Access Control. That plugin was working fine but it was abandoned for years and not compatible with the latest WordPress. Most part of the plugin were refactored and translated.

Installation

Upload the plugin files to the /wp-content/plugins/zotya-htaccess-protect directory, or install the plugin through the WordPress plugins screen directly
Activate the plugin through the ‘Plugins’ screen in WordPress
Use the Settings -> htaccess protect screen

Faq

Which options do you modify?

You can choose between the following options:
1. Enabling/disabling the password protection to wp-login.php, WordPress admin pages, and/or the whole site.
2. Modifying the existing users: you can change any .htaccess user’s password and remove the users.
3. Adding a new .htaccess user.

Note that you have to have at least one user to be able to enable any of the options: otherwise you would be locked out!

The plugin is giving a warning that some of the files need to be writable for it to work, what does this mean?

Since the plugin is protecting your site via modifying .htaccess and .htpasswd files, it works only if these files are writable by WordPress. If the files don’t exist, you can just create empty writable files to the location brought out in the plugin’s warning. You can also see from there which files are already writable and which not.

I forgot my password, and got locked out from the site! What can I do?

For accessing your site again, you have to modify two files:
1. .htaccess file in your WordPress root directory (the directory where the file wp-config.php is located);
2. .htaccess file in your WordPress wp-admin folder

From both files, delete everything BETWEEN these two lines:

# BEGIN ZOTYA htaccess protect
# END ZOTYA htaccess protect

IMPORTANT: Before modifying either of the files, make a copy of them!

For accessing the files, either use FTP or log in to your web hosting service provider, usually they also enable direct file modification.

Reviews

it works

By sinanisler on June 28, 2022

i dont know others but it works fine for me i just tried with wordpress 6.0 I recommend people to use this plugin if you have and know how to edit your ftp files ! if your server configuration has issues this plugin will have too... it is a simple but powerfull plugin.

It doesn't work

By reverseflash on January 1, 2022

the plugin used to work, not anymore.

Does what it says on the tin

By BigupJeff (jeffersonreal) on April 11, 2021

This is the first http pass plugin of several I had to sift through which actually does what you'd expect from a http password plugin. Provides simple, complete site-wide password protection. For me this is a very helpful tool to quickly block public access to staging and dev sites without having to manually create a pass file which I have to remember to delete before migration etc... Thank you to the dev for keeping it straight forward, the way tools should be.

Sorry, but problematic!

By markc369 on April 3, 2021

When working on websites, I like to add a site-wide password to stop user and search engines accessing the site during that period. I normally use another plugin for this, but it had not been updated for 6 months and on WP5.7 was causing the (known) issue of misreporting that there was an https issue with the site when doing a health check. So I decided to go with this one. At first I thought it would do the job, but when I went to check the site health, I got into the loop of it constantly asking for user/password. I enabled the (supposed) fix for this and then tried again - but same issue. At this point I decided to deactivate/uninstall the plugin - that did not help and the site was still asking for the password, but least at this point I could still access the site. I reinstalled - disabled everything and removed the user thinking that would fix it - now it was even worse. I was still asked for user/pw but now it was not recognised - basically I had been locked out of the site completely. The only fix was to ftp in, download the .htaccess file and manually remove the authentication section added by this plugin and re-upload it. Not sure what has been left in the file structure / db, but at least I am back in and have gone back to the original plugin. What is even worse, is that this plugin also causes the same https error when checking on site health. So it was all for nothing anyway... Needs some more work guys! Cheers, Mark. PS. If you do fix these issues and want me to give it another go - of course I will be happy to do so and will happily up the grading accordingly 🙂

Simple enough! 🙂

By Manoj Kumar (manojorton) on March 22, 2021

Thanks for keeping it simple.

Great

By szaboi on June 4, 2020

Simple and great. Thank you for your work

Changelog

0.7.0

Add WordPress 5.9 support

0.6.0

Add WordPress 5.8 support

0.5.0

Add WordPress 5.7 support

0.4.0

Add WordPress 5.6 support

0.3.0

Add WordPress 5.5 support

0.2.0

Add authorization fix option if you have loopback issues
refactor remove function

0.1.0

Initial release