WordPress rewrite engine and .htaccess password protection

1 min read

Following these steps will avoid the problem of wordpress rewrite engine kicking in and sending 404 messages:

Step 1: Update the .htaccess file to point to the unauthorised login file

Method 1: Include this code at the top of your .htaccess file:

ErrorDocument 401 default

If that doesn’t work, you may need to create the 401 file…

Method 2:
(1) Create an 401.shtml
This can simply have <html></html> as content. It doesn’t need anything… wordpress just needs to be able to see it or it will serve a 404.

(2) Update the .htaccess file 
Edit the .htaccess file with this code right at the top. Edit with the appropriate full path to the error.html file.

ErrorDocument 401 /401.shtml
ErrorDocument 403 /401.shtml


Step 2:  Create a password file
These are useful instructions. Using the Htpasswd Generator, create and save a file .htpasswd to a location above your root directory, so visitors can’t access it.

Step 3:  Update the .htaccess file with info on password protected files / directories
These are useful instructions. Put this code just after the code in step 1, before the wordpress rewrite engine instructions. Edit with the appropriate full path to your htpasswd file.

<FilesMatch “path/to/file.extension”>
AuthName “Restricted Area”
AuthType Basic
AuthUserFile /home/youraccount/.htpasswds/public_html/.htpasswd
require valid-user


Note: If the password dialogue appears but you still get a 404 error after logging in, this means the password file is in the wrong place ie it is NOT located at the file locations indicated in step 3.