Password protecting your WordPress website is a good choice if you’d like to gate specific pieces of content, prevent WordPress security issues, or protect published pages from view while you make changes.
In this piece, we’ll provide easy-to-follow steps for WordPress password protection, including protecting an individual WordPress page and an entire site. The good news? You can do so without needing a plugin. Let’s get started.
Why password protect WordPress?
As a result, it’s critical to protect these posts — to ensure that unauthorized users can’t view, edit, or delete data before you’re ready to publish pages or have the chance to make critical changes.
But how do you password protect WordPress? Thankfully, WordPress makes it easy with a quick and painless built-in tool. While site owners could invest substantive time and effort into in-depth security precautions, this popular content management system (CMS) offers built-in password functionality to help defend sites against unwanted access and editing. Let’s take a look.
How to Password Protect a WordPress Page
There are many steps to secure a WordPress website or blog, but one easy tactic is to password protect a single page, post, or product listing (including WooCommerce listings) using WordPress’ built-in password protection tool.
Follow these six steps to quickly password protect a single page or post:
- Log in to your WordPress account
- Go to Posts, then All Posts
- Click Edit on a specific page or post
- Using the Publish menu, change the visibility to Password Protected
- Enter a password
- Publish your newly-protected page
1. Log in to your WordPress account.
Make sure to log in as an administrator or you won’t be able to make any changes to post visibility or security.
2. Go to "Posts", then "All Posts".
From your dashboard, click through to "Posts" and then "All Posts" to select the page or post you want.
3. Click "Edit" on a specific page or post.
Alternatively, click on the post title. Password protection is implemented on a per-post basis, so you’ll need to add security to individual pages as required.
4. Using the Publish menu, change the visibility to "Password Protected".
By default, WordPress pages are set to Public — meaning anyone can view them. Private pages can only be accessed by designated Admins and Editors, and Password Protected offers the highest level of security.
Click the blue “Public” text to access visibility options. In the pop-up, click “Password Protected.”
5. Enter a password.
Choose your password. As noted by the official WordPress site, the maximum length is 20 characters.
6. Publish your newly-protected page.
To apply any changes made, you must click the “Publish” button for unpublished pages or posts, or the “Update” button for already-posted content.
If you’re looking for even more protection, it’s possible to password protect your entire WordPress site. This is often a good idea if your site isn’t ready to go live yet or you’re in the middle of in-depth page and post development.
The caveat? WordPress doesn’t natively offer this feature, meaning you’ve got two options: Plugins and HTTP authentication. Let’s explore each in more detail.
How to Password Protect a WordPress Site Using a Plugin
There are a host of free and for-pay WordPress plugins that make it possible to password protect your entire site. While the details differ from plugin to plugin, the basics are the same — you select a password for your site and specify any exceptions, such as visitors from specific IP addresses, then apply the changes. When users visit your site, they’ll see a WordPress login screen that requires a valid password for access.
We’ll go through the process using PPWP – WordPress Password Protect Page Plugin, which allows you to protect your entire WordPress site, as well individual pages, posts, and categories. In the Pro version, you can even protect entire custom post types, such as product listings.
Here’s the step-by-step process:
1. Download the PPWP plugin from the WordPress plugin library.
To install the plugin, log into your WordPress dashboard, click “Plugins” on the sidebar, and click “Add New.” Search for the PPWP plugin, then install it and click “Activate.”
2. Click “Password Protect WordPress” on the sidebar.
The plugin will have a dedicated section on your sidebar titled “Password Protect WordPress.” Click on it to expand the subsections, then click on “Sitewide Protection” to see your options.
3. Under “Sitewide Protection,” click on the “Password Protect Entire Site” toggle.
You’ll then be prompted to set a password. The change will be immediate, so make sure you’re ready to make your website fully private! And do save your password somewhere for you to remember.
4. All done! Your site is now password protected.
When external visitors try to visit your site, this is what they’ll see:
Remember that password protecting your site may lead to search engine indexing issues, meaning that Google, Yahoo, and Bing may not list your website in search results. If you’d like to keep your pages public but not be indexed by search engines, you can use noindex, nofollow meta tags without needing to make your site private.
How to Password Protect a WordPress Site Using HTTP Authentication
This type of password protection happens at the web hosting level; many web hosting providers now offer one-click HTTP authentication for your website, regardless of what CMS you’re running. Just like plugin-based password protection, you select a password for your site, along with any exceptions. Unlike plugin solutions, visitors won’t even see a WordPress logo when they arrive — they’ll simply see a text box asking them to log in.
Here are the tutorials we recommend:
- Hostinger: How to Locate and Create the WordPress .htaccess File on cPanel and hPanel
- DreamHost: Password protecting your site with an .htaccess file
- [Video] HostPapa: How to Password Protect a Directory through cPanel
Pros of WordPress Password Protection
Despite ongoing efforts to replace password protection with more robust and reliable security solutions — such as two-factor authentication or location-based access approval — recent research notes that “password authentication is still ubiquitous.”
So why this continued passion for passwords despite their potential problems? It’s simple: Familiarity and ease of use. The mechanism for password protection is widely understood and easy to implement — and in many cases, more complex defense efforts can cause more problems than they solve.
1. Easy to Use
Passwords remain the most common form of digital security because they offer a low bar to entry. If you know the password, you’re granted access — if you don’t, you’re turned away.
2. Simple to Integrate
They can also be easily combined with other security solutions to improve overall defense. For example, current-generation smartphones often leverage both biometric technologies — such as fingerprint or facial recognition sensors — and password-based backups.
3. Can Reduce Security Risks
While passwords often get a bad reputation for being regularly compromised, much of this issue stems from poor password selection. If users select their preferred passwords carefully, don’t use them across multiple sites, and adopt a policy of regular password change, it’s possible to significantly reduce digital risk.
Potential Pitfalls of WordPress Password Protection
Passwords aren’t perfect, and for attackers looking to expend minimal malicious effort, they’re a potentially attractive prospect. In truth, however, the biggest risk comes not from external but internal factors — users who unintentionally stumble into three common pitfalls:
1. Poor Password Choice
No one wants to forget their password. As a result, it’s tempting to pick something simple and easy to remember — but this can rapidly get out of hand. Consider that the three most common passwords are “password”, “123456”, and “123456789”. While these are easy for users to remember, they’re also simple for attackers to guess.
2. Defensive Duplication
The average user has between 70 and 80 passwords — so it’s no surprise that password reuse and duplication is common. The problem? If attackers compromise one account or website using a duplicated password, they’ve potentially compromised dozens or more.
3. Static Security Practices
The sheer number of passwords required to navigate digital-first landscapes means that users are often reluctant to change login credentials. Many also use physical media — such as sticky notes — to remind themselves of specific site or account passwords. In both cases, the existence of passwords that aren’t regularly updated creates a potential security issue.
Keep it Secret, Keep it Safe
Despite potential pitfalls, passwords offer substantive protective benefits — so long as users avoid common letter and number combinations, don’t duplicate these defenses, and regularly update login credentials.
For WordPress website owners and administrators, meanwhile, the judicious use of passwords offers peace of mind by limiting access to reduce potential security risk.
This article was originally published in November 2020 and has been updated for comprehensiveness.