In Nginx , Security and WordPress Last updated:
Share on:
Cloudways offers managed cloud hosting for any size business to host a website or complex web applications.

You might have some sensitive page that you want to protect with the password. This is also known as Basic Authentication.

The good news is it’s possible, and it is super easy.

Why protect the webpage with a password?

Well, there could be many reasons, including.

  • Contain sensitive data on the page
  • The page is not ready, and you don’t want to make it visible publicly but share with someone

Whatever it is, let’s explore how you can protect.


Let’s take an example; I want to protect /client on, which means if anyone access should prompt for a password.


Let’s start with Apache first.

The first thing we need to create is a password file where all the credentials will be stored. The filename would be .htpasswd and you can place it anywhere on the server. I’ll create it under /etc/httpd/conf folder

  • You can create the file with the touch command
touch /etc/httpd/conf/.htpasswd
  • Let’s add the user who would be allowed to access /client. We need to use htpasswd command for this.
htpasswd /etc/httpd/conf/.htpasswd geekflare
  • The last section geekflare, is the user name. Change that with what you want and hit Enter.
  • Enter the password, and you will see a confirmation that the user is added.
[root@lab html]# htpasswd /etc/httpd/conf/.htpasswd geekflare
New password: 
Re-type new password: 
Adding password for user geekflare
[root@lab html]#

If you cat the file, you will notice the password is stored in an encrypted format. It is good!

[root@lab html]# cat /etc/httpd/conf/.htpasswd 
[root@lab html]#

Next, we need to instruct Apache to protect the URI we want.

  • Modify httpd.conf file or configuration file you are using for Apache instance. I am using default installation so I am using /etc/httpd/conf/httpd.conf
  • Add the following anywhere in the file
<Directory "/var/www/html/client">
Options Indexes FollowSymLinks
AuthType Basic
AuthName "Protected Content for Client"
AuthUserFile /etc/httpd/conf/.htpasswd
Require valid-user

If you already have /var/www/html/client Directory directive, then instead of adding a new section, you should just add the following in the existing directive.

AuthType Basic
AuthName "Protected Content"
AuthUserFile /etc/httpd/conf/.htpasswd
Require valid-user
  • Restart Apache
service httpd restart
  • Try to access the /client page, and it should be asking for a password.

  • Enter the credential you set earlier to view the content.

Fancy .htaccess method?

Sure, you can implement basic auth through .htaccess file as well. You still need to generate credentials using htpasswd as explained above. Once done, you can add the following in the respective folder’s .htaccess file.

AuthType Basic
AuthName "Protected Content"
AuthUserFile /etc/httpd/conf/.htpasswd
Require valid-user

The beauty is you don’t need to restart Apache.


Let’s implement Basic Authentication in Nginx by following.

We will take help from Apache Utils to generate the credentials. If the server doesn’t have Apache HTTP installed, then you need to install the utils separately as below. If unsure, you can execute htpasswd to see if it works. If it doesn’t, then you know you need to install it.


dnf install httpd-tools


yum install httpd-tools


apt-get install apache2-utils
  • Let’s create the credentials similar to how we did in Apache.
htpasswd -c /etc/nginx/.htpasswd chandan
  • Don’t forget to replace chandan with the real user name you want

Next, we need to configure Nginx, so it restricts the particular URI with the password.

  • Let’s assume we need to protect /admin URI
  • Add the following in nginx.conf or other active Nginx configuration file
location /admin {
auth_basic "Admin Area";
auth_basic_user_file /etc/nginx/.htpasswd;
  • Restart Nginx

What if you have to restrict the entire website getting served through Nginx?


Add the following in nginx.conf or active configuration file under location / { directive

auth_basic "Admin Area";
auth_basic_user_file /etc/nginx/.htpasswd;


The hosting platform has evolved. There are many platforms that offer handy tools, and SiteGround is one of them.

If you are using SiteGround to host your website, you can easily protect the URL from their admin console. Let’s assume you are using WordPress and need to protect /wp-admin.

  • Login to SiteGround and go to the site where you need to enable basic authentication.
  • Click on Security >> Protected URLs >> Users
  • Enter the name and password to create the credential

Next, we will protect wp-admin with the credential we just created.

  • Go to URLs tab
  • Enter wp-admin in the path and click protect
  • Click on Manage Access and assign the user you just created

Try to access the page, and SiteGround will prompt you to enter the credentials.

Easy, isn’t it?


Using WordPress and would like to password protect a particular post, page, category, by role, or the entire site?


Meet PPWP (Password Protect WordPress Plugin)

Install the plugin and configure the way you want to protect WordPress resources. This works with page builders such as Elementor, Divi, Beaver.

Alternatively, if you need a simple password-protected post or page, then you can take advantage of the inbuilt WP feature. You don’t need any plugin for this.

  • Go to the post or page you want to enable a password.
  • Under the publish section, click Edit next to visibility: Public
  • Select Password protected and enter the password.

  • Click, OK, and you are all set!

Need more ways to secure WordPress? Check out this guide.


If you are on shared hosting, then most likely you will have cPanel. The good news is cPanel offers a utility called Directory Privacy; from there, you can set a password for directory.

  • Login to cPanel
  • Search for Directory Privacy

  • Select the folder you want to protect. Like below, I’ve selected a folder called chandan, which is under public_html
  • Create the user which should be allowed and save

  • Once done, you will notice the folder has a lock

And, that’s it. The directory is password protected now. As you can see above, I’ve tested on A2 hosting, and it works great.


I hope the above helps you to protect certain URI, folder with the password using basic authentication. If you are looking for comprehensive website security, then you should consider implementing WAF.

Share on:
  • Chandan Kumar
    Chandan Kumar is a seasoned technology enthusiast and entrepreneur passionate about empowering businesses and individuals globally. As the founder of Geekflare, a leading technology publication, Chandan has spearheaded the development…

Thanks to our Sponsors

More great readings on Nginx

Power Your Business

Some of the tools and services to help your business grow.
  • The text-to-speech tool that uses AI to generate realistic human-like voices.

    Try Murf AI
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.

    Try Brightdata
  • is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.

    Try Monday
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.

    Try Intruder