Password protecting directories is a server-level security measure that restricts access to specific sections of your website. Unlike application-level authentication (such as WordPress login), directory-level protection uses Apache's built-in authentication mechanism, making it robust and independent of your website's CMS. This guide covers how to set up, configure, and manage directory protection using cPanel.
/wp-admin).
Method 1: Using the cPanel Directory Privacy Tool
cPanel provides a user-friendly interface called Directory Privacy (found under the Security section) for setting up password protection without manually editing configuration files.
Step-by-Step Setup
public_html to expand it, then select a subdirectory like staging or admin.
You can create multiple users for the same protected directory by repeating Step 4 with different usernames. This is useful when you need to provide access to multiple team members with individual credentials.
Method 2: Manual .htaccess Configuration
For advanced users who need more control over the authentication behavior, you can manually configure directory protection using .htaccess and .htpasswd files.
Creating the Password File
First, generate a password hash. You can use cPanel's Terminal or an online htpasswd generator. The password file should be stored outside of your public_html directory to prevent direct web access.
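# Make sure the directory for the password file exists
mkdir -p /home/yourusername/.htpasswds/public_html/staging
# Create the password file and add the first user (-c creates the file)
htpasswd -c /home/yourusername/.htpasswds/public_html/staging/passwd username
# Add additional users (note: no -c flag, which would overwrite the file)
htpasswd /home/yourusername/.htpasswds/public_html/staging/passwd seconduser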
Creating the .htaccess Rules
In the directory you want to protect, create or edit the .htaccess file and add the following directives:
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/yourusername/.htpasswds/public_html/staging/passwd
Require valid-user
AuthType Basic specifies the authentication method. AuthName sets the text displayed in the login prompt. AuthUserFile points to the password file containing the hashed credentials. Require valid-user means any user in the password file can access the directory.
Protecting WordPress wp-admin
Adding an extra layer of password protection to your WordPress admin area (/wp-admin) is an excellent security measure that blocks brute-force attacks before they even reach WordPress. However, this requires special configuration because WordPress uses AJAX requests that need to pass through the wp-admin directory.
wp-admin directory as described above.
.htaccess file inside the wp-admin directory and add the following to allow AJAX requests to pass through:
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
This exception ensures that AJAX-dependent features (such as media uploads, auto-save, and plugin functionality) continue to work correctly while the rest of wp-admin remains password protected.
Allowing Specific IP Addresses
You can combine password protection with IP-based restrictions to create a whitelist approach. This is particularly useful for admin areas that should only be accessible from your office network:
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/yourusername/.htpasswds/passwd
Require valid-user
# Allow access without password from specific IPs
Order deny,allow
Deny from all
Allow from 196.41.xx.xx
Allow from 41.59.xx.xx
Satisfy any
With this configuration, users connecting from the allowed IP addresses can access the directory without a password, while all other visitors must authenticate.
Removing Password Protection
To remove directory protection through cPanel, go to Security → Directory Privacy, select the protected directory, uncheck Password protect this directory, and save. If you configured protection manually, delete or comment out the authentication directives in the .htaccess file.
Troubleshooting Common Issues
500 Internal Server Error After Setup
This usually indicates an incorrect path in the AuthUserFile directive. Verify the full absolute path to your password file. The path must be the server's filesystem path, not a URL.
Login Prompt Appears Repeatedly
This means the credentials are not being accepted. Verify that the username exists in the password file and that the password was correctly hashed. Recreate the user through the Directory Privacy tool if needed.
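The checks from the two troubleshooting entries above, together with the rule that the password file must sit outside public_html, can be scripted. This is an added example, not part of cPanel or the original guide; the function name audit_htaccess and its three arguments are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit the Basic auth setup this guide describes.
# Usage: audit_htaccess HTACCESS_FILE DOCROOT USERNAME
# Prints one line per problem and returns the number of problems found.

problems=0
fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

audit_htaccess() {
    htaccess=$1; docroot=${2%/}; user=$3; problems=0
    [ -r "$htaccess" ] || { fail "cannot read $htaccess"; return 1; }

    # All four directives are needed for Basic auth to work.
    for d in AuthType AuthName AuthUserFile Require; do
        grep -Eiq "^[[:space:]]*$d[[:space:]]" "$htaccess" || fail "missing $d directive"
    done

    # First AuthUserFile argument, quotes stripped (assumes no spaces in the path).
    pwfile=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$htaccess")
    [ -n "$pwfile" ] || return "$problems"

    # The guide requires a filesystem path, not a URL or a relative path.
    case $pwfile in
        /*) ;;
        *) fail "AuthUserFile '$pwfile' is not an absolute filesystem path"
           return "$problems" ;;
    esac
    [ -r "$pwfile" ] || { fail "password file $pwfile is missing or unreadable"; return "$problems"; }

    # String-prefix test only; symlinks are not resolved.
    case $pwfile in
        "$docroot"/*) fail "password file is inside the web root $docroot" ;;
    esac

    # The user must have an entry of the form name:hash.
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$pwfile")
    case $entry in
        "") fail "user '$user' has no entry in $pwfile" ;;
        "$user:") fail "user '$user' has an empty password hash" ;;
    esac
    return "$problems"
}

# Run directly: sh audit.sh /path/to/.htaccess /home/yourusername/public_html username
if [ "$#" -eq 3 ]; then audit_htaccess "$@"; fi
```

A return value of 0 means every check passed; any other value is the number of PROBLEM lines printed.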
AJAX or Dynamic Features Break
If you protected a directory that handles AJAX requests (like wp-admin), you need to add exceptions for the relevant files. See the WordPress section above for the correct exception syntax.
For further reading, visit the cPanel Directory Privacy documentation and the Apache Authentication and Authorization documentation. For assistance, open a support ticket at billing.sakurahost.co.tz.