How to Password-Protect Your Entire WordPress Site with .htaccess

Sometimes you need to hide your site entirely from unauthorized visitors — for example, during active development or staging. The quickest and most reliable way to do this is with HTTP Basic Authentication using .htpasswd and .htaccess.

Problem: A WordPress site under development or on a staging server needs to be completely hidden from the public — search engines, clients, and random visitors — without installing a plugin.

Solution: Use Apache's built-in HTTP Basic Authentication — create a .htpasswd file with a hashed password using the htpasswd utility, then add an AuthType Basic directive to .htaccess so the server requires a username and password before serving any page.

Step 1. Connect to your server over SSH:

ssh user_name@host-name.com

Step 2. In the web root, create the .htpasswd file. Replace user_name with the login you want, then enter the password when prompted:

htpasswd -c .htpasswd user_name

Step 3. Open (or create) the .htaccess file in your web root:

vi .htaccess

Step 4. Add the following configuration. Make sure to replace the path in AuthUserFile with the actual absolute path to your .htpasswd file on the server:

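# Order/Deny/Allow/Satisfy are Apache 2.2 directives; Apache 2.4 provides them through mod_access_compat
Order deny,allow
Deny from all
# Return 404 for version-control directories and the README
RedirectMatch 404 /\.(svn|git|hg|bzr|cvs)(/|$)
RedirectMatch 404 /README\.md$
AuthName "Authorization required!"
AuthUserFile /home/user_name/.htpasswd
AuthType Basic
Require valid-user
# Uncomment and replace with your IP to bypass auth for that address
# Allow from 8.8.8.8
# Satisfy Any: access is granted if either the host rule or the login succeeds
Satisfy Any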

# BEGIN WordPress
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Once saved, any visitor will see a browser-native login dialog before reaching any page on the site. Satisfy Any grants access when either the host rule or the login succeeds, so uncommenting the Allow from line whitelists your own IP and lets you browse from that address without a password prompt.

NOTE: The AuthUserFile directive requires an absolute server path, not a URL. If you are unsure of the path, run pwd inside the web root directory while connected via SSH.
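
A way to audit the finished setup, as an added example that is not part of the original article (the audit_htaccess and directive functions and the sample files are constructed here). It checks the Step 4 directives, that AuthUserFile is an absolute path to a file of hashed entries, and that Satisfy Any is paired with Deny from all, because Order deny,allow admits every host by default and Satisfy Any would then skip the password for everyone.

```shell
#!/bin/sh
# Added example, not from the original article. Sample files below are constructed.
# audit_htaccess FILE: prints findings; exit status = number of failed checks.

# Print active (uncommented) lines of file $1 that start with directive regex $2.
directive() { grep -Ei "^[[:space:]]*$2" "$1"; }

audit_htaccess() {
    ht=$1 problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    directive "$ht" 'AuthType[[:space:]]+Basic' >/dev/null || fail "AuthType Basic missing"
    directive "$ht" 'Require[[:space:]]+valid-user' >/dev/null || fail "Require valid-user missing"

    # AuthUserFile must be an absolute path to an existing file of user:hash lines.
    pw=$(directive "$ht" 'AuthUserFile[[:space:]]' | awk 'NR==1 {gsub(/"/, "", $2); print $2}')
    case $pw in
        /*) if [ ! -f "$pw" ]; then
                fail "password file $pw not found"
            # htpasswd writes $apr1$ (MD5, its default) or $2y$ (bcrypt, -B) hashes.
            elif grep -Evq '^[^:]+:\$(apr1|2y)\$' "$pw"; then
                fail "$pw has an entry that is not an apr1/bcrypt hash"
            fi ;;
        *)  fail "AuthUserFile '$pw' is not an absolute path" ;;
    esac

    # With Satisfy Any, passing the host check alone skips the password prompt.
    if directive "$ht" 'Satisfy[[:space:]]+Any' >/dev/null; then
        directive "$ht" 'Deny[[:space:]]+from[[:space:]]+all' >/dev/null ||
            fail "Satisfy Any without Deny from all: every host skips the password"
        directive "$ht" 'Allow[[:space:]]+from' | while read -r _allow _from hosts; do
            echo "NOTE: no password required from: $hosts"
        done
    fi
    return "$problems"
}

# Demo: the article's auth block, then a copy with "Deny from all" removed.
demo=$(mktemp -d)
printf '%s\n' 'user_name:$apr1$constructed$0123456789abcdefghijk.' > "$demo/.htpasswd"
printf '%s\n' 'Order deny,allow' 'Deny from all' 'AuthName "Authorization required!"' \
    "AuthUserFile $demo/.htpasswd" 'AuthType Basic' 'Require valid-user' \
    'Satisfy Any' > "$demo/good"
grep -v '^Deny' "$demo/good" > "$demo/bad"
echo 'Allow from 203.0.113.7' >> "$demo/bad"
audit_htaccess "$demo/good" && echo "good: no failed checks"
audit_htaccess "$demo/bad" || echo "bad: $? failed check(s)"
```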