How To: Fix WordPress 404 Errors on Password Protected Directories

Using WordPress’s permalink feature seems to cause some issues with password protected directories that use Apache’s .htaccess to handle authentication. I recently had to troubleshoot why after installing WordPress on the root level of the domain that a password protected directory would return a 404 page instead of the typical login box.

The problem comes from the Apache rewrite engine that WordPress uses to make search engine friendly URL’s. WordPress uses a .htaccess file in the root folder of the install to take any URL and allow WordPress to process and serve the appropriate page, or error.

What Exactly Is Breaking User Logins

In this condition the Web server thinks that the HTTP data stream sent by the client (ex. a web browser) was correct, but access to the URL requires user authentication which has not yet been provided or which has been provided, but failed authorization tests. This is commonly known as “HTTP Basic Authentication” or HTTP Error 401 Unauthorized.

Generally this error message means you need to log on (enter a valid user ID and password) somewhere first. If you have just entered these and then immediately see a 401 error, it means that one or both of your user ID and password were invalid for whatever reason (entered incorrectly, user ID suspended etc.).

Let’s Fix Directory Listing Too

Another issue could be a HTTP Error 403 Forbidden. The Web server thinks that the HTTP data stream sent by the client (ex. your web browser) was correct, but access to the resource identified by the URL is forbidden for some reason. The most common reason for this error is that directory browsing is forbidden for the Web site. Most Web sites want you to navigate using the URLs in the Web pages for that site. They do not often allow you to browse the file directory structure of the site.

Understanding What it All Means

Now that we know what is causing the errors it is time to fix them. We will perform the solution by placing a couple of ErrorDocument handlers at the top of the .htaccess to pre-empt the WordPress .htaccess rules.

There are a couple of scenarios we will be preventing WordPress from handling. If there are 401 errors (directory authentication) it will send the user to an error page. If there is a 403 error code (a forbidden directory situation) it will send the user to an error document as well. The WordPress permalinks rule never gets processed and will be ignored for these two errors.

Editing the WordPress .htaccess is Simple Solution

The first thing you need to do is locate your WordPress directory. This is often either your www directory or public_html directory. Locate your .htaccess file and open it using any text editor. If you do not see this file you can simply create one using any text editor (such as Notepad on Windows).

Update the .htaccess file before the WordPress information and add the following two lines of code:

ErrorDocument 401 ./error.html
ErrorDocument 403 ./error.html

The finished .htaccess should look like:

ErrorDocument 401 ./error.html
ErrorDocument 403 ./error.html
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress


Make sure your FTP program is set to upload as ASCII. Upload the .htaccess file to your home directory (often public_html or www). You can also upload an error.html to the root directory.

Attempt to access a directory that is password protected will now give you the popup box you were expecting in the first place, so you can enter your login credentials and gain access as normal.

We also learned how to process 401 and 403 errors in the process using Apache’s ErrorDocument directive using .htaccess in the process.

41 thoughts on “How To: Fix WordPress 404 Errors on Password Protected Directories

  1. Yep O This is Just what I needed … My WordPress was installed in the root /public_html folder so
    but I also had a folder in there called members …that was password protected
    by its own .htacces folder:

    I then Found this Lovely Bit of info 🙂
    and just copied: To my roots .htaccess folder i found it a bit strange because there is no such file as error.html …but what ever

    ErrorDocument 401 ./error.html
    ErrorDocument 403 ./error.html
    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress


  2. Pingback: Inhoud van aangepaste map browsen in een Wordpress website

  3. Thank you! A nice and simple solution to a problem that’s been bugging me for two nights now. It was surprisingly hard to come by solid information on the subject. You also helped me tidy up my .htaccess file and gained a new subscriber. 🙂

  4. I searched “password protected directories 404” (no quotes) in Google. Your article is #1 and I am glad of it.

    I have a fair number of sites floating’ around these days. Couldn’t figure out why the password protect feature wouldn’t work for some.

    It was the WordPress in the root causing what I assumed was a 404.

    Thank You for the enlightenment and the solution!

  5. Your fix worked perfectly on my WordPress site. I don’t know how you figure this stuff out but I’m glad you’re generous with your knowledge and time.

    I wasted hours “trouble shooting” the problem until I looked for help and found your site. Very nice!

    Thank you so much.

    Bill P.

  6. i have my website with permalink, till now everything was fine, but few days before i changed my permalink, now everything is going wrong, now each and every page i am getting 404, even my about-us and contact us pages, they are giving me 404 page if i come to my site from google or any search engines, then also it gives me 404 i have 1000+ posts on my website, for each post & page from google i get 404 page, but within the website except pages i get no 404 page my previous permalink was, %postname%/%category%/

    now i added custom taxonomy to my permalink, so it is %location%/%courses%/%postname%
    how can i change ?????

  7. Pingback: The Onion » The Fix:

  8. Thank you so much for posting this. I followed your steps for my site as well, but it seems that it is not working, although I do get prompted for username/password, every time I put them in, it just does not open the folder, rather showing the login screen again.

    This is my link:

    Any ideas?

    Server is Linux/cPanel.


  9. Thanks Gino. Again I am someone else your info has helped, very good, I was almost giving up on the problem! Some notes that may be useful to other folk….

    My WP site was installed in the root public_html folder (hence this whole problem as explained by Gino).
    I used PuTTY to get shell access to my web space, made a backup copy of my already existing .htaccess, then used “vi” to edit the .htaccess file.

    I also added a change recommended on another website to the line
    RewriteRule . /index.php [L]

    changing it to
    RewriteRule ./ /index.php [L] (note the extra slash)

    But the key to really making it work was your info about adding the pointers to the error 401 and 403 pages (I logged into my cPanel and used the convenient Advanced->Error Pages feature to create the pages in root public_html folder) and then added:-
    ErrorDocument 401 /401.shtml
    ErrorDocument 403 /403.shtml

    into the top of my my .htaccess file. Note cPanel created these as .shtml files in my site ROOT (public_html), so the actual error page is /401.shtml (not ./ and change .html to .shtml). These are subtle changes people not Linux savvy should be aware of.
    Thanks again
    PS. Time to clean up some of those annoying spam comments above!? 😉

    • Actually after additional testing I wanted to add that changing the RewriteRule to include the extra slash (RewriteRule ./ /index.php [L] ) broke other features of my site like sitemap generation! I put it back to RewriteRule . /index.php [L] and sitemap works correctly now and more importantly the password protection still works properly.

  10. Pingback: Reference Managers | Robert P. Allred, PhD

  11. Making use of Aptoide for PC has actually been enabled by using Android emulators like BlueStacks, Andy, as well as Remix OS. Before going through the installation directions, allow’s learn a bit regarding this application.

  12. Control the rate of your video with slow/fast motion control with playback arrangement up to 0.2 secs. As well as attributes a number of functions like reverse & blurred background, voice improvement & audio speed change and the edits can be previewed in WYSIWYG user interface.

Leave a Reply

Your email address will not be published. Required fields are marked *