How to Password Protect a Directory in cPanel
A staging folder, a client proofing area, an admin tool you don't want indexed by Google - sometimes you need a directory locked behind a login prompt that has nothing to do with WordPress or your CMS. cPanel has a built-in feature for exactly this, and it takes about two minutes to set up. Here's how to do it properly, and what to check when it breaks something else on the site.
What Directory Privacy Actually Does
cPanel's "Directory Privacy" feature (older themes call it "Password Protect Directories") drops an .htaccess file into the folder you pick, pointing at a separate .htpasswd file that stores the username and an encrypted password hash. When a browser hits anything inside that folder, Apache challenges it with a plain login box before serving a single file - this happens at the web server level, before PHP, WordPress, or any application code even loads.
That last part matters. It's not a login form, it's HTTP Basic Authentication. There's no "forgot password" link, no styling, and no way to protect only some file types inside the folder while leaving others open - it's all or nothing for everything under that path.
When to Use It (and When Not To)
- Good fit: a staging copy of a site you don't want search engines crawling, a folder of client proofs or invoices, an internal tool or dashboard, a backup directory you occasionally browse via URL.
- Bad fit: your entire website root if it runs WooCommerce, has a REST API, or receives webhooks/callbacks from payment gateways - Basic Auth will block those requests too, and you'll spend an hour figuring out why PayPal IPNs stopped arriving.
- Not a replacement for: real user accounts. If you need per-user roles, self-service password resets, or an audit trail, use your application's own login system instead.
Step-by-Step: Setting It Up
- Log in to cPanel and open Directory Privacy (search the top bar if you don't see the icon - it's usually under the Files section).
- Click through the folder tree to the exact directory you want to lock, then click its name (not just the folder icon) to open its settings.
- Check "Password protect this directory" and give it a label - this is just a display name for the login prompt, not a username.
- Click Save, then scroll down to "Create User" and add a username and a strong, unique password. Click Save again.
- You can add more than one username/password pair here if several people need access with their own credentials.
Behind the scenes, cPanel writes an AuthType Basic block into the folder's .htaccess and stores the credentials in a .htpasswd file, usually placed outside the web root (something like /home/username/.htpasswds/public_html/foldername/passwd) so it can't be downloaded directly.
Testing It
Open the folder URL in a private/incognito window - your regular browser may cache old sessions and not show the prompt. You should get a native browser dialog (not a styled web page) asking for a username and password. Enter the credentials you just created; you should land on the folder's contents. Wrong credentials should return a 401 Unauthorized, not a blank page or a redirect.
Common Problems After Enabling It
| Symptom | Cause | Fix |
|---|---|---|
| 500 Internal Server Error on the folder | An existing .htaccess in that folder had rules (rewrites, WordPress permalinks) that conflict with the new auth block, or the .htpasswd path is wrong | Open the folder's .htaccess in File Manager and confirm the AuthUserFile path matches where cPanel actually saved the .htpasswd file |
| Login prompt never appears, page just loads | The directory is served through a CDN or reverse proxy (e.g., Cloudflare) that's caching the response from before protection was enabled | Purge the cache for that URL, or set a Cloudflare page rule to bypass cache for that path |
| AJAX calls or a REST API under that path start failing | Basic Auth blocks every request, including background XHR/fetch calls your app makes to itself | Move the protected folder so it doesn't sit above any path your app calls internally, or protect a narrower subfolder instead |
| Search engines stop indexing pages there (on purpose or not) | Googlebot gets the same 401 challenge as everyone else and can't crawl past it | Expected behavior if this was a staging area; if it wasn't supposed to be crawled anyway, add a noindex too as a backup |
| Prompt keeps reappearing every few minutes | Basic Auth credentials aren't a persistent session - some browsers re-prompt after tab restarts or long idle periods | This is normal behavior for HTTP Basic Auth, not a bug - there's no session timeout to tune |
Removing Password Protection Later
Go back into Directory Privacy, select the same folder, and uncheck "Password protect this directory," then save. cPanel removes the auth block from .htaccess automatically. If you had custom rewrite rules in that .htaccess before you protected the folder, double-check they're still intact afterward - it's rare for cPanel to touch them, but it's worth a quick look before you walk away.
Prevention: Get the Scope Right the First Time
- Protect the narrowest folder that actually needs it - a
/staging/or/private-docs/subfolder, notpublic_htmlitself, unless you genuinely want the whole site gated. - Never store the
.htpasswdfile inside a web-accessible path with a predictable name - cPanel already handles this correctly by default, so don't move it manually. - Use a password manager to generate and store the credentials; Basic Auth has no reset flow, so losing it means going back into cPanel to reset it manually anyway.
- If the folder needs to accept automated requests (webhooks, cron-triggered scripts, API callbacks), protect a different folder or whitelist those specific files with a separate rule instead of the whole directory.
Frequently asked questions
Does Directory Privacy work with WordPress admin folders like wp-admin?
Technically yes, but be careful. Protecting wp-admin with Basic Auth on top of the normal WordPress login adds real security, but it will also block admin-ajax.php calls that some plugins and themes rely on for front-end features, since that file lives inside wp-admin. Test your site's front end thoroughly after enabling it, or protect wp-login.php specifically instead of the whole folder.
Can I password protect a directory without cPanel, using SSH instead?
Yes - you can generate the .htpasswd file yourself with htpasswd -c /path/to/.htpasswd username and add an AuthType Basic block to the folder's .htaccess manually. cPanel's Directory Privacy tool just automates this and stores the file outside the web root for you, which is why most people use the GUI instead.
Will this slow down the protected folder?
No. HTTP Basic Auth is a lightweight check Apache does before serving the request - there's no measurable performance cost. The only overhead is the one extra round trip for the login prompt itself, which only happens once per browser session.
I forgot the password I set - how do I get back in?
There's no recovery link. Go back into cPanel's Directory Privacy tool, select the protected folder, delete the existing user under it, and create a new username and password. This immediately replaces the old credentials.
Does this protect the folder from search engines and bots too?
Yes, any automated crawler that can't authenticate gets the same 401 response as a regular visitor, so protected folders effectively stop being indexed. That's often a bonus for staging sites, but keep in mind it also blocks legitimate services like uptime monitors or webhook callbacks unless you exclude them.