I’ve come across this problem a number of times, of course each time I think “this will be fixed next time”.  Unfortunately it’s not the case.  What’s the problem then?

You have a directory that you want to password protect, lets call it “secrets”.  It resides in /home/mysite/public_html/secrets/ on the server.  Now fortunately you are using a hosting control panel like cpanel and you’ve password protected directories before (if not then have a hunt on this site or on google!).

Before you activate the protection you can view the contents fine, so you activate protection – driven by a .htaccess file… and then rather than being asked for your username and password, you get a 404 or a 403 message from wordpress “Sorry the page you are looking for cannot be found”.

Intrepid system administrators hunt through error logs, and sure enough the access log is recording a 404… however the error log is recording something different.

Permission denied: /home/mysite/public_html/secret/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

This error message has had a number of solutions in the past, including the infamous “reinstall frontpage extensions”, except these are long gone – not supported and never will be again, please don’t go installing them just to get past this problem! – It will end in tears.

Instead you just need to add a couple of lines to the wordpress .htaccess file in the root of your site (e.g. /home/mysite/public_html/.htacess). Go to the file and just before the main WordPress part

#BEGIN wordpress – add the following

ErrorDocument 401 /%{REQUEST_URI}/errors.html
ErrorDocument 403 /%{REQUEST_URI}/errors.html

This should set the site to working, now why does this work?

Simply put wordpress is often run with a pretty url mode (permalinks) where the addresses for posts are made to look more pretty.  When you request your secret directory the server tries to access it, looks at the .htaccess file and promptly tries to do a redirect, this invariably ends up at a page wordpress cannot access – this doesn’t happen without the .htaccess as wordpress allows access to existing real files, but the htaccess security says the file doesn’t exist until the password is entered and so it intercepted.

It’s all a bit confusing, however adding these lines essentially means wordpress can get out of the way when those errors occur, 401 and 403 are authorisation required or failure codes, so wordpress will ignore and the htaccess can safely challenge your.


Hopefully this will help if you come across this problem.