AskApache Password Protection, For WordPress


AskApache Password Protect adds a serious layer of password protection to your WordPress blog. It protects not only your wp-admin directory but also wp-includes, wp-content and the plugins directory. Think of it as a brick wall in front of your fragile .php scripts, shielding them from the endless probing of automated web robots and password-guessing, exploit-serving worms. Forget spam: these millions of zombie bots are too numerous to ignore. They fire known (and often strangely outdated) exploits at blogs and other Internet software, hunting for installations that still carry a known vulnerability. Sooner or later some blogger misses an upgrade and becomes a victim of this kind of attack.


Attackers

Of course this will never stop a determined attacker intent on taking over your blog; if you are connected to the Internet on a public line, a password prompt alone cannot stop them. Most of the people attacking the blogosphere are just playing. They write code that exploits a vulnerability in some open-source software like phpBB or WordPress, and many of them actually help the open-source community by finding security issues and bringing them to light. So who is this plugin built to stop? It is built to stop the traffic that is constantly trying to crack into YOUR average blog. Why would anyone want to hack an average blog like mine or yours? The answer is that it is not a particular group, entity or person: it is an army of robots, and they never stop.

So how do these robots attack us? What is their ammunition? Very specific knowledge of how to exploit security holes in very specific software versions. Vulnerabilities are discovered all the time, mostly small ones, but a hole that is a nuisance for those of us running WordPress 2.5 can be lethal for a site still running 2.1. These robots are programmed to do one thing only: try the exact same exploit that worked against 2.3 against every host on the Internet, as fast and as anonymously as they can, hammering networks with non-stop requests. Robots have no choice but to leave my servers alone. A 403 Forbidden for the path they probe means the file they wanted to reach was never executed, and an HTTP authentication challenge in front of wp-admin means the request they fire at it never reaches PHP at all. Once again, this will not stop a skilled attacker, but it will stop the vast majority of the bots that "hacked" the vast majority of compromised blogs.

Description

This plugin will make a lot of the bots out there stop coming back, and I have found this exact type of security setup to be a great insurance policy against brainless zombie bots. A few years ago I implemented this password protection on a forum I was the security admin for, and it didn't seem like a big improvement to many people. The forum software we were running was phpBB, and during that Christmas break we weren't even thinking about the forums. When we got back, though, the whole place was in an uproar. Some kid had sent out a million of these zombie robots with a single payload: an exploit that he knew would successfully penetrate the forum's defenses. It did.

It was like a tidal wave across the world, that's how many phpBB forums were hit. Thankfully all the kid did was copy each forum into a kind of book format and sell it on eBay. Anyway, we looked at the logs for our server and forum and saw he had tried the exact same thing against us, and he did have our forum software's own defenses beat. He had his targets scoped out and meticulously researched: a nice fat range of forums needing an upgrade. As long as the bots could get to the inner door (the admin login) they could knock it down in seconds and own the whole thing.

Everything about the attack on our server was incredibly smooth and fast: it hacked past the user login and then flew straight towards the administrator login. Then, out of nowhere, it ran full speed into a wall it had not been written to expect, the HTTP authentication prompt in front of the admin directory. That is exactly what you will have after installing this plugin. It's like being surrounded by a small army: a sniper can still get you, but you can forget about the ground troops.

If you are worried about your WordPress blog getting hacked, this can help immensely. It adds a second layer of security, in front of WordPress's own login, by requiring a username and password from the web server before anything in the /wp-admin/ folder is served.

The plugin is simple: you choose a username and password and you are done. It writes the .htaccess file without messing up what is already there. It also hashes your password (in the format Apache's htpasswd tool uses; the password itself is never stored) and creates the .htpasswd file, as well as setting restrictive file permissions on both.

The plugin picks default locations for the .htpasswd and .htaccess files, but you can change them to anything you want, right from your WordPress admin panel. The safest location for the password file is an absolute path outside the document root: the web server process can still read it there, but no URL maps to it, so a visitor can never fetch it.
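To make concrete what the two generated files need to contain, here is a hand-written equivalent as an added example (this is not the plugin's own output, and every path, realm name and hostname in it is an assumption). It shows the wp-admin/.htaccess that demands credentials, with the weak placement of the password file beside the corrected one, a root .htaccess fragment that refuses direct requests for PHP under wp-includes and wp-content, and a guard for the password file itself. Apache 2.4 directive syntax is assumed. The final wp-login.php block goes beyond what the plugin does and is marked as optional.

```apache
# ---- wp-admin/.htaccess --------------------------------------------------
# Everything under wp-admin/ must present HTTP Basic credentials before any
# PHP runs. AuthUserFile must be an ABSOLUTE path the web server can read.
#
# Weak: password file inside the document root. It is fetchable by URL
# unless a deny rule happens to match its name (see the next section).
#   AuthUserFile /var/www/example.com/htdocs/.aahtpasswd
#
# Corrected: outside the document root, so no URL maps to it.
AuthType Basic
AuthName "WordPress administration"
AuthUserFile /var/www/example.com/private/.htpasswd
Require valid-user

# Static pages for the 401 challenge and for 403 refusals, so the error
# response is served directly and not routed through WordPress's catch-all
# rewrite to index.php (the "404 instead of a login prompt" symptom).
ErrorDocument 401 /static-error.html
ErrorDocument 403 /static-error.html

# ---- root .htaccess, placed ABOVE the standard WordPress block -----------
# Refuse direct requests for PHP files under wp-includes/ and wp-content/.
# Static assets (css, js, images) still pass. Plugins whose PHP files are
# requested directly by URL (AJAX endpoints) need an exception here.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/wp-(includes|content)/ [NC]
RewriteCond %{REQUEST_FILENAME} \.php$ [NC]
RewriteRule .* - [F,L]
</IfModule>

# Apache's stock configuration denies URLs matching ".ht*" but NOT a custom
# name such as ".aahtpasswd". Cover both. (On Apache 2.2 use
# "Order allow,deny" followed by "Deny from all" instead of Require.)
<FilesMatch "^\.(ht|aaht)">
Require all denied
</FilesMatch>

# Optional, beyond the plugin: put wp-login.php behind the same prompt.
# Note that this also challenges ordinary subscribers who log in.
<Files "wp-login.php">
AuthType Basic
AuthName "WordPress administration"
AuthUserFile /var/www/example.com/private/.htpasswd
Require valid-user
</Files>
```

Two checks worth running after writing files like these: request https://blog.example/.aahtpasswd (or whatever name you chose) in a browser and confirm you get 403, not the file; and request /wp-content/plugins/some-plugin/file.php directly and confirm 403 while /wp-content/themes/your-theme/style.css still loads.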

Screenshots

New .htaccess security modules for wp-includes and wp-content

WordPress 2.5 Compatible - AskApache Password Protect

AskApache Password Protection, For WordPress

Downloads

Download the AskApache Password Protection Plugin

Installation

  1. Upload aa-password-protect.zip to the /wp-content/plugins/ directory
  2. Unzip it there
  3. Activate the plugin from the Plugins page in the WordPress admin
  4. Open the plugin's settings page and set the username and password

Frequently Asked Questions

Do I have to type in my username and password on every admin page?

No. Your browser asks once, then re-sends the same credentials with every request to the protected directory until you close it.


How Secure Is It

In HTTP Basic authentication the username and password are sent with every request to the protected directory in the Authorization header, Base64-encoded but not encrypted. Base64 is a reversible encoding, not encryption: anyone who can observe the traffic (on a shared network, at a proxy, or anywhere along the path) can read the password out of a single captured request. The plugin therefore adds a second gate in front of wp-admin; it does not replace transport security. If the password must stay confidential on the wire, serve wp-admin over HTTPS so the header is encrypted in transit. The server side is in better shape: htpasswd stores only a salted hash of the password, so the .htpasswd file does not reveal the password directly even if it leaks, although a weak password can still be guessed offline from the hash.
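To make both the wire format and the file format concrete, here is an added example in Python (not the plugin's code). It builds the Authorization header a browser sends, recovers the credentials from a constructed captured request the way a passive sniffer would, and verifies a password against a constructed .htpasswd line using a port of Apache's "$apr1$" iterated-MD5 scheme (htpasswd's default format) and the unsalted "{SHA}" format. The usernames, passwords, salt and request are made up for the demonstration.

```python
"""Added example: HTTP Basic auth on the wire and in the .htpasswd file.
All names, passwords and the captured request are constructed for the demo."""
from __future__ import annotations

import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def authorization_header(user: str, password: str) -> str:
    """The header a browser re-sends on every request once it has the credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def credentials_from_request(raw_request: str) -> tuple[str, str] | None:
    """What a passive observer recovers: Base64 is encoding, not encryption."""
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                user, _, pw = base64.b64decode(token).decode().partition(":")
                return user, pw
    return None


def _to64(value: int, count: int) -> str:
    """APR's 6-bit-per-character encoding (least significant bits first)."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_crypt(password: str, salt: str) -> str:
    """Port of apr_md5_encode(): Apache's '$apr1$' scheme, htpasswd's default.
    salt is up to 8 characters drawn from ITOA64."""
    pw = password.encode()
    salt = salt[:8]
    s = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    pl = len(pw)
    while pl > 0:                      # mix in len(pw) bytes of md5(pw+salt+pw)
        ctx.update(alt[: min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                           # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):              # stretching loop
        r = hashlib.md5()
        r.update(pw if i & 1 else final)
        if i % 3:
            r.update(s)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    )
    encoded += _to64(final[11], 2)
    return f"$apr1${salt}${encoded}"


def sha1_crypt(password: str) -> str:
    """htpasswd -s: '{SHA}' + base64(SHA-1(password)), unsalted."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def htpasswd_check(htpasswd_text: str, user: str, password: str) -> bool:
    """Server side: re-hash the offered password with the stored salt, compare."""
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name != user:
            continue
        if stored.startswith("$apr1$"):
            candidate = apr1_crypt(password, stored.split("$")[2])
        elif stored.startswith("{SHA}"):
            candidate = sha1_crypt(password)
        else:
            return False               # unsupported format in this demo
        return hmac.compare_digest(candidate, stored)
    return False


# Constructed sample: one browser request as seen by someone sniffing the wire.
CAPTURED_REQUEST = "\r\n".join([
    "GET /wp-admin/ HTTP/1.1",
    "Host: blog.example",
    "Authorization: " + authorization_header("admin", "correct horse"),
    "",
    "",
])

# Constructed .htpasswd with a fixed salt so the line is reproducible.
SAMPLE_HTPASSWD = "admin:" + apr1_crypt("correct horse", "r31.....") + "\n"
```

The Base64 step is the entire "protection" on the wire; the hashing only protects the server-side file. On Apache 2.4 prefer `htpasswd -B` (bcrypt) when creating the file by hand; the MD5 variant is shown because it is what most .htpasswd files of this era contain.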

WordPress Codex Security Articles

  1. Limiting access: Making smart choices that effectively lower the possible entry points available to a malicious person.
  2. Containment: If a weak point in your installation is found by a malicious person, your system should be configured to minimize the amount of damage that can be done once inside your system.
  3. Knowledge: Keeping backups, knowing the state of your WordPress installation at regular time intervals, documenting your modifications all help you understand your WordPress installation.

March 29th, 2008

Comments Welcome

  • Martha

    hi nice post, i enjoyed it

  • Greyson

    hi i enjoyed the read

  • Roland Rust

    great work! and thanks for you comment on http://wordpress.designpraxis.at/plugins/demo-mode/

    I actually was thinking of an http-authentication plugin, but the weird setup of my host's machine doesn't allow for certain statements within the .htaccess file. It results in an Error 500. That's why I did "Demo Mode".

  • MrGroove

    Thnx for the write-up. Take a look at http://www.groovypost.com/howto/apache/password-protect-apache-website/ for details on password protecting pages and directories for both LINUX and Windows boxes hosting apache.

    MrGroove

  • Grant

    Hi there

    I installed the plugin, activated it and turned it on by adding a username and password. When it asked for my username password and I typed in the same one I had entered earlier it wouldn't give me access, just kept asking for my username password.

    I noticed once the plugin was turned on that it said it hadn't written the .htpasswd file.

    How do I get access back and get the plugin working?

    thanks, Grant

  • AskApache

    @ Grant

    I hope you got my email!

    So sorry!

    Just edit your .htaccess file, using either SSH, telnet, or good old FTP. Remove the part the plugin added. I updated the plugin just yesterday so you might want to deactivate the plugin, download the newest version, and then try it.

  • sara

    It password protects my admin panel....not my blog. Have I done something wrong or is this what the plugin is designed to do?

  • AskApache

    @ sara

    please read the Description

    It adds a 2nd layer of security to your blog by requiring a username and password to access anything in the /wp-admin/ folder.

  • Elaine Vigneault

    Thanks for writing this plugin.

  • KMiNT21

    Useful plugin, thank you.

  • fruityoaty

    I installed it, but that "Authentication Required" window doesn't pop up AT ALL in Firefox 2 or IE 7 (that window that asks for name and password)!

    Now I can't even access my wp-admin URL. It keeps redirecting to home page. I tried deleting the plugin, but I'm still locked out of my WordPress admin. What do I do? Help!

  • Maaike

    Is it possible to protect another folder than the admin folder? I want my photos folder protected with a password. The 'normal' page protection doesn't work. Now it is possible to send the pictures' URL to someone and you can get in. So I'm searching how to protect it with .htaccess.

  • AskApache

    Also read the great, fantastic PDF from blogsecurity, Securing WordPress Blogs

  • Chaz

    Bug? The plugin itself doesn't like it when you tell AskApache that you want the password outside of the htdocs folder (example /Library/WebServer/ rather than /Library/WebServer/public_html/blog/). If you have the .aahtpasswd outside of the htdocs it can't be accessed by a web surfer, but it CAN be accessed by the web SERVER. Just make sure you're giving it an absolute path in the .htaccess file.

    Hope that helps. I also had to CHMOD 777 freakin' everything. Even after following examples in your ultimate guide and from BlogSecurity, WordPress, its themes and plugins just didn't like any access limitations. Hmmm, let me make sure the ownership is correct since I did not "upload" the files, just copied them locally.

    Maybe you should include a small segment on file ownership, eh?

    Thanks,
    Chaz

  • lubos

    hi,
    really nice plugin. i am not sure whether you know it, but in the standard setup (e.g., .aahtpasswd in the root of your web blog), wp-scanner complains about exposed dangerous files (.aahtpasswd world readable). it's probably the best solution to put it somewhere else, where it's not readable by the browser, but where it's still accessible by the server (as suggested also in #23), e.g., to the home directory

  • Aron

    How do you undo this plugin? I forgot the username and password I set up. I deleted the plugin folder and all the htaccess htpasswd files and it still asks to login before getting to WordPress's admin screen. Please help, I locked myself out of WP.

  • Stephen Cronin

    Okay, great idea - but it's not working for me. I don't get the "Authentication Required" window, it just throws a 404. This is occurring in FireFox 2.0.0.9, IE7 and Opera 9.23 on XP SP2.

    I've verified that the two files exist (.aahtpasswd and wp-admin/.htaccess) and that they have the correct content (as per the options screen).
    Okay, the solution to the 404 problem I mentioned in my previous comment works for me. The article said to add

    ErrorDocument 401 /myerror.html
    ErrorDocument 403 /myerror.html

    to your .htaccess file and create a static file called myerror.html.
    If you don't want it in your public_hmtl folder, then you can put it in a folder and add the folder's name to the two lines, ie:

    ErrorDocument 401 /[foldername]/myerror.html
    ErrorDocument 403 /[foldername]/myerror.html

    This seems to fix the problem, at least for me, but I'm not sure what impact it may have on other things (ie by having 401 and 403 go to the new file rather than WordPress handling it).

  • Dave J. (Scoop0901)

    Great plugin! Thanks for creating it. I like the idea of that second layer of protection being there.

    Now I have one question, as hopefully there's an easier way: How does the admin easily change the passphrase?

    My solution was to delete the files from the server, delete (actually, rename) the plugin, play in the MySQL database for a bit, re-add the plugin (change the name back to the original name), and re-activate it, which then allowed me to change the password. Surely there's a simpler way.

    Again, thanks for creating this. It's a great extra step.

  • Dave J. (Scoop0901)

    Never mind. Sometimes the simplest idea is never pursued. Yes, I just found clicking the "DISABLE PROTECTION" button brings you back to the screen to reset the passphrase and username.

    Argh. Let me go drive my head in the sand. Who looks for simple? :D

  • Violet

    I love your produce but the music on your site is...... somewhat distracting..... especially since a visitor has to shut it off each time they visit a page....

    This makes it a little difficult to absorb the width and depth of your obvious brilliance.

    I hope this sounded "diplomatic".

  • jakub gawkowski

    Nice tool, but by default insecure. Default .aahtpasswd is readable by Apache.

    Simple workarounds:

    1. change .aahtpasswd to .htaapasswd in configuration and plugin source (.ht must be first)
    2. update apache configuration as follows
    Order allow,deny
    Deny from all

  • Matt

    Thanks for the great plugin. It seems to be working fine now. I finally got it installed after trying a bunch of stuff. The key to getting it to write the .aahtpasswd and .htaccess files was changing permissions on root, wordpress and wp-admin folders to 777 for the install and then back to 755 afterwards.

  • jason

    In case anyone else has the following issues.

    First: I'm using developerside.net's implementation of Apache/MySQL/PHP for Windows, Wordpress 2.3.3, and AAPP 2.0.

    By default the plugin does not work with my implementation. When I activate the plugin and set it up I am unable to log in...instead I'm given a 500 page. When I'm finally able to get the authentication window it fails to authenticate me even if my username and password are correct.

    To fix the first problem I remove the AuthGroupFile line all together
    To fix the second problem I simply recreate my users password by opening a command prompt or shell in the same directory as the .aahtpasswd file (which should be out of the web root btw) and then running 'htpasswd .aahtpasswd use_your_username_here'.

    I haven't debugged the reason why the password is wrong, however resetting it manually works just dandy. Thanx for the great plugin!

  • deshoda

    Hello i installed this plugin and i was totally locked out of my admin.

    It didnt even prompt me for the password i had entered.

    So i had to delete the two htaccess files and now im getting the error:
    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, webmaster@deshoda.islandspoogy.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request

    any ideas as to how to undo the work of this plugin

  • Aseem N

    I am getting this error on going to the options page after installing the WordPress plugin.

    Wordpress is just freshly upgraded.

    Call to undefined function: wp_localize_script()

  • AskApache

    @ Assem

    I can't explain that one.. wp_localize_script has been defined since version 2.2! I checked!

    I did make a fix for it though, so redownload the new version.

    Also- Keep reporting any and all bugs!

  • jez

    well, the 2.x version worked fine, now with the 3.x version I get
    Error Creating

    FATAL ERROR! response code: 404
    My thorough testing shows your server isnt good enough to to handle .htaccess / .htpasswd files. Switch to Apache

    - tried the chmodding to 777 and forth and back, manually creating the files and deleting again. I really liked the additional security this plugin offers, not sure why this is freaking out now.

    maybe apache can help?

  • jez

    problem sorted out, the httpdocs (root) had also to be 777, as well as the wp-admin, seems like I missed one folder either way when fiddling around.

    nice plugin, I appreciate it, keep up the good work sir!

  • Dan

    I get (rather arrogantly) told...

    Error Creating /web/builder/.htpasswdaa1

    FATAL ERROR! response code: 404
    My thorough testing shows your server isnt good enough to to handle .htaccess / .htpasswd files. Switch to Apache

    But that simply is not true, I am on an apache server, (a very good one) but all the normal port settings have been changed to make the server more secure. Could this be the problem?

  • Dan

    Am I understanding this correctly?

    People think they are securing their site by making folders 777 permission? I hope everyone who has done that knows that 777 permissions will make your installation very insecure.

  • Alessandro Ferraresso

    I had to fix the code to prevent the file_put_contents() error.
    Now the options page is displayed correctly, but I get the following message: "Error Creating test pages for HTTP Authentication Enabled Test!"

    Does it have to do with my .htaccess file permissions? Please drop me a line if you know the answer!

    Great job anyway, hope I'll get it to work soon!
    Greetings from Italy!

  • Stephen Cronin

    Zack,

    That was my comment you referenced - and no there's been no solution yet. AskApache feel free to correct me if I'm wrong!

    However, I'm pretty sure it's something to do with my web host. I get the same problem if I turn on Password Protect Directories through CPanel. That's doing the same thing as the plugin, but the plugin is not involved - indicating that it's something to do with the server.

    I reported it to my host, but they want me to activate the protection and leave it in their hands to investigate further. That involves locking myself out of the Admin area until their finished and I haven't found a good time to do this!

  • Scot

    I too am having the 404 problem after activating the plugin and setting up a user. I'm sure it's a host issue and this occurs when I password protect the wp-admin directory using their control panel as well. However, any suggestions on why adding .htaccess password protection to the wp-admin folder would throw a 404 error? Other instructions contained within the .htaccess file in wp-admin do not cause the 404, seemingly only the password protection does.

  • ed

    Thanks Boss
    Installed fine but one problem:
    When a user registers and clicks on the URL that is included in the email he is prompted with the Wordpress login; when they login they are automatically redirected to the url wp-admin/profile.php which is of course protected.
    Can I change this behaviour?

    Ed

  • Stephen Cronin

    For those with the 404 problems, I found an article which seems to discuss it in depth at:
    WordPress admin password protection 404.

    The article's not related directly to this plugin, but it's the same problem. I haven't tried any of the suggestions yet myself, but will do so sometime in the next week or two. I thought I'd post the link in case anyone is wants to try it quicker!

    AskApache - you may want to have a look at this too, out of interest... Not sure if there's anything your plugin can do to get around this, but you never know.

  • Russell W

    This is a solid piece of work, but I'm actually looking for something a little *less* stringent. Is there any way to manipulate this plugin so that it will password protect a specific public post? WordPress 2.3+ had post-level passwords but they stunk. And 2.5 appears to have done away with the option completely!

  • Roy

    I just noticed that a direct request for
    /wp-login.php?loggedout=true
    doesn't get blocked. The same goes for
    /wp-login.php?redirect_to=%2Fwp-admin%2F

    Those paths are the same for all WP installations. Of course a hacker wouldn't be able to work if (s)he found out how to login, but I still wonder if it is smart to leave these pages open for someone to just try. Can't the wp-login.php not just be behind the password too?

  • Matt

    Last time I tried AskApache PassPro I was not able to make it work with another scheme that I already had set up called, “Hiding WordPress Installation Files”

    My question is this: do you think the AskApache protection is more important than the protection provided by hiding the WordPress installation files? Thanks.

  • jason

    obscurity does not beat strong authentication from a security point of view. this is not to suggest that obscurity does not provide a value, simply that I'd rather put my stock behind a strong password and an effective password protection system, than attempting to hide my files. The Word-Press site itself makes mention of this : Hardening WordPress

    jason

  • AskApache

    @ Marcus

    Thanks! fixed.

    @ Matt

    Whoa.. this is actually not a good thing to do. I am assuming that your blog is at site.com/wordpress/ not site.com/

    1. This will 301 (permanently) redirect everyone who attempts to visit ANY page or post on your blog to site.com
      1. Anyone who clicks on a link to your blog from a google search result or any search engine result will be redirected to your site.com
      2. This will totally remove all posts and pages on your blog from ANY search engine index because the search engine robots crawl your site using blank referrers.
      3. This will block your Google Adsense from working because the Adsense robot uses a blank referrer.
    2. Anyone who would be attempting to hack your blog would be smart enough to instantly recognize that a referrer is needed and that is very easy to spoof. Most automated web scrapers and bots automatically spoof the referrer header so this doesn't even block those.

    Another issue with this is that your code can be improved to:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
     
    # literal dots in the hostname must be escaped or they match any character
    RewriteCond %{HTTP_REFERER} !^http(s?)://([^.]*)(.?)example\.com.* [NC]
    RewriteRule ^/?wordpress/?(.*) http%1://%2%3example.com/ [NC,L,R=302]
     
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /wordpress/index.php [NC,L]
    </IfModule>

    One other issue I wondered about is what "installation files" you are talking about. The installation files are located in the wp-admin directory, so if you are going to use this method you should only be protecting the wp-admin directory.

    The AskApache Password Protect plugin approaches security through .htaccess in a very different way.

    1. The wp-admin directory is protected with http basic authentication password protection
    2. The wp-includes and wp-content folders are protected by disallowing any direct requests for files other than the static files like images, css, js, etc.

    Here's the .htaccess used by the AskApache Password Protection plugin:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # THE_REQUEST is the raw request line, e.g. "GET /wp-content/x.php HTTP/1.1"
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9} /wp-(includes|content)/.*$ [NC]
    # the dot before php must be escaped to mean a literal dot
    RewriteCond %{REQUEST_FILENAME} ^.+\.php$
    RewriteRule .* - [F]
    </IfModule>

    I think I might just not be understanding this technique.. it seems to be completely worthless other than as an academic discussion.

  • Matt

    Thank you for the extensive and helpful answer. I'll be switching over to the AskApache Password Protect. I hadn't realized that it also provided protection for the wp-includes and wp-content folders as well as the wp-admin folder. I also hadn't realized how easy it is to spoof headers and that the scrapers and bots are doing that automatically. Thanks again, I appreciate it.

  • AskApache

    @ Havard

    Really enjoyed your tutorial, reposted to your site.

    HTTP Basic authentication, which itself is not a security measure, and relies on a secure connection, such as TLS, to achieve secure authentication

    Yes that is the most common argument against it, though it's really a non-issue for 99% of sites. For an attacker to bypass the HTTP authentication on a non-encrypted connection, they would literally have to have a physical connection to a network path between an authenticated user and the server. The only issue is that the password and username are passed in cleartext, but you would have to be able to sniff the data off the wire to bypass it. As you can imagine, most of the automated exploit tools and bots performing mass exploits against WordPress blogs and other online software do not have this capability, so they are stopped dead. For sites that I admin that require a bit more security, I completely agree with you that SSL is mandatory, which encrypts the connection and thereby prevents an attacker with physical access who can sniff your connection from seeing the password pass in plaintext. That can be a very secure setup.

    Your logic and solutions to this problem are completely accurate and insightful, as you say here:

    If it is for a file or a directory, then Apache handles it (it falls through all the rewriting rules). This means that Apache will serve any file or directory as long as it can be read, which of course includes the WordPress installation files.... The desired situation is that people should only be able to read this files through “indirect” requests from your website, and not by accessing them directly.

    The problem is accomplishing that by using the HTTP_REFERER header is simply impossible and ineffective. And of course the biggest problem for most blog admins would be the overwhelmingly negative effects on SEO.

    Apache's mod_rewrite module only has 1 variable that can achieve your solution effectively, which is what the AskApache Password Protect plugin utilizes. Basically, the special variable THE_REQUEST contains the FULL HTTP request sent by the client; in fact, the internal operation of the server relies almost exclusively on this variable to determine the values of other variables, like the QUERY_STRING, PROTOCOL, REQUEST_METHOD, etc. THE_REQUEST looks like this.

    GET /wordpress/wp-content/plugins/ HTTP/1.1

    The reason this plugin is so special is because this is the only time the request is unfiltered. Basically ONLY external requests like clicking on a link or typing a link in a browser will cause this value. Other than using the REDIRECT_STATUS variable for those using cgi, this is the only way to determine whether a request is direct or indirect.

    To take it further, I've removed directory index generation and using the DirectoryIndex command to point to a static file we can make sure that directories can't be browsed. I've also used the NS or nosubrequest flag to make sure internal uri requests by apache and other modules are able to pass through. I would encourage you to try accessing files at askapache.com if you would like a demonstration.

    Options -Indexes
    DirectoryIndex /wordpress/index.php
     
    ErrorDocument 403 /forbidden.html
     
    RewriteEngine On
    RewriteBase /
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9} /wordpress/wp-(includes|admin|content)/?.* [NC]
    # escaped dot: match a literal ".php" suffix only
    RewriteCond %{REQUEST_FILENAME} ^.+\.php$ [NC]
    # flags are comma-separated with no spaces
    RewriteRule .* - [F,NS]

    I just noticed you wrote this a couple years ago, which is before I heard of this technique. This is just to add to your excellent article, as its a great idea and one of the better and easier ways to really increase your security. Subscribed!

  • Rob Chapman

    BTW- I'm running WP.org 2.3.2. on a hosted server.

    To clarify just a bit, when I attempt to log in to WP, I'm taken to my blog, but instead of getting the admin page, the sidebars display, but the following message pops up on top-

    "Sorry. The page you are looking for is not here."

    I'm actually logged into my blog ( I believe, as the META options displays a "Logout" button), but the admin, or edit functions won't display, only the "sorry your page is not here".

    I deleted the plugin altogether in My Computer, but still exactly the same issue.

    I'm a total loser with no life or contact with the outside world except the contact I have thru my crappy blog.

    Please help. I'm desperate. I may not survive much longer.

    Thank you-

  • Karimun

    Somebody asked this question already but I think it was not answered:

    the root file wp-login.php can be reached without any restrictions. Wouldn´t it be helpful to protect it too?

  • edelwater

    I noticed that I could not post via Windows LiveWriter anymore AND that my "inline tag thing" plugin wouldnt let me change tags via ajax. So I switched it off again, or is there some kind of workaround?

  • fenris

    thanks for the comment .. nice plugin .. hope other will enjoy using it too!!

  • Alex

    Many thanks for this. Have installed it, and will sleep better as a result!! Especially when on holiday!

    Cheers,

    Alex

  • Calderón

    Is version 3.6.6 compatible with WordPress 2.5.1? When I have activated the plugin, in the options control panel this appears:

    "htaccess support not found"

  • David

    After getting hacked I thought this plugin was the answer to my prayers, but after installing it I was unable to login with the username/password I set up. After reading the comments here I tried what you suggested in commment #12, removing the bit added by the plugin to my htaccess file. Now I get 404 errors when I try to log in to wp-admin! Looks like other folks have had this problem but I've tried everything suggested here and nothing has worked! I'm unable to login. Does anyone have any suggestions? Is there any way to completely deactivate the plugin and undo all the changes it's made without logging in? Any help is appreciated.

  • Gustavo Leig

    I installed the plugin, Im getting the message "htaccess support not found", my server support htaccess, what is happening?

    please help and thanks for your work.

    Gus

  • Roy

    I have used this plugin for almost a year. I noticed that it doesn't work since I downloaded the latest version (or since I installed Bad Behavior?) and now I also get the "htaccess support not found" error...

  • AskApache

    @ Roy and anyone else having problems

    Sounds like my fault :(

    I apologize for the trouble you are having, I'm still working on.. and making a lot of progress that will pay off in terms of security.

    It sounds like you need to disable the plugin, then manually (using ftp, control panel, ssh) delete the /wp-admin/.htaccess file and you could also remove any .htpasswd or .aahtpasswd files.

    Then clear your browser's cache, make sure you are on the latest version, and if it still doesn't work then try to email me the error messages produced by PHP and your Apache server; if it's ever worked in the past it will definitely work with the next upgrade. In the meantime you can always go download an older release that has worked for you in the past, and use that for now. You just can't beat this plugin's protection, and that is a fact, Jack.

    Sorry again for these issues,

    -AskApache

  • Roy

    Just a short update in case other people are struggling as well.
    There is no htaccess in the wp-admin folder and sometimes (I haven't figured out when yet) there is no longer an Ask Apache part in the htaccess in the root AND I can't delete the password file in the root. What I managed to do is the following:
    If I clear the password file (delete the content) and delete the Ask Apache part from the htaccess in the root AFTER I deactivated and deleted the plugin, I can upload version 3.5.1, activate it and get it to work. That's the only version that I get running as of now, but at least it's better than nothing! All other versions leave me with a password that is not accepted or doing nothing at all (not even a login screen).

  • Brad Isaac

    Hi,

    I am experimenting with your plugin today too. When I activate, the main .htaccess file is edited, but nothing is installed in wp-admin folder.

    Also, when I go to the options screen, nothing appears under the AA PassPro tab.

    Looks like it would be effective at holding off those xmlrpc hacks.

    Thanks!

  • Alex Rodriguez

    I am using the latest version that was just released and when I click on AA PassPro under settings I get stuck on...

    "Test for .htaccess capabilitybad fsockopen"

    Any suggestions? I had been using previous versions successfully.

    Alex

  • Stuart

    Hi, just a note to people actually using this with WP 2.5+, with regards to which modules to leave off:

    "Directory Protection Module" flat-out disables the /wp-admin/ address, which you need to login to your admin. I can't see how you would be able to login to your own admin with this on (wp-login.php actually forwards to /wp-admin/).

    "Protect wp-content" breaks many plugins, especially AJAX-enabling plugins, which request php files from their own directories.

    "Common Exploits" denies access from the post editor to the media uploader. Which is to say, when you click "Add Image" you get 301 Forbidden.

    All other modules are OK to enable.

    To sum up, this is a fantastic plugin and a no-exceptions required install on any website I build, but I really have to scratch my head at the inclusion of some of these modules, especially as a newbie to WP will naturally assume enabling all modules is the best way to go.

  • AskApache

    @ Stuart

    Awesome! This is definitely a challenge for me because it's using the HTTP protocol via fsockopen to test the capabilities of the Server for which modules will work. One mistake and a whole blog or plugin goes down. Newbies won't know how powerful this stuff is, nobody does. Once it gets more stable I'll explain in more detail what is going on.

    For you newer users to Apache Modules and WordPress, just know that this plugin gives you incredibly easy access to take down your entire site. The reason is because this plugin modifies the Server Configuration File of the Computer running your WP Blog.

    The great news is that this plugin really only modifies 2 files on your entire site.
    /.htaccess and /wp-admin/.htaccess, which makes it very simple, quick and easy to start over just by removing the code this plugin adds to those 2 files.

    Anyway Stuart thanks for that feedback I'm fixing them right now for 4.2.3

  • soyuz

    hi, I just downloaded your plugin and tried to install it into my WP 2.5.1, but no luck.

    At first, it said that my wordpress folder, wp-admin folder, wp-content folder need to be writable. But all three folders are 755. And it said we shouldn't chmod 777 our folders, but after I changed to 777 I passed the Test for read/write permissions.

    but i have this error:
    Error Creating test pages for HTTP Authentication Enabled Test files!

    my webhost is apache and support htaccess.

    if you have the solutions that would be great.

    thanks in advance.

  • Mark

    Needs more info on what to do when the install f#*ks up your blog.

    I installed it correctly , then I couldn't get back into my blog. Kept getting a internal server error.

    SO I deleted the htaccess file and deactivated the plugin.

    It's a shame, this could have been a useful plugin.

  • Tom Johnson

    I appreciate your work on this plugin, but it's not working for me and at this point, I'd just like to uninstall it. I can't access my admin panel at all now. When I go to my login page, it shows an error.

    I tried downloading both my .htaccess files -- both at the site and root levels -- but they aren't modified at all. I thought there'd be some Ask Apache Plugin code rules to delete, but there aren't.

    I tried deleting the plugin itself. Both of these attempts don't uninstall the plugin, and I'm totally locked out of my WordPress admin panel. I'd really appreciate your help. How do I uninstall this plugin manually? Thanks,

    Tom

  • Tom Johnson

    Just added a cautionary note to the promotion of this plugin on the Hardening WordPress codex page. My caution is as follows:

    Caution: Installing the AskApache Password Protection plugin may lock you out of your WordPress Admin panel and return an error 500 when you attempt to go to yourdomain.com/wp-admin. You might try installing the plugin on a test site first, as your server or other configurations may cause issues. Uninstalling the plugin is also difficult (simply deleting it through FTP doesn't deactivate it). See the comments under the author's plugin home page to read other users' experiences with this plugin.

    I wouldn't have written this caution if I weren't frustrated at being totally locked out of my site with no clear instructions on how to remove this plugin's work.

  • Tom Johnson

    I didn't realize there was a new .htaccess file inside the wp-admin folder. When I removed that, I could then log back in and deactivate and then delete the plugin. I had been playing around with the wrong .htaccess files.

  • Nicole

    Just installed the plugin on my newly reinstalled (after being hacked), latest-version blog, and when trying to access it for the first time it starts with "failed: the root directory, wp-admin and wp-content need to be writable by php". So I go and change permissions from 755 to 766 and refresh the page, but then it gives me "forbidden". Change everything back to 755 and I'm back to the one telling me to make them writable.
    There is no .htaccess file to be found anywhere (and show hidden files is turned on in filezilla). How do I fix this?

  • Asatru

    I fixed the 500 Server Error on my WP 2.5.1 Blog.

    Delete following Code in the generated htaccess file:

    SecFilterEngine Off

  • Will O’Hageman

    Just activated askapache password protect, and on the first page everything passes but Plain Encryption capability, which failed. What should I do?

  • AskApache

    @ Will O'Hageman

    That's normal, most servers will fail the plain encryption test, as it's really not encrypted at all and is only there for servers not supporting basic htaccess authentication.

    I'll improve the documentation *like your blog suggests plugin authors do* for the next release :)

  • Alex

    Hello,

    First of all, thank you for this plugin. My question is: are you planning to release a new version in the near future with any major fixes and/or improvements? Is it compatible with WP 2.6?

    Thanks,
    Alex

  • kabonfootprint

    Awesome plugin

  • Emerson

    To the plugin developer:
    Thanks for this, great plugin, however when I installed this plugin using a Godaddy Economy/Free hosting account, I cannot log in to the wp-admin panel even though I have the correct access info.
    Is this something to do with the Godaddy free hosting account? I know that with this type of hosting, I cannot make a folder above the root/public html folder, so this means that when the Apache password protect plugin creates an .htpasswd, which should be placed not in the public html folder, it cannot do so because of the Godaddy free hosting account restriction.
    Is this the correct cause of why I cannot login? Many thanks.

    Merzz

  • Alexpts

    How do I protect the file wp-login.php? People keep trying to hack my wp-login.php.

  • Michael

    Hello,
    After copying of the last AA PassPro Version to my plugin Directory (wp262) and the plugin activation, I got the message that there is a new version of the plugin.
    Unfortunately the online update was not successful!
    When I try to access my plugin admin page now I get this message:
    Error 500 - Internal server error
    An internal error has occurred! Please try again at a later time.
    What can I do?
    Deleting of the AA PassPro has no effect, the same if I copy the directory a second time to the webserver.
    What can I do? Any Idea?
    Thanks, Michael

  • Mike

    Hi there, what a great plugin. One problem. I set it up as per instructions. When I went to activate the various areas, it gave me a 404 page each time bar the initial activate htaccess. Now I can't access any section of my site admin at all even when I input my passwords. I deleted the plugin and htaccess files but still have no access. What can I do??

  • Martin Marinov

    Very nice plugin but I have one problem with it. I turned on one function for the admin panel and now I can't log into it. It shows me 500 Internal Server Error. What should I do?

  • Tracey

    Great plugin. Does it work with Wordpress 2.71?

    Thanks

  • Riz

    damn, you removed the music player :P
    you know I bookmarked this site just to listen to one song you had in there.... now I can't anymore :'(

  • Steven

    I activated this one:

    Denies Requests containing ../ or ./. which is a directory traversal exploit attempt..

    And now I am locked out of my website (so is everyone else)! How do I fix this?

  • Norhafidz

    Thanks for this plugin. Now I can rest a lot without worrying about my blog's security :)

  • Perfu

    Useful plugin thank you.

  • Raghu

    Great plugin for sure...

    Thanks.

  • manasi

    Hey guys, need some help here. I noticed several things after I upgraded to 2.8.2. The first thing I noticed is that for some reason I could access my wp-admin page without getting a login page. Suspecting something amiss, I cleared the cache, rebooted and tried again; I could still access the site. Not good and not normal. So, I enabled the two options within AAPP that I had not before: protect wp-admin and protect wp-login. However, now even I cannot get into my admin page. There was no prompt to create a user, and when I try to get in I get 401 ( forbidden) which is the action it is supposed to do. How do I disable (temporarily) the security that blocks even me?

  • Cauchy

    I tried installing the version available from the WordPress.org site today. It ran the tests and said everything was fine. I enabled protection for wp-admin and now I cannot access my wp-admin area at all. There was nothing in the .htaccess file and I removed the .htaccess file in wp-admin after removing the plugin via FTP. Is there any way I can regain access? I also did not see a .htpasswd file anywhere in my directories. Thanks.

  • Patrick

    How exactly am I supposed to configure my file/folder permissions in order to get this plugin to initialize correctly? I keep getting the following file permissions error: "/wp-admin/.htaccess file writable". The installation instructions are a bit light.

  • Patrick

    I got this to install. It seemed to require that the .htaccess and .htpasswd files currently exist in the protected folder(s); wp-admin (I think).

    After initial configuration I ran into another problem with the following SID modules: SPECIFIC CHARACTERS and Directory Traversal. They broke my site.

    Would be nice if the Manage Security Module GUI listed which SID items in the .htaccess were related to what SID Module. That way when my site breaks and I have to manually edit the .htaccess it is a little bit easier to know what lines to remove.

  • Patrick

    I also ran into the problem where I was locked out of my wp-admin site. Other than that this plug-in seems very useful. I was able to fix the wp-admin login issue by deleting/renaming the .htaccess file in the wp-admin directory. The author appears to be working on an update. Hopefully this will fix that.

  • Daniel Pipitone

    OK, I am having an issue. I just installed this running the latest version of WP (2.8.5) and activated the first two authentication options for the login area. Now I cannot get to the login and get a "nothing found at..."

    Anyone help?

    http://danielpipitonedesign.com/wp-admin/

  • Gabstero

    Hi All -

    Tried to install the plugin (via the plugin install from the dashboard) on a WP 2.8.5. The plugin does not add the .htaccess files - had to add them manually and also for some mysterious reason I am getting these php errors on the AA Pass Pro settings page:

    Warning: array_merge() [function.array-merge]: Argument #1 is not an array in wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1316
     
    Warning: join() [function.join]: Invalid arguments passed in wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1319

    All the squares are green except the "Test folder writable" that is red.

    Any help very useful!

    Thanks

  • Ronald

    I've got Wordpress installed in a subdir (/web) and your plugin fails to find the .htaccess files (/web/.htaccess).
    How can I correct this?

  • Gautam

    Hello,

    I am getting one URL like http://www.example.com/de/test.html and I want to remove it so that it becomes http://www.example.com/test.html

    Can anyone say what to do in .htaccess file

    Thanks,

  • Önder ÖZCAN

    I just installed this plugin and my wp-admin gives a 403 forbidden error. Can anyone tell me how I can remove this crappy plugin without accessing the admin panel?

  • Maan jony

    I also have the 500 internal server error.
    To remove it is very easy, and afterwards you can log on to your admin and uninstall this plugin.
    First log on to your FTP and go into wp-admin.
    Open .htaccess in an editor and remove the code of this plugin, which is the following:

    # +ASKAPACHE PASSPRO 4.6.5.2
    #######################################################
    #               __                          __
    #   ____ ______/ /______ _____  ____ ______/ /_  ___
    #  / __ `/ ___/ //_/ __ `/ __ / __ `/ ___/ __ / _
    # / /_/ (__  ) ,< / /_/ / /_/ / /_/ / /__/ / / /  __/
    # __,_/____/_/|_|__,_/ .___/__,_/___/_/ /_/___/
    #                     /_/
    # - - - - - - - - - - - - - - - - - - - - - - - - - - -
    # +APRO SIDS
    # +SID 20030001
     
    Satisfy Any
    AuthType Digest
    AuthName "Protected By AskApache"
    AuthDigestDomain / http://www.asportsnews.com/
    AuthDigestFile /web/studysol/public_html/.htpasswda3
    Require valid-user
     
    # -SID 20030001
    # -APRO SIDS
    # - - - - - - - - - - - - - - - - - - - - - - - - - - -
    #               __                          __
    #   ____ ______/ /______ _____  ____ ______/ /_  ___
    #  / __ `/ ___/ //_/ __ `/ __ / __ `/ ___/ __ / _
    # / /_/ (__  ) ,< / /_/ / /_/ / /_/ / /__/ / / /  __/
    # __,_/____/_/|_|__,_/ .___/__,_/___/_/ /_/___/
    #                     /_/
    #######################################################
    # -ASKAPACHE PASSPRO 4.6.5.2
     
    # BEGIN WordPress
     
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    Clear your cache and browsing history cookies also.
    Delete the .htpasswd3 and the plugin from the plugins folder, that's up to you, and that's it, you remove it easily.
    If there is anything else, PM me.
    Thanks, good plugin but it requires a lot of work.
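    Two recovery steps that come up repeatedly in these comments are checking a generated .htaccess for the directive that triggers the 500 error (Asatru's "SecFilterEngine Off" fix above) and removing the block that the plugin writes between its "# +ASKAPACHE PASSPRO" and "# -ASKAPACHE PASSPRO" markers (the manual uninstall Maan jony describes). The following shell script is an added example, not code from the plugin or its author; the sample .htaccess it writes, the script name recover.sh and every path in it are constructed for the demonstration, and the placement of the SecFilterEngine line inside the plugin block is an assumption.

```shell
#!/bin/sh
# Added example, not code from the AskApache plugin or its author. It covers
# two things commenters describe: checking a generated .htaccess for the
# "SecFilterEngine Off" line that produced a 500 error (Asatru's fix) and
# removing the block the plugin writes between its "# +ASKAPACHE PASSPRO" and
# "# -ASKAPACHE PASSPRO" markers (Maan jony's manual uninstall). The sample
# file and every path in it are constructed for the demonstration.

# lint_htaccess FILE
# Prints one line per finding and returns 1 if anything was found:
#   (a) an AuthDigestFile/AuthUserFile pointing at a file that is not readable
#       (no login can succeed against a password file Apache cannot open);
#   (b) a SecFilter* directive outside <IfModule mod_security.c>, which Apache
#       rejects with "500 Internal Server Error" when mod_security is absent.
lint_htaccess() {
    file="$1"
    findings=0
    for pw in $(awk '/^[[:space:]]*Auth(Digest|User)File/ { print $2 }' "$file"); do
        if [ ! -r "$pw" ]; then
            echo "password file not readable: $pw"
            findings=$((findings + 1))
        fi
    done
    unguarded=$(awk '
        /^[[:space:]]*<IfModule[[:space:]]+mod_security/ { guard = 1 }
        /^[[:space:]]*<\/IfModule>/                        { guard = 0 }
        /^[[:space:]]*SecFilter/ && !guard                 { n++ }
        END { print n + 0 }
    ' "$file")
    if [ "$unguarded" -gt 0 ]; then
        echo "$unguarded SecFilter* directive(s) outside <IfModule mod_security.c>"
        findings=$((findings + unguarded))
    fi
    [ "$findings" -eq 0 ]
}

# has_askapache_block FILE   -> true if a plugin marker line is present
has_askapache_block() {
    grep -q '^[[:space:]]*# [+-]ASKAPACHE PASSPRO' "$1"
}

# strip_askapache_block FILE
# Deletes everything from the "+ASKAPACHE PASSPRO" marker through the matching
# "-ASKAPACHE PASSPRO" marker, in place, after saving FILE.bak. Lines outside
# the markers (e.g. the "# BEGIN WordPress" rewrite rules) are kept verbatim.
strip_askapache_block() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp "$file" "$file.bak"
    awk '
        /^[[:space:]]*# [+]ASKAPACHE PASSPRO/ { skip = 1 }
        !skip                                  { print }
        /^[[:space:]]*# -ASKAPACHE PASSPRO/    { skip = 0 }
    ' "$file.bak" > "$file"
}

# make_sample_htaccess FILE
# Writes a constructed .htaccess resembling what the plugin generates; the
# AuthDigestFile path is deliberately nonexistent and the SecFilterEngine line
# is placed inside the plugin block (an assumption, based on Asatru's report).
make_sample_htaccess() {
    cat > "$1" <<'EOF'
# +ASKAPACHE PASSPRO 4.6.5.2
# +APRO SIDS
# +SID 20030001
SecFilterEngine Off
Satisfy Any
AuthType Digest
AuthName "Protected By AskApache"
AuthDigestFile /tmp/askapache-example/does-not-exist/.htpasswda3
Require valid-user
# -SID 20030001
# -APRO SIDS
# -ASKAPACHE PASSPRO 4.6.5.2

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
EOF
}

# Usage: sh recover.sh FILE           -> lint only
#        sh recover.sh --strip FILE   -> remove the plugin block from FILE
case "$1" in
    --strip) strip_askapache_block "$2" ;;
    "")      ;;   # no argument given: only define the functions
    *)       lint_htaccess "$1" ;;
esac
```

    Run the lint first on both files the plugin touches, /.htaccess and /wp-admin/.htaccess, and only strip the block once you have a backup; the .bak copy the script leaves behind is what lets you put the protection back after the underlying cause (an unreadable password file or an unloaded module) has been fixed.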

  • Saerin

    Hi! Okay, I admit I'm clueless about anything related to setting up a page. I searched for a password plugin and downloaded yours. I clicked around and must have done something dramatically wrong because now, I can't access my website at all. Whatever I click or type in, I get the following message to contact the webmaster but I am the webmaster! So what do I do? How can I fix it? I'd really appreciate your help. Please email me.

    Thank you so much!

    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, webmaster@saerinandbrian.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

  • Steve

    Take a look at www.pixelock.com for a truly effective password site, I found it last year and works great for me.

    Cheers
    Steve

  • gopalb123

    Hi,Maan jony ~

    I also have the "500 internal server error" after activating the askapache plugin and I tried to rectify it but could not. I'm following your instructions....
    *************************************************************************************
    to remove it is very easy and after you log on your admin and uninstall this plugin.
    first log on your ftp and in wp-admin .
    ************************************************************************************
    I could not find .htaccess file in my server.....please help me.
    Regards
    gopalb123

  • Edp

    Seriously. There needs to be a FAQ on how to completely undo everything this plugin does. I have two wordpress sites and only installed it on one. Now I can't get into the admin area of either and I deleted the .htaccess and aapasswd files, deleted the plugins, edited the db and still can't get into either site now.

    Really. Need. A. Writeup.

  • sino

    I can not go to the admin panel

    Internal Server Error
     
    The server encountered an internal error or misconfiguration and was unable to complete your request.
     
    Please contact the server administrator, webmaster@xxx.net and inform them of the time the error occurred, and anything you might have done that may have caused the error.
     
    More information about this error may be available in the server error log.
     
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    Please Help me :( !

  • Harry

    I’ve created a small script which helps people without a fixed IP to get all network ranges of their provider. The output can be directly added to the .htaccess file. I don't know if it works for all providers, for my providers it does.

    The output of the perl script looks like:

    allow from XXX.X.XXX.0/24
    allow from XXX.X.XXX.0/24
    ….

    The script and some more explanation is available here.

    It's only needed to replace the netname within the script. On the page it is described how to find out the dial-in netname of your provider.

    I hope it’s useful.

    Greetings from Germany,
    Harry

  • Chefstomaten

    Hello!

    Where is the short and clear instruction on how to get rid of the plug-in? That is what I am missing from the FAQ. I installed it after reading a recommendation from a source I trust. I wish I hadn't. I can't update any plug-in nor wordpress. So I really need to get rid of this plug-in. I've googled a bit and found a lot of people looking for this information, so I really suggest that you add it to the FAQ.

    Thanks!

  • Chris

    Hi,

    If you forget your AskApache user name and password, how do you trigger the email reminder?

    Thanks,

    Chris

  • GoodStuff

    I'm constantly getting an error to make the .htpasswda3 and .htaccess files readable/writable and I've got them wide open. Still the plugin persists with the errors. I've also played around with changing their ownership and groups and no combination works.

    AskApache, can you please tell me what the problem is? Does the plug-in work?

    Thanks

  • sarjad

    hey.. I got some problem.
    When I try to use mozilla firefox to browse my admin panel, the page that comes out is 404.html,
    but when I use google chrome, it normally prompts me to input the login id and password for htaccess.
    Can you tell me how that can be? Since most of my addons on firefox are very useful for my blogging tools, I really need to use firefox.
    I'm waiting for your support.
    thanks :D

  • sarjad

    well.. seems I know what my problem is exactly.
    My session timeout was too short.
    After I passed the timeout margin, I can't access my wp-admin anymore for some time.
    How can I fix this? I mean I want to expand my timeout margin.
    thank you :D

  • Mark

    Hey,

    Is 'HTTP Digest Authentication' a must-have on the server to install the plugin?

    Thanks

  • Ron

    Any idea why the plugin does not allow me to install / update plugins?
    I always get the same error: cannot create folder in wp-content/upgrade .......
    If I run a test (your plugin) the test folder is created, so that is not the problem??
    I only have these 2 set to active and all others are deactivated

    General
    Directory Protection
    none   core   root   Deactivate
     
    Protection
    Stop Hotlinking
    403 Forbidden   mod_rewrite   root   Deactivate

    Manual installing and upgrade (FTP) is no problem.

    Thanks and regards, Ron

  • Nancy

    Hi,

    I installed the plugin and followed the directions but during the setup things began to get a little weird. When I hit activate on some of the options I was sent to a 404. I decided to remove the plugin and I deleted the Apache part in the two files as you directed and then I deleted the plugin. However, now, my wordpress dashboard is totally weird. How can I restore the look of the dashboard? I'm on Dreamhost.

  • Ranga

    Thanks for the plugin........

  • Szigeti

    Thx. I was looking for one a long time.

  • avi

    thanks for this plugin. You know I was very sad because hackers always hacked my site. But now I am going to use this plugin. Thanks to the plugin developer.

  • Christopher Skyi

    I think the plug-in's a fail, unfortunately, at least for me. It's installed correctly (all the tests passed, it created the two .htaccess files, I created a login and passwords) and . . . zip, nada, nothing happens. I can log into my WP with my WP login/password -- no extra protection. I can ftp into the wp-admin, easy as pie.

    Unless I'm missing something, this plug-in does nothing I can detect . . .

  • Doezer

    It's a shame that that plug-in doesn't work anymore.

  • Patrick

    I quite like reading a post that will make men and women think.
    Also, many thanks for allowing me to comment!

  • Shana

    WOW just what I was looking for. Came here searching for password hacker

  • Holt Johnson

    Great article.


  • Le Da Hac

    Hi, I just installed the plug-in and asked for support on the Wordpress forum but got no answer. Hope you can help me. The plug-in works well but now everyone who visits my site is asked for a username and password. How do I fix it? Please help!

  • Quang Bui

    Thx. I was looking for one a long time.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. NCSA HTTPd.
UNIX ® is a registered Trademark of The Open Group. POSIX ® is a registered Trademark of The IEEE.
