Problem with Password Protected Site

Hi. I used the “htaccess/webDAV” feature under “goodies” in the dreamhost panel to create a password for one of my websites hosted by Dreamhost. I enabled the entire directory, which as far as I can tell protects the entire domain.

The problem is this…after entering the password and going to the site, only the homepage works. Every link on the homepage takes me to a “404 Not Found error” page. I can’t get to any of the pages within the domain. I can’t figure out what the problem is…can anyone please help me? Thanks…

It would help a lot if you shared the url for your site so we could look at what links are being passed when the 404 is returned.

If your site was using Apache rewrite rules (as does WordPress, Joomla!, and many other CMS/Site management programs), it is possible that using the panel to add the necessary stuff to your .htaccess either overwrote or displaced those rules.


Hi, rlparker. Thanks for responding. The site isn’t ready to be viewed…which is why I have the password protection on it. But you’re exactly right on the money…the site was created with WordPress. Is there a fix you can explain to me (if you’re willing, of course) without going to the site, or do you need access to it? Thanks again, I appreciate it.

I suspect the problem is with your .htaccess file. Can you post your .htaccess file, obfuscating your domain name by just using “domainname.tld” in the place of your domain name wherever it appears?

Also, please tell us what directory your WordPress is installed within ( /home/username/domainname.tld or /home/username/domainname.tld/wp , etc.) and I suspect someone here can help you with it.

Alternately, you could send me the url via PM if you don’t want to make it public but would like me to look at it (though you might get better help if you shared the url in the forum as you get the benefit of more users’ expertise :wink: .)


Sure, rlparker, I’d be glad to. Here’s my .htaccess file:

AuthType Basic
AuthUserFile /home/domainname/www.domainname.tld/.htpasswd
AuthName "domainname"
require valid-user

And WordPress is installed within the following directory:

root/www.domainname.tld/wp-admin, etc.

Is that enough information? Thanks again so much for your help. It’s greatly appreciated…

Some people advise putting the .htpasswd file in a directory that isn’t web accessible. From the looks of your AuthUserFile, you might consider moving it up a directory. Here’s more detail from the DH wiki:

It also looks to me like this overwrote the WP .htaccess file because there is no mention of “RewriteEngine” or “RewriteBase”. This link might be helpful:

Ok, I think it is clear what has happened, and it is easy enough to fix. Also, to clarify, WordPress is installed in your “home” or “base” directory (yourdomain.tld). The wp-admin, and other directories are part of WordPress, and they normally reside a directory level below the main WordPress installation.

Using the control panel overwrote your existing .htaccess (the one in which WordPress had its Apache re-write rules) with the one you presented in your post.

What needed to happen was for it to add the authentication stuff to the existing file. Stuff like this (and pangea33’s observation about the location of your .htpasswd file) is why many elect to construct their own authentication lines in the .htaccess file, rather than letting the Control Panel do it for you.

That said, here is how I recommend you proceed:

  1. Download a copy of your existing .htaccess file (the one you included in your post), and rename it to something on your computer.

  2. Use the Dreamhost “automated backup” .snapshot directory to find a copy of the .htaccess file that worked properly for your WordPress installation before you password protected the directory, and download it to your computer.

  3. Combine the contents of these two files into one new .htaccess file, with the contents of the file in step 1 inserted into the file before the contents of the file in step 2 (use a text editor - either retype or cut’n’paste)

  4. Upload this “new” combined .htaccess file to your home directory, overwriting the one that is there now.

  5. Clear your browser’s cache, and test.

note: Of course, if you are comfortable editing from the shell, you can do all of this there - just combine the contents of the two files into a single .htaccess file, with the respective contents in the described order.

If you did it correctly, you are done! The new .htaccess file will provide the password protection you want, and your Apache re-write rules will have been restored so that your permalinks will now work. Good Luck!
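
The merge from steps 1-4 above, done from the shell, together with a check for the .htpasswd placement raised earlier in the thread. This is an added example, not part of the original posts; the function names, scratch directory, file names and the sample WordPress block are constructed.

```shell
#!/bin/sh
# Added example. Paths and file names are constructed placeholders.

# merge_htaccess AUTH_FILE WP_FILE OUT_FILE
# Back up OUT_FILE, then write the auth lines followed by the rewrite block.
merge_htaccess() {
    auth=$1 wp=$2 out=$3
    # Refuse to produce a file that is missing either half.
    grep -qi '^[[:space:]]*AuthType' "$auth" || { echo "no AuthType in $auth" >&2; return 1; }
    grep -qi '^[[:space:]]*RewriteEngine' "$wp" || { echo "no RewriteEngine in $wp" >&2; return 1; }
    if [ -f "$out" ]; then cp -p "$out" "$out.bak" || return 1; fi
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if grep -qi '^[[:space:]]*AuthType' "$wp"; then
        cat "$wp" > "$tmp"                     # already merged: keep as is
    else
        { cat "$auth"; echo; cat "$wp"; } > "$tmp"
    fi
    chmod 644 "$tmp"    # mktemp creates 0600; the web server must read it
    mv "$tmp" "$out"
}

# htpasswd_in_docroot HTACCESS DOCROOT
# Succeeds when AuthUserFile points inside the web-served directory.
htpasswd_in_docroot() {
    path=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$1")
    case $path in "$2"/*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample files in a scratch directory.
demo=$(mktemp -d)
cat > "$demo/htaccess.auth" <<'EOF'
AuthType Basic
AuthUserFile /home/domainname/www.domainname.tld/.htpasswd
AuthName "domainname"
require valid-user
EOF
cat > "$demo/htaccess.wp" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
EOF
merge_htaccess "$demo/htaccess.auth" "$demo/htaccess.wp" "$demo/.htaccess"
htpasswd_in_docroot "$demo/.htaccess" /home/domainname/www.domainname.tld && echo "warning: .htpasswd is inside the web root"
```

If the check warns, move the .htpasswd file up a directory and update AuthUserFile to match before uploading the merged file.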


No offense meant by the minor hijack attempt, rlparker. You obviously had this one covered, just wanted to offer something while dude was waiting.

Ha ha! No offense taken, and your post was not a hijack at all - you made a good point about “hardening” the .htpasswd file by moving it outside the web accessible path (which I always do myself!).

I suspect the Panel does it this way so it doesn’t continually overwrite files in the user directory - otherwise they would have to code a test for existence, then do some renaming, etc. to make sure that multiple domains being protected within a user’s space don’t “bork” each other.

Doing it by hand is “way mo’ better”, IMHO :slight_smile:


Wow, thank you, both rlparker and pangea33, for these awesome responses. I’m new to both Dreamhost and WordPress, and your incredible feedback and friendly demeanor are extremely appreciated. I’ll try your suggestions and hopefully get back on-track. Thanks again…

Thanks again, rlparker…this worked perfectly!

You are welcome! I’m happy to hear that you got everything sorted :slight_smile:


I know this is old, but wonder if rlparker is still around or someone else who can help with something slightly different.

My install of WordPress is in a subdirectory:

I have just a basic page at the, with a login link to the pages contained within the secure folder.
Everything at the “secure” folder level and below is secured using the .htaccess created through the cpanel, contents of which are basically:

authtype basic
authgroupfile /dev/null
authuserfile /home/content/37/9203737/htconfig/.htpassword.ghtpassword
authname "Secure Area"
require user ME Someone_else

this file is located inside the secure folder.

All links work fine on the pages below the main page, except the one to my WordPress stuff. If I click the link to that it asks me (using the same request box as at the higher level) to enter my credentials, which were already entered to get access to this portion.
I’m guessing the .htaccess file in the WordPress folder is not having the authorization passed to it from the earlier login, and it is treating the link to the blog as if it is coming into the site from outside of the logged in portion. The contents of this .htaccess file are:

# BEGIN WordPress
RewriteEngine On
RewriteBase /MW_files/secure/blog/wordpress/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /MW_files/secure/blog/wordpress/index.php [L]
# END WordPress

Is there a way I will not need to enter the same information again to access the blog section??

Two quick WordPress-specific ideas about this…

  1. There is a WordPress plug-in that enables extra levels of privacy:
    Easy to turn on and off, set for different blogs in a multi-site environment.

  2. Anytime you manually add anything to the htaccess of your WordPress site, and sometimes after an upgrade, if you are using any of the “pretty permalinks” URL re-writes, you need to go into Settings > Permalinks and just re-save your settings.

It will clear the re-write cache. Otherwise, you may very well end up with all of your pages resulting in 404s.
It’s a WP quirk.

oops didn’t notice this is a two page old thread… well, maybe this info is helpful to someone.

To the poster above. Have you tried adding:
authtype basic
authgroupfile /dev/null
authuserfile /home/content/37/9203737/htconfig/.htpassword.ghtpassword
authname "Secure Area"
require user ME Someone_else

to WP’s htaccess page? Just add it before:

# BEGIN WordPress

I have, I still get the same prompt to re-enter the same username and password.