How to Implement Apache Basic Auth for a Specific URL Path (/en) in WordPress Without Physical Directory


2 views

When working with WordPress sites, the standard .htaccess approach for directory-based Basic Auth doesn't work because WordPress handles all URLs through its rewrite engine. The common solution of creating a physical /en directory would break WordPress routing since these requests wouldn't go through index.php.

You have two effective approaches to protect your /en path:

Option 1: .htaccess Condition Matching

Add these rules to your root .htaccess file, above the WordPress rules:


<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/en(/|$) [NC]
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

<LocationMatch "^/en(/.*)?$">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</LocationMatch>

Option 2: Environment Variable Approach

For shared hosting where LocationMatch might be restricted:


SetEnvIf Request_URI "^/en(/.*)?$" REQUIRE_AUTH
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=REQUIRE_AUTH

Generate your .htpasswd file using htpasswd utility:


htpasswd -c /path/to/.htpasswd username

After implementation, test these scenarios:

  • Accessing /en without credentials
  • Accessing /en with valid credentials
  • Accessing other paths (should work normally)
  • Verify WordPress admin area remains accessible

The LocationMatch method has slightly better performance than SetEnvIf for high-traffic sites, as environment variables require additional processing for each request.

When working with WordPress sites that use rewrite rules, traditional directory-based authentication methods fail because:

  • WordPress handles all requests through index.php
  • Physical directories would bypass WordPress routing
  • .htaccess location blocks don't work in directory context

Add these directives to your root .htaccess file, above the WordPress rules:


# Password protection for /en
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/en(/|$) [NC]
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

<LocationMatch "^/en(/.*)?$">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</LocationMatch>

Key components explained:


# 1. LocationMatch handles regex pattern for /en with optional trailing slash
# 2. RewriteCond captures /en requests while preserving auth headers
# 3. AuthUserFile should point to your password file (create with htpasswd)

Run this command on your server:


htpasswd -c /path/to/.htpasswd username

Verify your setup with these checks:

  1. Access domain.com/en - should prompt for credentials
  2. Access other URLs - should work normally
  3. Check server error logs if you get 500 errors

If you see 500 Internal Server Error:


# Try replacing LocationMatch with FilesMatch for some Apache versions:
<FilesMatch "^/en(/.*)?$">
    # Same auth directives
</FilesMatch>

If authentication dialog doesn't appear:


# Ensure the directives are placed BEFORE WordPress rules
# Clear browser cache (auth headers are cached aggressively)