How to Block Access to .htaccess and .htpasswd Files in WordPress

What Are .htaccess and .htpasswd Files?

Your WordPress website runs on more than just themes and plugins; it’s powered by a network of hidden server configuration files. Two of the most sensitive files on any Linux-based web server are:

  • .htaccess — Controls redirects, security rules, caching, and access settings.
  • .htpasswd — Stores encrypted usernames and passwords (used for directory protection).

These files are not meant to be publicly accessed, but if improperly configured, hackers can view, download, or manipulate them to:

  • Discover server rules.
  • Bypass security protections.
  • Hijack login credentials.
  • Gain full control of your website.

Why You Must Protect These Files

If your .htaccess or .htpasswd file becomes accessible to the public, here’s what can happen:

| Risk | Impact |
|------|--------|
| .htaccess exposed | Attackers learn how your site handles redirects and security rules. |
| .htpasswd exposed | Encrypted login credentials can be cracked and reused. |
| File tampering | Hackers insert redirects, backdoors, or malicious scripts. |
| Full site compromise | A single overwritten rule could block your site or allow access to everything. |

These files don’t need to be visible to any visitor, including Google; only the server should read them. With WordPress Manager by Softaculous, you can block these files from public access in one click, without editing any code or dealing with file permissions.

Here’s how to block access to .htaccess and .htpasswd using WordPress Manager:

STEP 1: Log in to your cPanel.

There are three methods to log into your cPanel.

  • Method 1: Log in to your cPanel directly.
  • Method 2: Log in to your cPanel through your Customer Portal.

Through your Customer Portal:

  • Log in to your Customer Portal.
  • Click on "Log in to cPanel".

  • Method 3: Log in using the details sent to your email.

Through your email:

  • When you purchase a hosting plan, your cPanel login details (including username, password, and cPanel URL) are automatically sent to your registered email address. Simply check your inbox (or spam folder), locate the email, and use the provided credentials to access your cPanel.

STEP 2: Locate the Software section and click on Softaculous Apps Installer.

STEP 3: Click the box for Installations.

An alternative is to select the “All Installations” icon from the menu in the upper-right corner.

STEP 4: Click the WordPress icon next to the installation you want to manage.

STEP 5: In WordPress Manager, select the website you want to secure.

STEP 6: Scroll to the Security Measures section.

STEP 7: Check the box for “Block access to .htaccess and .htpasswd”, and click Apply.

WordPress Manager will add security rules to make sure:

  • These files are not publicly accessible.
  • Your server can still use them behind the scenes.
  • You don’t need to install a plugin or write custom code.

NOTE:

  • This setting does not delete or disable .htaccess or .htpasswd.
  • You can still edit them via cPanel or FTP if needed.
  • Your website's redirects, permalinks, and security rules will continue to work normally.
  • You can reverse this change anytime in WordPress Manager.
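
To confirm the setting took effect, request both files from outside your site and check that the server refuses them. The script below is an added example, not code from LyteHosting or Softaculous; its function names and its reading of status codes (401, 403, 404 and 410 count as blocked) are assumptions of this example.

```python
"""Check that .htaccess and .htpasswd are not served to the public."""
import sys
import urllib.error
import urllib.request

SENSITIVE_FILES = (".htaccess", ".htpasswd")
REFUSED = {401, 403, 404, 410}  # assumption: any of these means "not served"

def http_fetch(url, timeout=10):
    """GET url; return (status, first 2 KiB of body) without raising on 4xx/5xx."""
    request = urllib.request.Request(url, headers={"User-Agent": "htfile-check"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read(2048)
    except urllib.error.HTTPError as err:
        return err.code, b""

def classify(status, body):
    """Map one response to 'blocked', 'EXPOSED' or 'review'."""
    if status in REFUSED:
        return "blocked"
    text = body.lstrip().lower()
    if status == 200 and text and not text.startswith((b"<!doctype", b"<html")):
        return "EXPOSED"  # raw, non-HTML content came back: the file is readable
    return "review"  # HTML page, empty body, or 5xx: inspect by hand

def check_site(base_url, fetch=http_fetch):
    """Return {filename: (status, verdict)} for each sensitive file."""
    results = {}
    for name in SENSITIVE_FILES:
        status, body = fetch(base_url.rstrip("/") + "/" + name)
        results[name] = (status, classify(status, body))
    return results

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_htfiles.py https://your-site.example")
    report = check_site(sys.argv[1])
    for name, (status, verdict) in report.items():
        print(f"{name}: HTTP {status} -> {verdict}")
    sys.exit(1 if any(v == "EXPOSED" for _, v in report.values()) else 0)
```

Run it against your own site's address before and after applying the setting. A "review" verdict usually means the server returned an HTML page (for example a theme's error page) rather than the file itself.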

Frequently Asked Questions (FAQ)

Q: Do all WordPress sites use .htpasswd?

Not all. .htpasswd is typically used when protecting specific folders (like staging sites) with extra login prompts. Even if you’re not using it now, it’s smart to block access in case it’s created later.

Q: Will blocking these files affect my SEO?

Not at all. These are backend files; search engines don’t need access to them.

Q: What if I’ve already edited my .htaccess manually?

WordPress Manager’s security rule is added safely without overwriting your custom settings. Still, it’s good practice to back up your .htaccess if you've made manual changes.

If you need help, kindly contact LyteHosting support.
