How to disable public access to your WordPress.
WordPress, both the site and it’s back end (or admin area) are both accessed via a web browser. Consequently they’re both publicly available, as are the pages you use to complete the installation process. This means anyone in the world can access the site, the admin area login page, or the pages used as part of the installation process.
There may come a time where you want to disable public access to site. An example of this might be if you’re part way through installing WordPress and suddenly have to go and do something else, or if you haven’t yet secured your WordPress installation.
This article covers how to disable all public access to your WordPress installation.
The .htaccess file.
The .htaccess file exists in your hosting account at file level. It’s usually held in the document root of your domain (where all your site files exist).
The .htaccess file is always checked by the web server before serving your site.
The .htaccess file can be used to specify conditions that the web server will adhere to.
In this case, we’re going to use the .htaccess file to set a condition that stops the web server from serving your site, or the wordpress installation page (depending on where you are in the site creation process). We’re going to tell it to not serve anything. This will disable public access to your WordPress based site as a whole.
If you’re interested in the .htaccess file, what it does and how it’s used you can find Apache’s own documentation covering this here. Do bear in mind this will mention a lot of server side aspects that you won’t have access to when using shared hosting. You could get your own server if this is something you’re interested in.
Dot files (files that start with a dot).
In a Linux environment (which is what most webservers use as the underlying operating system) files starting with a full stop are hidden by default. Sometimes you’ll have to turn on “show hidden files” to be able to see them.
That’s what we’re going to cover first: How to turn on show hidden files.
You’ll do this using the cPanel file manager, so log in to your cPanel, then in the “Search tools” box at the top, type file manager, then click on “File manager” in the list below, like this:
The cPanel file manager will then open, in the top right hand corner, there’s a button labelled “Settings”, click on that, then tick “Show Hidden Files (dotfiles)”, then click save, like this:
Restricting access using the .htaccess file
Now we’re able to see dotfiles, we’re going to edit the .htaccess file and add a line to it that tells the web server to not serve any aspects of your site (this covers everything, the site, the WordPress back end, any installation pages should you be part way through the installation and so on). Don’t serve anything!
At this point what you see in your file manager will vary depending on what you’ve done so far, so the screen shots won’t exactly match.
Also, the .htaccess file needs to be in the “document root” of the domain in your cPanel account. The document root is the file location where the domain is mapped to on the server. By default, if you’re using cPanel and have a “one domain only” type hosting account the document root of your domain will be the “public_html” directory. This is what this guide covers. If you’re using a multisite type hosting account and have multiple domains mapped to it, you can see the document root that domains are mapped to in the domain’s section of your cPanel.
This guide is based on one domain being mapped to public_html, for simplicity’s sake.
Open the cPanel file manager, just like you did above, then click on the public_html folder on the left hand side. In the main portion of screen locate the .htaccess file, then right click on it, then select “edit”, like this:
This will open the .htaccess file manager in cPanel’s file editor. If you’ve already installed WordPress there will most likely be a load of directives in this file. Don’t worry about them. They serve a purpose, so leave them be. All you need to do is write this:
deny from all
At the very top of the .htacces file, then save. Like this:
After saving this change if you browse to your site, you’ll now see a forbidden message. That’s what the deny from all rule does, it deny’s access to your site. Like this:
Why would you want to do this?
- To stop people accessing your site when it’s not been secured.
- To prevent an incomplete wordpress installation being taken over.
- To stop crawlers or robots reading your site while it’s still being made.
There are numerous reasons why you might want to “turn your site off” and this is a quick, easy and concise way of doing so.
Making your wordpress accessible again.
After carrying out the above, at some point, you’ll need to start working on your site in WordPress again. To be able to do this, you’re going to need to make your wordpress accessible again.
It’s quite straight forward, you just remove this line:
deny from all
From the .htaccess file, then save your change.
Log in to your cPane, then access the file manager:
Then browse to the public_html folder, and edit the .htaccess file:
Then delete this line:
deny from all
Then click “Save Changes”.
You’ve just learnt how to disable access to your WordPress site. This method can be used with any site that’s being run on Apache (or equivalent) based web hosting.
- The .htaccess file can be used to disable public access to your WordPress.
- Dotfiles are hidden by default, you might need to enable hidden files (dotfiles) to be able to see the .htaccess file.
- The deny from all directive is what disables public access to your WordPress site.
- You might need to disable public access to your WordPress if you’ve installed WordPress but don’t have time to secure it.