Protect your administrator back-end with a password


This feature uses .htaccess files which are only compatible with Apache, Litespeed and a very few other web servers. Some servers (such as NginX and IIS) are incompatible with .htaccess files. If we detect a known to be incompatible server type this feature will not be shown at all in Admin Tools' interface. It should be noted that even if you do see it in the interface it doesn't necessarily means that it will work on your server. This depends on your server's capabilities. If you are unsure or believe it doesn't work please consult your host.

The Password-protect Administrator tool of Admin Tools is designed to add an extra level of protection to your site's administrator back-end, asking for a username and password before accessing the administrator login page or any other file inside the administrator directory of your site. It does so by using Apache .htaccess and .htpasswd files, so it won't work on IIS hosts.


Some prepackaged server bundles, such as Zend Server CE, and some live hosts do not allow using .htaccess files to password-protect a directory. If it is a local server, edit your httpd.conf file (for Zend Server CE this is located in C:\Program Files\Zend\Apache2\conf or C:\Program Files (x86)\Zend\Apache2\conf) and modify all AllowOverride lines to read:

AllowOverride All

If you are on a live host, please consult your host about the possibility of them allowing you to use this feature on your site.

Password-protect Administrator

If you are on a server running on Windows™, you are receiving a warning at the top of the page stating that the password will be stored to disk unencrypted. This is done due to the lack of the system-wide crypt function on the Windows platform, which causes Apache to understand password only if they are unencrypted or encrypted with a non-standard encryption scheme which does not exist in PHP.


If you password your administrator directory on a Linux system and then restore your site on a Windows server (typical live to local site restoration) you will be receiving a blank page or an Internal Server 500 when accessing the site. This is normal and expected. All you have to do is to remove the .htaccess and .htpasswd files from your administrator directory after restoring the site.

In order to apply the password protection, simply enter a desired username and password and click on the Password-protect button. After a few seconds your browser will ask you to supply the username and password you just specified. This will also happen each and every time anybody tries to access the administrator back-end of your site. In other words, you have to share the username and password with all back-end users of your site.

If you wish to remove the password protection you can either remove both the .htaccess and .htpasswd files from your administrator directory, or click on the Remove Password Protection button.

Cookies Notification - Action required

This website uses cookies to provide user authentication and improve your user experience. Please indicate whether you consent to our site placing these cookies on your device. You can change your preference later, from the controls which will be made available to you at the bottom of every page of our site.