Block/Unblock Traffic to a Website

It’s common to want to block traffic to a website, or to only want a few select people to be able to view a site, especially during times like development. You can enable WP Engine’s “password protection” for any environment, allowing your team to develop and review your site before going live.

This feature uses basic access authentication (or “basic auth”) which simply requires a username and a password. The message and styling of the authentication fields may vary by browser, but typically appears as a login pop-up prompt when viewing any page on your website.


Block/Unblock Traffic

Also known as “password protecting” a website, blocking and unblocking traffic will be enabled through a toggle in the User Portal.

  1. Log in to the User Portal
  2. Click on the environment name you wish to enable password protection on
  3. Click Utilities
  4. Locate the section Block traffic/unblock
  5. Click the toggle for the environment you’d like to protect

NOTE: “legacy staging” here refers to legacy 1-click staging and not the same Staging environment you may normally see within your User Portal

After saving, additional fields for username and password will appear. Use these credentials to view to your site.

As it is enabled at a server level, password protection does not interact with your actual WordPress admin login credentials.

Once you’ve entered the password protection credentials, you will still need to log in to the WordPress admin dashboard separately.


Update Password for Password Protection

  1. Log in to the User Portal
  2. Click on the environment name you wish to change the password protection on
  3. Click Utilities
  4. Locate the section called Block traffic/unblock
  5. Click the pencil icon next to the password
  6. Update your password
  7. Click Save

NOTE: Usernames cannot be changed.


Unblock Traffic

Traffic can be unblocked in a similar way to blocking it, by disabling password protection through the User Portal. Be aware that password protection cannot be disabled on “transferable” sites/environments. A transferable site must first be unlocked or transferred to remove password protection.

  1. Log in to the User Portal
  2. Click on the environment name you wish to disable password protection on
  3. Click Utilities
  4. Locate the section Block/Unblock Traffic
  5. Disable the toggle for the environment

NOTE: “legacy staging” here refers to legacy 1-click staging and not the same Staging environment you may normally see within your User Portal


Common Issues

I can’t change the username

The username for password protection is always your environment name. This username cannot be changed.

I get multiple login prompts

Some users may be prompted to enter the username and password more than one time in order to view the site. This can occur when you have content or assets loading from more than one domain. For example, you might have images at myenvironment.wpengine.com/image.jpg as well as www.mycoolsite.com/image2.jpg.

To avoid this, ensure your assets’ paths utilize only a single domain, or use relative paths in your site’s code. A search and replace may help correct your site’s database. Disabling plugins and changing theme may be necessary as well until the conflict is resolved in the code.

My password isn’t working

Did you recently copy or deploy your site? You may have references to the previous domain in your site which is causing a conflict. You may even see the incorrect domain in the password protection popup.
Try running a search and replace on your database to the current domain, or disabling plugins and changing the theme.

Do not use a CDN with password protection enabled

Most CDN offerings will be unable to collect and assets as your site cannot be loaded without providing credentials. Leave CDN disabled until password protection is removed.

How do I run a performance test on my site while using password protection?

A third party performance tool will need to be able to access your site to test the speed. This means you need to seek out a test that allows testing behind basic authentication. This feature typically requires an account be created with the test service.

My API cannot connect with basic authentication enabled

You must pass your password protection credentials on to any service that requires connecting to the site during the time the site is password protected.


NEXT STEP: How to unlock a transferable site

Enterprise-grade security and performance for all

Global Edge Security provides a managed web application firewall (WAF), advanced DDOS mitigation, CDN, and automatic SSL installation all powered by Cloudflare.