Skip to content


How-to Guides

Technical References

Restricting Site Access /

Restricting access via Basic Authentication

Basic Authentication is the “pop up” prompt for a username and password that is displayed by your browser when you visit a site that is protected in this way.

While a site is under development, and for non-production sites, you can set up Basic Authentication via your VIP Dashboard.

It is not possible for launched production sites to use Basic Authentication, as this form of access control breaks various VIP Go platform services.

Note: Basic Authentication is also incompatible with WordPress Core’s Application Passwords feature.


Enable Basic Authentication in the VIP Dashboard by visiting the Settings > Basic Authentication > Configure.

Select the desired environment from the dropdown, e.g. “production” or “develop.” Enter the username and password information for any user who should have access to your app via Basic Authentication. The password you enter will be encrypted when stored; you do not need to enter an encrypted version of the password. If you are using a multisite WordPress install, the Basic Authentication restrictions you create will apply to all subsites.

Once you’ve added credentials, you can remove them from the site by deleting the users. To completely remove all Basic Authentication restrictions, remove all users.

Removing a user from basic auth

Techniques for restricting access

Restricting via Basic Auth (Full Site)

When and how to use

If you want to restrict access to the entire site in the form of a username/password challenge, you can use our Basic Auth feature.

This is useful when you do not have a static list or range of IP addresses for your team. Common uses for Basic Auth are non-production/test environments and pre-launch production environments that are under development.

What is restricted

Once enabled, any requests without the proper username and password combination will be rejected.

The restriction applies to all requests to the environment: cached and uncached requests, static files, media files, and dynamically generated content.

Content is also blocked from Jetpack’s content distribution tools. For more information on how to change this behavior, please see Controlling Content Distribution via Jetpack.

Last updated: August 25, 2021