Nginx Password Protect Directory Downloads – How to Secure


I'm trying to password protect a WordPress login page on my Nginx server. When I navigate to, this brings up the "Authentication Required" prompt (not the WordPress login page) for a username and password. However, when I input the correct credentials, it downloads the PHP source code (wp-login.php) instead of showing the WordPress login page.

Permission for my htpasswd file is set to 644.

Here are the directives in question within the server block of my website's configuration file:

location ^~ /wp-login.php {
auth_basic            "Restricted Area";
auth_basic_user_file  htpasswd;

Alternately, here are the entire contents of my configuration file (including the above four lines):

server {
    listen *:80;


    root   /var/www/;

    index index.html index.htm index.php index.cgi index.xhtml;

    error_log /var/log/ispconfig/httpd/;
    access_log /var/log/ispconfig/httpd/ combine$

    location ~ /\. {
        deny all;
       access_log off;
        log_not_found off;

    location = /favicon.ico {
        log_not_found off;
        access_log off;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;

    location /stats/ {

        index index.html index.php;
        auth_basic "Members Only";
        auth_basic_user_file /var/www/web/stats/.htp$

    location ^~ /awstats-icon {
        alias /usr/share/awstats/icon;

    location ~ \.php$ {
       try_files /b371b8bbf0b595046a2ef9ac5309a1c0.htm @php;

    location @php {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/lib/php5-fpm/web11.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;

    location / {
    try_files $uri $uri/ /index.php?$args;
    client_max_body_size 64M;

    location ^~ /wp-login.php {
    auth_basic            "Restricted Area";
    auth_basic_user_file  htpasswd;


If it makes any difference, I'm using Ubuntu 14.04.1 LTS with Nginx 1.4.6 and ISPConfig

Best Answer

Let me translate the current config. Whenever browser request /wp-login.php, the request only matches section location ^~ /wp-login.php, not including your php-fpm configuration. So, nginx just apply the auth_basic and then spit out the source code of wp-login.php because nginx can't parses it.

The solution is adding php-fpm section like this

    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/lib/php5-fpm/web11.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_intercept_errors on;

inside your location ^~ /wp-login.php directive.

Source: Protecting The Wordpress Login In Nginx