Searching for a topic like “Cancel Prompt for htpasswd htaccess displays website” generally gives a lot of results with unrelated information and this one was not an exception. Plenty of instructions on ‘how to configure’ but relatively few on what to do if it fails.
The cause of this dilemma was that a CPanel configuration for Directory Privacy was displaying the protected website home page if Cancel was selected 3 or more times when the htaccess password prompt was displayed.
Directory Privacy, the CPanel interface option for configuring htaccess and htpasswd files for Apache websites, provides a ‘user friendly’ method to add specific user names and passwords to block public viewing of a website via a web browser.
In this instance my search terms eventually led me to this explanation https://core.trac.wordpress.org/ticket/42120 which is credited to a number of others for the solution.
To keep it simple, if you are experiencing a web page that is meant to be protected by .htaccess / .htpasswd, but it is being displayed if the Cancel option is selected at the password prompt, then check your .htaccess rule.
- Edit the .htaccess file in your home folder or website root (assumes that it is the whole site being protected)
- Find the line RewriteRule . /index.php [L]
- Replace with RewriteRule ./ /index.php [L]
This worked in my case and as always your mileage may vary.