Skip to content
WordPress

WordPress 401 Unauthorized: Restoring Admin Access

Learn how to fix the WordPress 401 Unauthorized error by correcting authentication issues, server rules, plugins, and security configuration.

WordPress 401 Unauthorized: Restoring Admin Access

You’ll find the complete rundown in our WordPress Errors Complete Guide.

The WordPress 401 unauthorized error is not the same as the 403 forbidden error — and confusing them leads to applying the wrong fixes. The 403 error means the server refuses access regardless of who you are. The WordPress 401 unauthorized error means the server requires authentication credentials that have not been provided or that were provided incorrectly. The distinction matters because 401 is specifically about missing or incorrect credentials, not about permissions on a resource. When you see the WordPress 401 unauthorized error, the server is asking for valid authentication, not telling you that you are categorically denied. That shifts the diagnosis toward credentials, authentication configuration, and security layers rather than toward file permissions and access control rules. The WordPress 401 unauthorized error appears in several distinct contexts on WordPress sites — on the admin panel, on REST API requests, after enabling HTTP Basic Authentication, and through security plugin configurations — and each context has its own specific resolution.

What Triggers the WordPress 401 Unauthorized Error

The HTTP 401 status code means “authentication required.” When a browser receives a 401 response, it typically shows a native authentication dialog prompting for a username and password — this is distinct from the WordPress login page, which is an application-level authentication handled by WordPress itself. The WordPress 401 unauthorized error from HTTP Basic Authentication produces the browser’s own credential dialog, while the WordPress 401 unauthorized error from a REST API endpoint typically returns a JSON response with an error message rather than triggering the browser dialog.The contexts in which the WordPress 401 unauthorized error most commonly appears in WordPress:HTTP Basic Authentication added to .htaccess is the most disruptive cause — it places a credential wall in front of the entire site or specific directories, requiring a separate username and password before any WordPress content loads. This is legitimately used to protect staging sites from public access but breaks WordPress functionality when applied incorrectly. The WordPress REST API returning 401 responses is the second most common context, typically caused by a security plugin restricting API access to authenticated users or requiring application passwords. The third context is a WordPress-level authentication issue — a plugin that has added extra authentication requirements to admin panel access, or a misconfigured role-restriction plugin that has locked out an admin user by reassigning their role.The WordPress 401 unauthorized error on the front end — where visitors see the authentication dialog or a 401 page when trying to access the site — is almost always caused by an unintended HTTP Basic Authentication configuration. The WordPress 401 unauthorized error on the admin panel specifically (while the front end works fine) is more likely a WordPress-level authentication problem. The WordPress 401 unauthorized error on API requests that previously worked suggests a recent security plugin configuration change. Each pattern points toward a different root cause and fix.

Fix HTTP Basic Authentication Causing the WordPress 401 Unauthorized Error

HTTP Basic Authentication is configured in two places: the .htaccess file (which activates the authentication requirement) and an .htpasswd file (which stores the usernames and hashed passwords). When the WordPress 401 unauthorized error appears across the entire site or a specific directory, check whether these files exist and whether the configuration in .htaccess is intentional.
  1. Connect to your server via FTP with hidden files visible
  2. Open the .htaccess file in the WordPress root and search for these directives: AuthType Basic, AuthName, AuthUserFile, Require valid-user
  3. If these lines are present and the HTTP Basic Authentication is not intentional — perhaps a developer added it for a staging period and never removed it — delete these lines and save the file
  4. Look for an .htpasswd file in the same directory or the path referenced in AuthUserFile — this file stores credentials and can also be deleted if the protection is no longer needed
  5. Reload the site — the WordPress 401 unauthorized error caused by Basic Authentication disappears immediately when the directives are removed
If the HTTP Basic Authentication is intentional — protecting a staging site from public indexing while development continues — but the WordPress 401 unauthorized error is breaking WordPress functionality like the block editor, REST API calls, or WooCommerce checkout processes, you need to exempt internal WordPress requests from the authentication requirement. Add BrowserMatch "WordPress" auth-nologin to the .htaccess auth block, or configure the staging protection through your hosting panel’s password protection feature, which typically handles the internal WordPress request exemption more gracefully than a manual .htaccess implementation.

WordPress REST API and the 401 Unauthorized Error

REST API requests returning the WordPress 401 unauthorized error indicate that the REST API endpoint requires authentication and the request did not include valid credentials. This is the intended behaviour when security plugins restrict REST API access — unauthenticated external requests receive a 401 to prevent public access to user lists and other potentially sensitive endpoints. The problem arises when this restriction is applied too broadly, also blocking REST API requests made by WordPress itself for legitimate admin functions.The block editor uses the REST API with cookie-based nonce authentication for all save operations. A security plugin that requires application password authentication for all REST API requests — rather than allowing cookie-based authentication for logged-in admin users — breaks the block editor’s save functionality and produces the WordPress 401 unauthorized error on every post save attempt. Check every active security plugin’s REST API settings and ensure that cookie-based authentication (used by logged-in WordPress users) is allowed alongside or instead of application password requirements.Application passwords — introduced in WordPress 5.6 — are the intended authentication mechanism for external REST API clients. If an external application or script is receiving the WordPress 401 unauthorized error when accessing the REST API, verify that the application is using the correct application password rather than the user’s login password, and that the application password has not been revoked. Application passwords are managed per-user under Users → Profile → Application Passwords in the WordPress admin. The WordPress 401 unauthorized error from an expired or revoked application password is a credential issue rather than a configuration issue — generating a new application password for the application resolves it.

Security Plugins Causing the WordPress 401 Unauthorized Error

Security plugins with aggressive authentication requirements are one of the most common sources of the WordPress 401 unauthorized error in production WordPress environments. The specific plugin features most likely to produce the WordPress 401 unauthorized error inadvertently:
  • Login page protection: Some plugins add an HTTP Basic Authentication layer in front of the WordPress login page as an additional security measure. If the credentials for this layer are not known or have been changed, even the site owner cannot reach the WordPress login form — receiving the WordPress 401 unauthorized error before WordPress’s own authentication even runs
  • Admin panel restriction by IP: Plugins that restrict admin access to specific IP addresses return a 401 (or 403) when an admin accesses from an unrecognised IP — which produces the WordPress 401 unauthorized error every time the admin works from a new location or after an IP change
  • Two-factor authentication failures: Plugins that add two-factor authentication to WordPress admin access produce the WordPress 401 unauthorized error when the second-factor verification fails or when a device is not recognised after clearing browser cookies
  • REST API access restrictions: As covered above, overly broad REST API restrictions produce the WordPress 401 unauthorized error for admin REST operations that should be permitted
Deactivating security plugins via FTP (renaming their folder in wp-content/plugins/) and testing whether the WordPress 401 unauthorized error clears confirms whether a security plugin is the cause. Reactivating plugins one at a time identifies the specific offender. Most security plugins expose their authentication-related settings on a dedicated settings page within WordPress — the fix is usually a single configuration change rather than permanent plugin removal.

Cloudflare and Hosting Firewalls Behind the WordPress 401 Unauthorized Error

The WordPress 401 unauthorized error that originates from Cloudflare’s or a hosting provider’s firewall operates above the WordPress level — WordPress never receives the request, and the firewall returns the 401 directly to the browser. This means WordPress plugin deactivation and .htaccess changes have no effect because the interception happens before the request reaches the server.Cloudflare Access — a Zero Trust product that adds authentication requirements to specific URLs — is the Cloudflare feature most likely to produce the WordPress 401 unauthorized error. If a Cloudflare Access policy covers the WordPress site or admin panel URL, visitors and admins receive the WordPress 401 unauthorized error (or a Cloudflare authentication page) until they complete the required authentication. Check the Cloudflare dashboard under Access → Applications to see whether any policies are applied to your site’s domain. Adjusting or removing the policy resolves the WordPress 401 unauthorized error for users who should have unrestricted access.Hosting providers that implement their own authentication layers — for cPanel-based sites in maintenance mode, for accounts with overdue invoices, or for accounts under security review — can also produce the WordPress 401 unauthorized error at the infrastructure level. If the WordPress 401 unauthorized error appears sitewide, affects every URL including non-WordPress resources, and cannot be explained by any WordPress, Cloudflare, or .htaccess configuration, contact your hosting provider’s support and ask whether any account-level authentication requirement has been applied.Our guide on fixing the WordPress 403 forbidden error covers the closely related access-denial error — where the distinction between 401 (credentials required) and 403 (access denied regardless of credentials) determines which fix path is correct for the WordPress 401 unauthorized error versus the 403 scenario. Our guide on how to secure the WordPress admin covers the security plugin configurations — including IP restrictions, two-factor authentication, and login page protection — that most frequently produce the WordPress 401 unauthorized error as an unintended side effect of correct security implementation. The MDN HTTP status code documentation covers the 401 specification in full, including the WWW-Authenticate header mechanism that distinguishes the WordPress 401 unauthorized error from other access-denial responses at the HTTP level.
Nikolas Lamprou

Nikolas Lamprou (MSc; GCFR, SC-200, Security+) has been working with computers professionally since 2009 — starting with web development and e-commerce, and moving into cybersecurity over the years. Based in Greece, he brings over 15 years of real-world IT experience to SolveTechToday, where he writes about Windows fixes, software reviews, security tools, and AI applications. His goal is straightforward: cut through the noise and give readers clear, honest guidance on the tech decisions that matter.

Stay Ahead

Fix your next problem before it starts

Get the week's best Windows fixes, software picks, and security guides delivered straight to your inbox. No noise, just solutions.

Press ESC to close · Try "Windows 11" or "Chrome"