by Kamil Kuzminski Categories: Tips & Tricks, Useful extensions

How to hide your staging system from the public?

Very often, we stumble upon websites in the development phase that are publicly accessible. In this short blog post, we want to show you the easiest and fastest ways to do that.

General concept

Setting up basic HTTP authentication is the most efficient way to hide your website from the public. The term may sound unknown, but you will immediately recognize the solution in the image:

.htaccess + .htpasswd

The most popular way to protect your website is to create the .htaccess file similar to this:

AuthType Basic
AuthName "Area 51"
AuthUserFile /full/path/to/.htpasswd
Require valid-user

Afterward, you have to create the .htpasswd file with the username and password that will be used to authenticate. Since the password is encrypted, I recommend using some online generator tools for this purpose.

You also have to ensure that the path to .htpasswd inside the .htaccess file is correct, which sometimes requires more attention.

Eventually, the file should look something like this:


This solution will undoubtedly protect your website from the public. However, it is a bit cumbersome to set it up, so let's take a look at another solution.

contao-root-protection extension

The contao-root-protection extension by terminal42 gmbh allows you to easily set up the basic HTTP authentication directly from the Contao backend. The end result will be pretty much the same as the first solution, but it will be easier to set it up and manage it later.

After the installation, go to the website root settings of your choice and select the "Enable root protection" checkbox. Then, provide the username and password, and save the record. That's it! From now on, your website will be accessible only after entering the correct credentials.

It has yet another significant advantage – you can easily hide selected website roots and each one with different credentials!

The only drawback is that the Contao backend is not hidden from the public, but that shouldn't matter anyway.


Both solutions are good options for hiding your website from the public, especially in the development phase. It's totally up to you which one you choose, as both serve the same purpose.

Spread the word