A 401 Unauthorized error means the server requires authentication to access the requested page or resource, and either no credentials were provided or the credentials were rejected. This is different from a 403 Forbidden error, which means you're blocked entirely regardless of credentials.
Most often, you (or a previous admin) set up password protection on a directory through cPanel's "Directory Privacy" tool, and then either the password was forgotten or the .htpasswd file was moved or corrupted. If you didn't intentionally protect the directory, check cPanel > Directory Privacy and remove the protection.
01. What a 401 Error Means
HTTP 401 is an authentication challenge. The server is saying: "I need valid credentials before I'll show you this." Your browser responds by showing a login popup asking for a username and password. If you cancel the popup or enter wrong credentials, you see the 401 error page.
Key differences from related errors:
- 401 Unauthorized - "Who are you? Prove it." The server wants credentials.
- 403 Forbidden - "I know who you are and the answer is no." The server is denying access regardless of credentials.
- 407 Proxy Authentication Required - Same as 401 but the proxy server (not the web server) is requesting credentials. This is a network/corporate proxy issue, not a hosting issue.
02. Common Causes
Directory Privacy (Password Protection) in cPanel
The most frequent cause. Someone enabled password protection on a directory through cPanel and either the password was forgotten, the .htpasswd file was deleted, or the protection was set on the wrong directory (like public_html itself).
Manual .htaccess Authentication Rules
An .htaccess file contains AuthType, AuthUserFile, and Require valid-user directives that were added manually. The .htpasswd file it references may have been moved or deleted, or the path may be wrong.
WordPress Login or Admin Protection
Some security plugins add HTTP authentication on top of the WordPress login page (wp-login.php) or the admin area (wp-admin/). This creates a double-login scenario where the browser popup appears before the WordPress login form.
ModSecurity False Positive
ModSecurity can return a 401 instead of the usual 403 for certain rule triggers. Check your error logs for ModSecurity entries if the 401 appears on specific form submissions or POST requests.
03. Password Protected Directories
To check if a directory has password protection enabled:
- Log in to cPanel - Go to my.ultrawebhosting.com and open cPanel
- Open Directory Privacy - Under the Files section, click "Directory Privacy"
- Navigate to the directory - Click through the folder tree to the directory showing the 401 error
- Check the status - If "Password protect this directory" is checked, the directory is protected
To remove protection: Uncheck "Password protect this directory" and click Save. This removes the authentication requirement immediately.
To fix the password: If you want to keep the protection but need to reset the password, scroll down to the user list, delete the existing user, and create a new one with the correct password.
04. htaccess Authentication Issues
If the 401 persists after checking Directory Privacy, there may be manual authentication rules in an .htaccess file. Look for these directives:
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/username/.htpasswds/public_html/passwd
Require valid-user
Common problems:
- Wrong AuthUserFile path - The path to the .htpasswd file must be absolute (starting with /home/). A relative path will fail silently and reject all credentials.
- Missing .htpasswd file - If the file referenced in AuthUserFile doesn't exist, every authentication attempt fails. Check with File Manager or SSH.
- Corrupted .htpasswd entries - Each line should be username:encrypted_password. If the file contains blank lines or malformed entries, authentication may fail.
To remove manual authentication, delete or comment out the AuthType, AuthName, AuthUserFile, and Require lines from the .htaccess file. For more on .htaccess editing, see our complete .htaccess guide.
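The three problems listed above, and the stale path a migration can leave behind, can be checked over SSH with a short script. This is an added example, not code from the original article or from cPanel; the function names and the sample files it writes to a temporary directory are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

DIRECTIVE = re.compile(r"^\s*AuthUserFile\s+(.+?)\s*$", re.IGNORECASE)


def find_auth_user_file(text):
    """Return the path from the last uncommented AuthUserFile line, or None."""
    found = [m.group(1).strip('"') for m in map(DIRECTIVE.match, text.splitlines()) if m]
    return found[-1] if found else None


def bad_htpasswd_lines(text):
    """List every line that is blank or not in username:hash form."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        user, sep, hashed = line.partition(":")
        if not line.strip():
            problems.append("line %d: blank line" % number)
        elif not sep or not user.strip() or not hashed.strip():
            problems.append("line %d: not in username:hash form" % number)
    return problems


def audit(htaccess_path):
    """Check for a relative path, a missing file, then malformed entries."""
    auth_file = find_auth_user_file(Path(htaccess_path).read_text())
    if auth_file is None:
        return ["no AuthUserFile directive found"]
    if not Path(auth_file).is_absolute():
        return ["AuthUserFile is not an absolute path: " + auth_file]
    if not Path(auth_file).is_file():
        return ["AuthUserFile not found: " + auth_file]
    return bad_htpasswd_lines(Path(auth_file).read_text())


def demo():
    """Added demo: audit constructed (not real) files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        passwd = Path(tmp, "passwd")
        passwd.write_text("alice:$apr1$CONSTRUCTED$notarealhash\n\nbob\n")
        htaccess = Path(tmp, ".htaccess")
        htaccess.write_text('AuthType Basic\nAuthUserFile "%s"\nRequire valid-user\n' % passwd)
        return audit(htaccess)


if __name__ == "__main__":
    print(demo())
```

On a real account, call audit() with the path to the protected directory's .htaccess; an empty list means the path resolves and every entry is well-formed.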
05. WordPress-Specific 401 Errors
401 on wp-login.php
Security plugins like iThemes Security, Wordfence, or All In One WP Security can add HTTP authentication to the login page. Check your security plugin settings for "HTTP Authentication" or "Two-Factor HTTP Auth" options and disable them if they're causing issues.
401 on wp-admin AJAX Requests
If you see 401 errors in the browser console on admin-ajax.php, your authentication cookie may have expired. Log out of WordPress completely, clear your browser cookies for the domain, and log back in.
401 After Moving or Cloning a Site
If you migrated the site, the .htpasswd file path in .htaccess may still reference the old server's home directory. Update the path to match the new server's directory structure.
06. ModSecurity Blocks
ModSecurity (our web application firewall) occasionally triggers on legitimate requests and returns a 401 or 403 error. Signs that ModSecurity is the cause:
- The 401 only happens on form submissions - Not on page loads.
- The 401 happens intermittently - Some submissions work, others don't.
- The error appears in the Apache error log - Check your error log in cPanel > Errors or via SSH at ~/logs/error.log for lines containing "ModSecurity."
If ModSecurity is the cause, open a support ticket with the error log entry. We can add a rule exception for the specific false positive. See our ModSecurity troubleshooting guide for more details.
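To pull the details a support ticket needs out of the error log, the ModSecurity lines can be filtered by status code and grouped by rule id and URI. This is an added example, not part of the original article; it assumes the ModSecurity 2.x Apache error-log layout, and every log line, rule id and address in it is constructed.

```python
import re
from collections import Counter

# Constructed sample lines (not real log data): the client address, rule ids,
# file paths and URIs are made up for this example.
SAMPLE_LOG = """\
[Tue Mar 03 10:15:32.104 2026] [:error] [pid 4121] [client 203.0.113.7:50112] ModSecurity: Access denied with code 401 (phase 2). Pattern match "..." at ARGS:message. [file "/constructed/rules.conf"] [line "41"] [id "1000001"] [msg "Constructed rule A"] [hostname "example.com"] [uri "/contact.php"] [unique_id "constructed-1"]
[Tue Mar 03 10:15:40.220 2026] [core:info] [pid 4121] [client 203.0.113.7:50113] AH00128: File does not exist: /home/username/public_html/favicon.ico
[Tue Mar 03 10:17:02.871 2026] [:error] [pid 4130] [client 203.0.113.7:50140] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:log. [file "/constructed/rules.conf"] [line "77"] [id "1000002"] [msg "Constructed rule B"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "constructed-2"]
[Tue Mar 03 10:21:45.009 2026] [:error] [pid 4133] [client 203.0.113.7:50188] ModSecurity: Access denied with code 401 (phase 2). Pattern match "..." at ARGS:message. [file "/constructed/rules.conf"] [line "41"] [id "1000001"] [msg "Constructed rule A"] [hostname "example.com"] [uri "/contact.php"] [unique_id "constructed-3"]
"""

# [name "value"] metadata fields that ModSecurity appends to each log entry.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CODE = re.compile(r"ModSecurity: Access denied with code (\d{3})")


def modsec_denials(log_text, status="401"):
    """Return one dict per ModSecurity denial that answered with `status`."""
    hits = []
    for line in log_text.splitlines():
        code = CODE.search(line)
        if code and code.group(1) == status:
            fields = dict(FIELD.findall(line))
            hits.append({k: fields.get(k, "?") for k in ("id", "msg", "uri")})
    return hits


def summarize(hits):
    """Count denials per (rule id, URI) so the ticket can name the exact rule."""
    return Counter((h["id"], h["uri"]) for h in hits).most_common()


if __name__ == "__main__":
    for (rule_id, uri), count in summarize(modsec_denials(SAMPLE_LOG)):
        print("rule %s blocked %s with 401, %d time(s)" % (rule_id, uri, count))
```

A rule id that appears only against a form-handling URI matches the pattern described above and is the entry to quote in the ticket.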
Still Seeing 401 Errors?
If you've checked all of the above and can't find the source of the authentication requirement, open a support ticket and include the exact URL that's returning 401.
Quick Recap: Fixing 401 Unauthorized
- Check Directory Privacy - Look for password protection in cPanel that you may have forgotten about
- Check .htaccess - Look for AuthType/AuthUserFile directives and verify the .htpasswd path
- Check security plugins - WordPress security plugins can add HTTP auth on top of the normal login
- Check error logs - Look for ModSecurity entries if the 401 only happens on form submissions
- Reset if needed - Remove and recreate password protection with correct credentials
Last updated March 2026
