This is perhaps the most overdue blog post of all time - it's an issue I've seen clients come up against in all of my nearly 20 years of making websites! So hopefully this blog post will help explain a hurdle which, when faced, can make a client feel anxious about their new website and nervous that they're not going to be able to handle logging into their site or working with their developer.
Password protecting your website
Basically, there there are times when you may have 2 different logins to access your website. It's for a very good reason, and it's very easy to know when to use which one.
When your website is being built, and you don't want the world to see it yet or Google to index it (there are other ways to block Google but sometimes this one is the most reassuring), your developer can password protect the site using your .htaccess file. You don't need to worry what .htaccess means, but the point is, it means the whole website is blocked to the world.
If you go to a website that's got a .htaccess password protection on it, you'll see a pop up window like this that you need to fill in with what your developer gives you:
The whole page is white other than this dialog box that's popped up by your browser and you can't see anything of the website itself. You'll possibly only see this the first time you visit your staging server / website that's under development, or you might see it every time depending on your browser settings.
Pop in the user name and password your developer has given you to access the staging site, and you'll be shown the site in all it's new glory! The user name and password doesn't need to be super super secure - this is just for your peace of mind really that your big reveal is still going to be that, a surprise to the world!
Once your website is ready to go live, this password protection will be removed. Or, if you've got a permanent staging site, the staging server will always have this but the live version of your site won't.
Meanwhile, you may then need to get into the admin of your website in order to add content, or check some settings. And that is a different login. That one needs to be super super secure as it'll be how access is gained to your live site and so you don't want anyone guessing it.
Your admin login page will probably look a lot nicer than the .htaccess example above. If you're using WordPress it may be WordPress branded, or if you've got a Laravel site build it'll be branded to your site - below are a couple of examples. The point is, it's (generally, now a days) not a popped up little window from your browser - it's an actual form on the page of your website itself.
Here, you enter your own personal admin login - which will be (or should be) unique to you - whereas the .htaccess password which is hiding the site from the world will (usually) be the same for everyone who needs a sneaky peak before launch.
Now, where it can get confusing, is if you get both. If you go to log into the admin of your website on staging, you're likely to see the .htaccess pop up box first if the site is password protected, and then once you're past that, you'll see this actual admin login screen. And you just need to make sure you enter the right credentials into each.