How to Password Protect Your WP Admin Folder in Wordpress
How To Password Protect Your WP Admin Folder in WordPress
There’s thousands of WordPress sites hacked every month.
The reason hackers can get in and do damage is because many beginners don’t lock down access to vunerable files.
An easy way to protect your installation is to install an all in one security plugin like WordFence.
On top of this, you can also password protect your WordPress administration directory folder named wp-admin.
This folder contains the login files to access your WordPress dashboard.
Password Protect wp-admin Folder
You can password protect your wp-admin folder 2 ways.
- Using the security section in cPanel or your web hosts password protection feature. (depends on which web host you use)
- Manually create both a .htaccess file and .htpasswds file for your wp-admin directory
Let’s take a look at how to enable password protection for your wp-admin directory on your website. We will also look at how to create users who are allowed access to that specific directory using a password.
Netfirms Hosting Clients
Here’s the tutorial and video you can watch to learn more about password protecting specific directories if you’re a netfirms user.
Cpanel Users
Login to cPanel and navigate to the Security section.
Click the Password Protect Directories
- Check the Password protect this directory box
- Name the protected directory
Create a User
- Enter a strong username
- Enter a strong password
- Add the authorized user
Password protection allows you to require a username and password to access a folder within your site from the web. When password protecting a folder, there are a few things to remember.
Protecting a folder will protect all folders within that folder. Also, you will need to create users who can access the protected directory. You can give the password protected directory any name, no matter what the actual directory is called.
Source: Hostgator
Manually Password Protect wp-admin directory
To secure your wp-admin folder, we’ll use a tool to create code for 2 files.
We’ll then create the 2 new files and upload them to 2 different locations.
- Create & upload a new .htpasswd file to a non public_html directory.
- Create & upload a new .htaccess file to your wp-admin folder.
The online tool we’ll be using will create the code you need to place inside the 2 different files.
Step 1 Create .htaccess Code Using Dynamic Drive
One of the best tools which creates the code needed to password protect your folders is from Dynamic Drive.
- Create a username and password for the directory you want to secure
- Enter the path to your .htpasswd file (Use the path above and change the username which you currently use on your server).
- Click submit
Create & Upload .htaccess File
The next step is to copy the generated code and paste it into a new file named .htaccess.
Then upload the file into the directory you want to password protect (wp-admin).
Use FTP to upload the file or create the new file using your web hosts File Manager in cPanel.
Place the file inside your wp-admin folder on your server.
If you suffer Ajax errors, include this code in the file <Files admin-ajax.php>
Step 2. Create a .htpasswd File
- Create a new file using notepad or your web hosts file manager named .htpasswd
- Paste the generated code for .htpasswd into the file and upload it to the same location you entered here: AuthUserFile
Note: Your .htpasswd file should be uploaded to a non public folder above your public HTML folder, to prevent visitors from viewing your file.
An example of a path outside public_html is:
home/serveruser/htpasswds/public_html/wp-admin/.htpasswd/
Replace serveruser with your own server username.
Change File Permissions
To protect your admin folder even further, you can change the write permissions on both files to 444.
Do this in your web hosts cPanel account using File Manager or use FTP.
Server Errors
You may run into problems when uploading these 2 files to your server.
It really depends on how your web host has configured your server.
If you suffer 404 page not found error or server errors, delete the files and contact your hosting admin for support.