How To Password Protect Your WP Admin Folder in WordPress

Thousands of WordPress sites are hacked every month.

Hackers can get in and do damage because many beginners don’t lock down access to vulnerable files.

An easy way to protect your installation is to install an all-in-one security plugin like Wordfence.

On top of this, you can also password protect your WordPress administration folder, named wp-admin.

This folder contains the login files to access your WordPress dashboard.

Password Protect wp-admin Folder

You can password protect your wp-admin folder in 2 ways.

  1. Using the security section in cPanel or your web host’s password protection feature (depends on which web host you use).
  2. Manually creating both a .htaccess file and a .htpasswd file for your wp-admin directory.

Let’s take a look at how to enable password protection for your wp-admin directory on your website. We will also look at how to create users who are allowed access to that specific directory using a password.

Netfirms Hosting Clients

Here’s the tutorial and video you can watch to learn more about password protecting specific directories if you’re a Netfirms user.

cPanel Users

Log in to cPanel and navigate to the Security section.

Control Panel

Click Password Protect Directories.

Password Protect Directories

  • Check the Password protect this directory box
  • Name the protected directory

Security Settings - Create a User

Create a User

  • Enter a strong username
  • Enter a strong password
  • Add the authorized user

Password protection allows you to require a username and password to access a folder within your site from the web. When password protecting a folder, there are a few things to remember.

Protecting a folder will protect all folders within that folder. Also, you will need to create users who can access the protected directory. You can give the password protected directory any name, no matter what the actual directory is called.

Source: Hostgator

Manually Password Protect wp-admin directory

To secure your wp-admin folder, we’ll use a tool to create code for 2 files.

We’ll then create the 2 new files and upload them to 2 different locations.

  1. Create & upload a new .htpasswd file to a non public_html directory.
  2. Create & upload a new .htaccess file to your wp-admin folder.

The online tool we’ll be using will create the code you need to place inside the 2 different files.

Step 1. Create .htaccess Code Using Dynamic Drive

One of the best tools which creates the code needed to password protect your folders is from Dynamic Drive.

htaccess password generator

  • Create a username and password for the directory you want to secure
  • Enter the path to your .htpasswd file (Use the path above and change the username which you currently use on your server).
  • Click submit

Create & Upload .htaccess File

The next step is to copy the generated code and paste it into a new file named .htaccess.

.htaccess generated code

Then upload the file into the directory you want to password protect (wp-admin).

Use FTP to upload the file or create the new file using your web host’s File Manager in cPanel.

Place the file inside your wp-admin folder on your server.

If you get Ajax errors, include this code in the file: <Files admin-ajax.php>

Step 2. Create a .htpasswd File

  • Create a new file named .htpasswd using Notepad or your web host’s file manager
  • Paste the generated code for .htpasswd into the file and upload it to the same location you entered for AuthUserFile

.htpasswd generated code

Note: Your .htpasswd file should be uploaded to a non-public folder above your public HTML folder, to prevent visitors from viewing the file.

An example of a path outside public_html is:

home/serveruser/htpasswds/public_html/wp-admin/.htpasswd/

Replace serveruser with your own server username.

Change File Permissions

To protect your admin folder even further, you can change the permissions on both files to 444 (read-only).

Do this in your web host’s cPanel account using File Manager, or use FTP.
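
The placement and permission rules above can be checked before you upload. The following is an added example, not code from the original article or from the generator it uses: it reads the top-level directives of a wp-admin .htaccess and reports a password file that sits inside the web root, a missing login requirement, or a writable password file. The function name, the sample file and all paths are assumptions, and the web root is passed as an absolute path.

```python
import posixpath

# Constructed sample modeled on the article's example path; "serveruser" is a placeholder.
SAMPLE = '''AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/serveruser/htpasswds/public_html/wp-admin/.htpasswd
Require valid-user
'''

def audit_htaccess(text, docroot, htpasswd_mode=None):
    """Return a list of findings for a wp-admin .htaccess (empty list means OK)."""
    top, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth = max(depth - 1, 0)
        elif line.startswith("<"):
            depth += 1  # e.g. <Files admin-ajax.php>: applies to that file only
        elif depth == 0:
            name, *rest = line.split(None, 1)
            top[name.lower()] = rest[0].strip('"') if rest else ""
    findings = []
    if top.get("authtype", "").lower() != "basic":
        findings.append("AuthType Basic is missing")
    if "require" not in top:
        findings.append("no top-level Require, so no login is enforced")
    path = top.get("authuserfile")
    if not path:
        findings.append("AuthUserFile is missing")
    elif not posixpath.isabs(path):
        findings.append("AuthUserFile is relative (Apache resolves it against ServerRoot)")
    else:
        # Lexical check only: symlinks are not resolved.
        root = posixpath.normpath(docroot)
        if posixpath.commonpath([root, posixpath.normpath(path)]) == root:
            findings.append("AuthUserFile is inside the web root")
    if htpasswd_mode is not None and htpasswd_mode & 0o222:
        findings.append("password file is writable (the article sets 444)")
    return findings

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE, "/home/serveruser/public_html", 0o444):
        print("FINDING:", finding)
```

The sample passes even though its path contains the words public_html, because the check compares the path against the real web root, not against the folder name.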

Server Errors

You may run into problems when uploading these 2 files to your server.

It really depends on how your web host has configured your server.

If you get a 404 page not found error or server errors, delete the files and contact your hosting admin for support.


Comments

2 responses to “How To Password Protect Your WP Admin Folder in WordPress”

  1. Did it and it works fine, but now all other subscribers have to know my .htpasswd to log in, and new subscribers also. Is it possible to circumvent this?

    Regards

    1. Brad Dalton

      John

      That’s exactly what it does.

      If you don’t want to password protect the folder from all users, this code isn’t for you.

      Use a plugin which gives you more flexibility
