How to Password Protect WordPress Admin Directory?
Ready to take your WordPress blog’s security to the next level?
Recently, we have shown you how to change the WordPress login URL and make it custom. It will help us to deny access to unauthorized users. However, in that article, we said you could protect the wp-admin directory with a username and password.
It will double the security of your blog.
And guess what… This post will show you how to password-protect the WordPress admin directory. Also, how to make your blog more secure! Here, we have a step-by-step guide for all beginners!
Why Password Protection Is a Good Idea?
Our previous article says WordPress (self-hosted) is the best CMS for creating blogs and websites. Right now, more than 75 million WordPress installations are active! Unfortunately, because of that popularity, hackers will try to gain access to your blog through a core vulnerability or an outdated plugin.
When a beginner starts a blog, he will probably not care about the website’s security. However, password-protecting the wp-admin directory could prevent unauthorized access to our admin page and brute-force attacks.
Many famous blogs and websites have already protected their admin page using this method!
Do We Need to Use Any WordPress Plugins?
Absolutely no.
A few WordPress security plugins are available, like Sucuri Security, Wordfence, etc., which will improve our overall WordPress security. However, we don’t want to use any of them.
That said, you could also consider a security plugin on your blog as a backup option. Personally, we would use and recommend Sucuri.
How to Password Protect WordPress Admin Section?
So, let’s begin.
You need to edit some of your files. You need cPanel access or an FTP account and a client like FileZilla. In our case, we will always choose the cPanel file manager for accessing the website files and for editing.
Just log in to the cPanel and find the file manager.
Open the file manager to see all the website’s files.
From the cPanel’s settings, enable the hidden files.
Now, it will show you all the hidden files (files whose names start with a period).
Create a new file and name it. You could call it anything. In this case, we are going to name it .orhubpw. You must put the period (.) before the file’s name.
Now, edit the file.
You will land in the editor. This is where we add and remove the file's contents.
Great. Let’s move to the next step.
Creating Password
To create a Htpassword, go to this website.
Enter your
- Username,
- Password
there and create a new Htpassword file.
On the next page, you can see the encrypted (hashed) password.
Copy the complete text from there and paste it into your .orhubpw file. Also, don’t forget to save the file.
Right. The next thing we need to do is, create a .htaccess file under the home directory. Not in the public_html folder. Just where we are right now.
You could create the .htaccess file just like we made the .orhubpw file.
Now, edit the .htaccess file.
Copy the code from below.
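# Messages shown when authentication fails (401) or access is forbidden (403)
ErrorDocument 401 "Sorry. Unauthorized Access. You are not allowed to access /wp-admin/ page."
ErrorDocument 403 "Forbidden"

# Require HTTP Basic authentication before wp-login.php is served
<FilesMatch "wp-login\.php">
    AuthName "Authorized Only"
    AuthType Basic
    AuthUserFile /home/username/.orhubpw
    require valid-user
</FilesMatch>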
You need to paste the code in your newly created htaccess file. Before saving it, we need to make some changes.
- Edit the cPanel username.
- Edit the .htpassword file name.
Let’s say that your cPanel username is Chris. Also, the htpassword file name is chrispw. The file location would be like AuthUserFile /home/Chris/.chrispw. You may want to change it according to your location and username.
Once you save the file, you are done!
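An added example (not part of the original tutorial): a small Python check to run against copies of the two files created above. It reports the hash scheme of each password-file entry, flags the schemes the Apache documentation calls insecure ({SHA}, crypt(), plain text), and confirms the AuthUserFile path lies outside the web root. The function names and sample entries are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# (prefix, scheme, weak?) for hash formats found in Apache password files.
SCHEMES = [("$2y$", "bcrypt", False), ("$2a$", "bcrypt", False), ("$2b$", "bcrypt", False),
           ("$apr1$", "apr1-md5", False), ("$5$", "sha256-crypt", False),
           ("$6$", "sha512-crypt", False), ("{SHA}", "sha1-unsalted", True)]

def classify(hash_field):  # returns (scheme, weak)
    for prefix, name, weak in SCHEMES:
        if hash_field.startswith(prefix):
            return name, weak
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "des-crypt", True  # traditional crypt(): only 8 characters count
    return "plaintext-or-unknown", True

def audit_htpasswd(text):  # returns [(line number, user, scheme, weak), ...]
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments are skipped
            continue
        user, sep, rest = line.partition(":")
        hash_field = rest.split(":", 1)[0]
        if not sep or not user or not hash_field:
            findings.append((lineno, user or "?", "malformed", True))
        else:
            findings.append((lineno, user, *classify(hash_field)))
    return findings

def auth_user_file(htaccess_text):  # path given to AuthUserFile, or None
    m = re.search(r'^\s*AuthUserFile\s+"?([^"\s]+)"?', htaccess_text, re.M | re.I)
    return m.group(1) if m else None

def inside_docroot(path, docroot):  # True if the file sits in or below the web root
    return PurePosixPath(docroot) in PurePosixPath(path).parents

# Constructed sample data (not real hashes); paths follow the article's example.
SAMPLE_HTPASSWD = (
    "chris:$2y$10$CONSTRUCTEDconstructedCONSTRUCTEDconstructedCONSTRUCTED000\n"
    "olduser:{SHA}Q09OU1RSVUNURURTQU1QTEU=\n"
    "legacy:abJnggxhB/yWI\n"
)
SAMPLE_HTACCESS = "AuthType Basic\nAuthUserFile /home/Chris/.chrispw\nrequire valid-user\n"

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE_HTPASSWD):
        print(finding)
    path = auth_user_file(SAMPLE_HTACCESS)
    print(path, "inside web root:", inside_docroot(path, "/home/Chris/public_html"))
```

Any entry reported with a weak flag is best regenerated as bcrypt, and a password file reported inside the web root should be moved above public_html as the steps above describe.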
So whenever someone tries to access your blog’s admin area, they will see a username and password box.
They won’t see the login page if they don’t have the correct username and password. If they click the cancel button, they will be shown the error message.
Cool, isn’t it?
Troubleshooting
You will not see an authentication box when logged in to the blog. You could try the admin URL in an incognito window to test it.
If you really care about your WordPress blog’s security, you may want to consider something like this. It takes only 5 minutes to set up, whereas hiring an expert to fix a hacked WordPress blog will cost $250/hour.
This primary security feature will protect your blog from small attacks!
That’s it! This is how you can password-protect the WordPress admin directory. If you have any issues, you can comment below or contact us.
Comments
Andrei says
Hi guys,
After the first user enumeration or brute force, a security plugin will block that IP address.
If you password protect the wp-admin directory the plugin can no longer block that IP. As a consequence such IPs will put a load on your server, slowing down website response time (or even taking it down).
Is that a correct assessment?
Nirmal Kumar says
Hey Andrei,
Your idea could be correct. But, we are yet to try this out on our test websites. Have you faced a similar issue on any of your websites?