Ready to take your WordPress blog’s security to the next level?… Recently, I have shown you how to change the WordPress login URL and make it a custom one. It will help us to deny access to unauthorized users. However, in that article, I have said you could protect the wp-admin directory with a username and password.

It will double the security of your blog.

and guess what… In this post, we are going to show you how you can password protect WordPress admin directory. Also how to make your blog more secure! Here, we have a step by step guide for all beginners!

Why Password Protection Is a Good Idea?

As I told in my previous article, WordPress (self-hosted) is the best CMS for creating blogs and websites. And right now, there are more than 75 million WordPress installations are active! Due to that fact, hackers will try gaining access to your blog through a core vulnerability or via an outdated plugin.

When a beginner starts a blog, probably he will not care about the security of his website. By password protecting the wp-admin directory, we could prevent unauthorized access to our admin page and also brute force attacks.

There are so many popular blogs and websites are already protected their admin page using this method!

Do We Need To Use Any WordPress Plugins?

Absolutely no.

There are a few WordPress security plugins are available like Sucuri Security, Wordfence, etc which will improve our overall WordPress security. For doing this, we don’t want to use any of them.

However, you could also consider a security plugin on your blog as a backup option. Personally, I would use and recommend Sucuri.

How To Password Protect WordPress Admin Section?

So, let’s begin.

You need to edit some of your files. For that, you need cPanel access or an FTP account and a client like FileZilla. In our case, we will always choose cPanel file manager for accessing the website files and for editing.

Just log in to the cPanel and find file manager.

password protect wordpress admin

Open the file manager and you could see all the website’s files.

file manager of website

From the cPanel’s settings, enable the hidden files.

hidden files in cpanel

Now, it will show you all the hidden files (files which starts with *.*)

hidden files in cpanel

Create a new file and name it. You could call it anything. In this case, we are going to name it .orhubpw. You must put the period (.) before the file’s name.

.htpassword file

Now, edit the file.

edit htpassword file

and you will be landed on the editor. This is where we add and remove contents to the file.

cpanel editor

great. Let’s move to the next step.

Creating Htpassword

For creating a Htpassword go to this website.

htpassword generator

Enter your

  • Username,
  • Password

there and create a new Htpassword file.

create htpassword

and on the next page, you could see an encrypted password.

htpassword is created

Copy the complete text from there and paste it in your .orhubpw file. Also, don’t forget to save the file.

save the password file

Right. Next thing we need to do is, create a .htaccess file under the home directory. Not in the public_html folder. Just where we are right now.

You could create the .htaccess file just like we created the .orhubpw file.

Now, edit the .htaccess file.

htaccess editing

Copy the code from below.

ErrorDocument 401 "Sorry. Unauthorized Access. You are not allowed to access /wp-admin/ page."
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.orhubpw
require valid-user

You need to paste the code in your newly created htaccess file. Before saving it, we need to make some changes.

  • Edit the cPanel username.
  • Edit the .htpassword file name.

Let’s say that your cPanel’s username is Chris. Also, the htpassword file name is chrispw. The file location would be like AuthUserFile /home/Chris/.chrispw. You may want to change it according to your location and username.

Once you saved the file, you are done!

So whenever someone tries to access your blog’s admin area, probably they will see a username and password box.

wp admin page protected

They won’t be able to see the log in page if they don’t have the right username and password. If they click on the cancel button, they will be redirected to the error message.

wpadmin authentication failed

Cool, isn’t it?


You will not see an authentication box when you are already logged in to the blog. For testing it, you could try the admin URL in an incognito window.

If you really care about your WordPress blog’s security, you may want to consider something like this. This will take only 5 minutes to set up. However, fixing a hacked WordPress blog will cost $250/ hour when you hire an expert.

This basic security feature will protect your blog from small attacks!

That’s it! This is how you can password protect WordPress admin directory. If you got any issues, you could comment down or contact us. We’d be happy to help you! And don’t forget to add this pin to your Pinterest board.

How To Password Protect WordPress Admin Directory - Pinterest Image

Image Credits: Freepik

For more related posts, probably you need to check out our blog section.

Crafted by Christina
Christina is an author at OnlineRockersHub. She mainly writes WordPress tutorials, how-to guides, product reviews for the community! Also handles the OnlineRockersHub Deals section!

Follow on: Facebook, Twitter And read all posts by Christina

Join our Facebook Group!

Let's discuss more about Blogging.

You have Successfully Subscribed!

Pin It on Pinterest