Password Protect Your WordPress Admin!
- Updated: Dec 10, 2016
Security is an incredibly important aspect of running your online business. There are certain parts of your website which are certainly more important than others. An example would be access to the administrative areas of your website where significant changes can be made.
I’ve already talked about how you can harden the security measures on your login page for your WordPress website. In summary, you’ll need to:
- Use a strong password and unusual username to prevent brute force attacks.
- Enforce SSL to encrypt communication across the web.
- Limiting the number of login attempts.
- Employ two factor authentication.
- And finally also hide your login page and your wp-admin pages.
You can read more about each of those security measures on my article titled, “5 Steps To Secure A WordPress Login Page“.
This particular tutorial deals with only your WP-Admin page; the previous article advocated using obscurity to change the address of your WordPress Admin page so as to throw would be mischief makers off their game.
That is one strategy. The alternate strategy for added security is using an extra layer, yet another wall that requires a password to access. You can, of course, employ them both.
Create A Password Protected Directory – cPanel
You can create a password protected directory from your cPanel (most web hosts use cPanel). The procedure is similar with most hosting services. However, if yours does not utilize cPanel, you may want to ask your support for guidance in accessing this area of your site. Below are screenshots I’ve taken are from Bluehost’s demo cPanel.
Find the directory password icon and select it. Once you do, if WordPress has been installed, then you should be able to find the wp-admin folder. Select the folder (wp-admin) for which you would like to create a password protected directory.
In the next screen, you can edit the name of the chosen directory and activate password protection. Create a user with a username and a password (make sure it’s strong), and you are done. You’ve password protected your wp-admin folder.
Many WP site owners attempt to do this and it causes some aspects of their website to break down. So if you aren’t fully comfortable about using the cPanel and editing WordPress, you might want to back up your website first.
Also remember anything inside the wp-admin folder also becomes inaccessible without the username and password. For example, if a site owner has multiple users and they all access the site’s wp-admin folder frequently, password protecting it may not be the best idea.
Going the Manual Route
This is a two-step method. First, you need to create two pieces of code. We’ll use a third party tool, freely available in Dynamic Drive.
Uploading it to the right path and the right directory is important. There is an extensive FAQ section at the end of the tool, please read it if you find yourself in unfamiliar territory.
Enter path as:
And click on “Submit”. What follows is largely well explained and can be easily replicated on your own WordPress site. Add the first part of the generated code to your .htaccess file and upload it to wp-admin (folder you wish to protect) with a file transfer client of your liking. Add the second part of the code as part of a .htpasswd file to a non-public folder.
An important point being made is the fact that the .htpasswd file should be in a non-public folder. We wouldn’t want anyone sniffing though your site’s code to come across this file now, would we?
Some users have complained that this modification can cause difficulties. If you have a plugin that runs AJAX at the front end, you might break it.
Add the following code to your .htaccess file in wp-admin; it should help overcome any difficulties due to the newly password enforced directory.