Password Protect your WordPress Admin Folder

WordPress websites and blogs are prone to brute-force attacks, and a recommended way to protect your site against them is to put the wp-admin folder behind a second password that the web server itself enforces. Let me explain.

Your WordPress installation directory has three main folders:

  • the wp-content folder includes all your themes, plugins, images and other uploaded files.
  • the wp-includes folder includes the core PHP code that actually runs WordPress.
  • the wp-admin folder holds the admin dashboard used by administrators, authors and other registered members.

Unlike the public HTML pages and images of your WordPress website, the admin dashboard requires a username and password and is therefore accessible only to authorized users. To make your WordPress more secure, you can add an extra layer in front of the wp-admin folder: an HTTP Basic Authentication prompt handled by Apache, so that even authorized users cannot get in with their WordPress password alone, and password-guessing requests aimed at wp-admin are rejected by the web server before they ever reach PHP.

Secure wp-admin directory of WordPress with a Password

Here’s a step by step guide on how to password protect the wp-admin folder of WordPress. This assumes that you have installed WordPress on a Linux machine with the Apache web server, and that Apache honours .htaccess files for your site (AllowOverride All, or at least AuthConfig, Limit and FileInfo, in the virtual host or directory configuration).

Step 1. Log in to your Linux shell and create a new directory outside the web root, so the password file can never be served over HTTP. For instance, if your WordPress is installed in /home/peter/example.com/wordpress, you can create a folder as /home/peter/admin (you can give it any name).

$ mkdir /home/peter/admin

Step 2. Now we need to specify the username and password that will protect the wp-admin folder. This is independent of your Linux shell user name and of your WordPress user. The htpasswd tool comes with the apache2-utils package on Debian/Ubuntu and with httpd-tools on RHEL/CentOS.

Run the following command and remember to replace username with another name. The -c flag creates the file; leave it out when adding a second user later, otherwise the existing file is overwritten.

$ htpasswd -c /home/peter/admin/passwords username

Step 3. The above command prompts for the password twice and creates a passwords file inside the /home/peter/admin folder. You can run the “cat” command to view the entry; the password is stored as a salted hash, not encrypted, so it cannot be recovered from the file. Next we need to tell Apache to use this file to protect the wp-admin folder.

Go to your WordPress admin folder (at /home/peter/example.com/wordpress/wp-admin/) and create a new .htaccess file (either use the vi command or create the .htaccess file on your desktop and upload it to the wp-admin folder with SFTP rather than plain FTP, which sends your login in cleartext).


Step 4. Paste the following text into your new .htaccess file and replace the path after AuthUserFile with your own actual path. Save the changes.

AuthType Basic
AuthName "WordPress Protected Area"
AuthUserFile /home/peter/admin/passwords
Require valid-user
# Themes and plugins call admin-ajax.php from the public site (for logged-out
# visitors too), so it must stay reachable without the extra password.
<Files admin-ajax.php>
  Order allow,deny
  Allow from all
  Satisfy any
</Files>
# Stylesheets, scripts and images under wp-admin that the public site may
# load are matched with a regular expression, which needs FilesMatch, not Files.
# On Apache 2.4 without mod_access_compat, replace the three lines inside each
# block with: Require all granted
<FilesMatch "\.(css|gif|png|js)$">
  Order allow,deny
  Allow from all
  Satisfy any
</FilesMatch>

Step 5. Switch to the WordPress root folder (/home/peter/example.com/wordpress), open the .htaccess file for editing and add the following lines outside the #BEGIN WordPress and #END WordPress block (WordPress rewrites that block whenever you change the permalink settings, so anything placed inside it is lost).

#Do not display Authorization Error Message
#Instead, redirect to the blog home page
ErrorDocument 401 /

Save the file and you are done. All users of your WordPress (including you) will now have to enter two passwords to access the WordPress Admin dashboard. Two caveats: Basic Authentication sends the username and password with every request, only base64-encoded, so serve the site over HTTPS; and wp-login.php lives in the WordPress root, not in wp-admin, so the login form itself is still reachable. To cover it as well, add a <Files wp-login.php> block to the root .htaccess with the same AuthType, AuthName, AuthUserFile and Require valid-user lines.
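Here are the five steps above as one script, added as an example for this post (it is not the author's code). It writes the same wp-admin/.htaccess and the same ErrorDocument line, and it assumes the post's illustrative paths (/home/peter/example.com/wordpress and /home/peter/admin/passwords) and the user name peter; the host name in check_protection is also an assumption. The password is read on stdin rather than passed on the command line, and the openssl fallback is for machines without htpasswd.

```shell
#!/bin/sh
# Added example for this post (not the author's own script): runs Steps 1-5
# end to end. Default paths are the post's illustrative ones; the host name
# used by check_protection is an assumption. Run as the user that owns the
# WordPress files.
set -eu

# Steps 1-2: password file in a directory that Apache never serves.
# htpasswd (apache2-utils / httpd-tools) is preferred and stores bcrypt;
# the openssl fallback writes the apr1 format, which mod_authn_file also
# accepts. The password goes in on stdin, so it never shows up in `ps`
# output or shell history.
add_basic_auth_user() {
    passfile=$1; user=$2; password=$3
    mkdir -p "$(dirname "$passfile")"
    if command -v htpasswd >/dev/null 2>&1; then
        if [ -f "$passfile" ]; then
            printf '%s\n' "$password" | htpasswd -i -B "$passfile" "$user" || return 1
        else
            printf '%s\n' "$password" | htpasswd -i -B -c "$passfile" "$user" || return 1
        fi
    elif command -v openssl >/dev/null 2>&1; then
        hash=$(printf '%s\n' "$password" | openssl passwd -apr1 -stdin) || return 1
        if [ -f "$passfile" ]; then   # replace an existing entry for this user
            grep -v "^$user:" "$passfile" > "$passfile.tmp" || true
            mv "$passfile.tmp" "$passfile"
        fi
        printf '%s:%s\n' "$user" "$hash" >> "$passfile"
    else
        echo "need htpasswd or openssl" >&2
        return 2
    fi
    chmod 640 "$passfile"   # owner and the web server's group only
}

# Step 4: wp-admin/.htaccess. The static-file exemption uses <FilesMatch>,
# since a plain <Files> block does not take a regular expression. On Apache
# 2.4 without mod_access_compat, the three lines inside each exemption
# block become "Require all granted".
write_wp_admin_htaccess() {
    wp_root=$1; passfile=$2
    cat > "$wp_root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress Protected Area"
AuthUserFile $passfile
Require valid-user
# Themes and plugins call admin-ajax.php from the public site, so it
# has to stay reachable without the extra password.
<Files admin-ajax.php>
  Order allow,deny
  Allow from all
  Satisfy any
</Files>
<FilesMatch "\.(css|gif|png|js)\$">
  Order allow,deny
  Allow from all
  Satisfy any
</FilesMatch>
EOF
}

# Step 5: append the 401 redirect to the end of the root .htaccess, i.e.
# outside the # BEGIN/END WordPress block, and only once.
add_401_redirect() {
    root_htaccess=$1
    if [ -f "$root_htaccess" ] && grep -q '^ErrorDocument 401' "$root_htaccess"; then
        return 0
    fi
    {
        echo '#Do not display Authorization Error Message'
        echo '#Instead, redirect to the blog home page'
        echo 'ErrorDocument 401 /'
    } >> "$root_htaccess"
}

# Check from outside once Apache sees the files: /wp-admin/ must answer 401
# without credentials, while admin-ajax.php must not. Needs a live site.
check_protection() {
    base=$1   # e.g. https://example.com (assumed host name)
    admin=$(curl -s -o /dev/null -w '%{http_code}' "$base/wp-admin/")
    ajax=$(curl -s -o /dev/null -w '%{http_code}' "$base/wp-admin/admin-ajax.php")
    [ "$admin" = 401 ] && [ "$ajax" != 401 ]
}

# Usage: sh protect-wp-admin.sh /home/peter/example.com/wordpress /home/peter/admin/passwords peter
if [ $# -eq 3 ]; then
    printf 'New password for %s: ' "$3"
    stty -echo 2>/dev/null || true
    read -r pw; echo
    stty echo 2>/dev/null || true
    add_basic_auth_user "$2" "$3" "$pw"
    write_wp_admin_htaccess "$1" "$2"
    add_401_redirect "$1/.htaccess"
fi
```

After running it, call check_protection against your site (for example check_protection https://example.com) and confirm it exits 0: a 401 for /wp-admin/ shows Apache is enforcing the password, and a non-401 for admin-ajax.php shows the exemption that front-end plugins depend on is in place.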


Amit Agarwal is a web geek, solo entrepreneur and loves making things on the Internet. Google recently awarded him the Google Developer Expert and Google Cloud Champion title for his work on Google Workspace and Google Apps Script.
