Jump to content

Password Protect Your WordPress Admin (wp-admin) Directory

Recommended Posts

  • ✔ Verified Account


As you read the title, you are probably wondering isn’t the wp-admin directory already password protected. You are required to login right. Well that is true, but to add an additional layer of security popular sites often add an extra layer of authentication. Few days ago, we started seeing some suspicious activity on WPBeginner, so our host HostGator advised us to password protect our WordPress admin directory. Apparently popular sites like Mashable do the same. In this article, we will show you a step by step guide on how to password protect your WordPress admin (wp-admin) directory.

To keep things easy and simple, we will only cover cPanel web hosting companies here just because cPanel has an easy enough interface to add password protected directories. 

Login to your cPanel. Scroll down till you see the Security Tab. Click on the “Password Protect Directories” icon.


When you click on that, a lightbox popup will show up asking for directory location. Just click on web root. Once you are there, navigate to the folder where your WordPress is hosted. Then click on the /wp-admin/ folder. You will see a screen like this:



Simply check the box to password protect the directory. Then create a user for the directory. That is it. Now when you try to access your wp-admin directory, you should see an authentication required box like this:


Manual Method

First create a .htpasswds file. You can do so easily by using this generator. Upload this file outside your /public_html/ directory. A good path would be:


Then, create a .htaccess file and upload it in /wp-admin/ directory. Then add the following codes in there:

AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user putyourusernamehere

You must update your username in there. Also don’t forget to update the AuthUserFile location path.

I have a 404 Error or a Too many redirects error

Well this can happen depending on how your server is configured. To fix this issue, open your main WordPress .htaccess file and add the following code there before the WordPress rules start.

ErrorDocument 401 default

Well there you have it. Now you have double authentication for your WordPress admin area. This is a good alternative to limiting wp-admin access by IP address.

Here is how to fix the Admin Ajax Issue

If you password protect your WordPress Admin directory, then it will break the Ajax functionality in the front-end (if it is being used). In our case, we don’t have any plugins that is using ajax in the front-end. But if you do, then here is how you fix that issue.

Open the .htaccess file located in your /wp-admin/ folder (This is NOT the main .htaccess file that we edited above).

In the wp-admin .htaccess file, paste the following code:

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any 


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Similar Content

    • By sangcracker
      The WooCommerce UPS Shipping allows a store to obtain shipping rates for your orders dynamically via the UPS Shipping API.
      Founded in 1907 as a messenger company in the United States, UPS has grown into a multi-billion-dollar corporation by clearly focusing on enabling commerce around the globe.
    • By sangcracker
      The Pre-Orders WooCommerce extension allows you to set up pre-orders in your store so customers can order products before they are available.
      Set up pre-orders in your WooCommerce store, so customers can order products before they’re available. You can automatically or manually release and fill orders when you’re ready and let the extension handle the rest!
    • By sangcracker
      Hide My WP is number one security plugin for WordPress. It hides your WordPress from attackers, spammers and theme detectors. Over 26,000 satisfied customers use Hide My WP. It also hides your wp login URL and renames admin URL. It detects and blocks XSS, SQL Injection type of security attacks on your WordPress website.
      The magic starts now… But before it, stick in your mind we don’t change any file or folder and everything is in its default location! we just control access to it and this guarantees maximum compatibility for the plugin.
      Hide wp-login.php
      Try this: hide-my-wp.wpwave.com/wp-login.php Not found!? OK. Try this one: hide-my-wp.wpwave.com/wp-login.php?hide_my_wp=1234 Hide or change wp-admin and all of its files (for untrusted users)
      hide-my-wp.wpwave.com/wp-admin/ – Not found! or Change it to wpwave.com/my-admin/ Change WordPress theme directory, remove theme Info from stylesheet, replace default WP classes and finally minify it!
      hide-my-wp.wpwave.com/template/main.css (Instead: .../wp-content/themes/twentytwelve/style.css) Change plugins directory and hash plugins name
      hide-my-wp.wpwave.com/modules/95578af5/shortcodes.css (Instead: .../wp-content/plugins/zilla-shortcodes/shortcodes.css) hide-my-wp.wpwave.com/modules/95578af5/shortcodes.php – Not found! (Deny access) Change upload URL, wp-includes folder, AJAX URL, etc.
      hide-my-wp.wpwave.com/file/test-image-landscape.jpg (Instead: .../wp-content/uploads/test-image-landscape.jpg) hide-my-wp.wpwave.com/lib/js/jquery/jquery.js (Instead: .../wp-includes/js/jquery/jquery.js) hide-my-wp.wpwave.com/ajax.php – Output 0 (Instead: .../wp-admin/admin-ajax.php) Change WordPress queries URL:
      New URLs:
      hide-my-wp.wpwave.com/?article_id=1 hide-my-wp.wpwave.com/?user=1 hide-my-wp.wpwave.com/?find=hide Old, not working URLs:
      hide-my-wp.wpwave.com/?p=1 – Nothing happen! hide-my-wp.wpwave.com/?author=1 – Nothing happen! hide-my-wp.wpwave.com/?s=hide – Nothing happen! Change author permalink (or disable it!)
      New: hide-my-wp.wpwave.com/admin or wpwave.com/profile/admin (Optional) Old: hide-my-wp.wpwave.com/author/admin – Not found! Change or disable feeds
      New: hide-my-wp.wpwave.com/index.xml New: hide-my-wp.wpwave.com/cat/aciform/index.xml Old: hide-my-wp.wpwave.com/feed/ – Not found! Old: hide-my-wp.wpwave.com/cat/uncategorized/feed/ – Not found! Hide all other WordPress files!
      hide-my-wp.wpwave.com/readme.html – Not found! hide-my-wp.wpwave.com/license.txt – Not found! Disable WordPress archives, categories, tags, pages, posts, etc
      hide-my-wp.wpwave.com/2012/09/ – Not found! hide-my-wp.wpwave.com/?m=201209 – Nothing happen!
    • By c0d1ng
      Pernah mendengar kata HeartBeat sebelumnya? Jika diartikan secara harfiah, heartbeat artinya detak jantung. Lalu apa hubungannya dengan WordPress? Dikutip dari Developer WordPress, HeartBeat merupakan suatu service API yang berfungsi untuk menyediakan informasi real time serta melakukan sinkronisasi data pada server dan tampilan dasbor. Masih bingung? Oke, pelan- pelan ya. Jadi, pernahkah kamu membuat suatu postingan di WordPress? Setelah selesai pasti kamu akan klik post. Dan jika ingin melakukan editing, pasti klik Update. Pernahkan kamu mengamati bahwa WordPress akan senantiasa melakukan update secara otomatis? Atau pernahkah kamu mengamati bahwa WordPress akan selalu melakukan pengecekan koneksi internet secara berkala? Nah, itulah fungsi dari Heartbeat API.
      Kehebatan dan Kelemahan HeartBeat
      Dari beberapa penjelasan di atas, kehebatan HeartBeat sudah tidak diragukan lagi.
      Kamu bisa melakukan editing artikel di WordPress tanpa takut lupa klik Save. HeartBeat API akan melakukan pengecekan koneksi internet dan manajemen session user. HeartBeat API akan selalu menyediakan informasi secara real time dan sinkronisasi data. Namun, di satu sisi HeartBeat API juga memiliki kelemahan. Kelemahannya adalah proses sinkronisasi data yang realtime akan meningkatkan penggunaan CPU sehingga server bisa overload. Nah, inilah yang akan jadi masalah. Penggunaaan CPU Usage yang cukup tinggi akan membebani server lainnya khususnya bagi pengguna shared Hosting. Hal ini tentu saja akan berakibat pada website kamu lho! Website kamu bukannya semakin cepat diakses, malah semakin lambat nantinya. Dari segi performa juga akan menurun.
      Bagaimana solusinya?
      Gampang! Kamu bisa menggunakan Plugin HeartBeat Control yang tersedia di WordPress. Plugin ini akan berfungsi untuk melakukan kontrol frekuensi “denyut” si HeartBeat. Jadi, kamu bisa mengatur frekuensi sinkronisasi data yang digunakan. Misalnya setiap 15 menit atau 30 menit untuk menghindari penggunaan CPU yang berlebihan. Untuk melakukan instalasi, silahkan baca Cara Install HeartBeat Control. Selain itu, ada juga cara biasa yang bisa kamu lakukan. Jangan sekali- kali membuka halaman dashboard/ editor post terlalu lama atau bahkan membukanya di banyak jendela browser.
      Nah, mulai sekarang coba ubah kebiasaan kamu. Fitur HeartBeat WordPress ini sangatlah hebat dan memiliki berbagai keunggulan. Namun, jangan sampai keunggulan ini menjadi duri buat kamu ya DomaiNesians! Jangan sampai website kamu error atau website kamu tersuspend gara- gara CPU Usage yang membengkak. Segera atasi dengan plugin Heartbeat Control ya! ?
    • By c0d1ng
      Take Social Sharing to the Next Level with Monarch. A Social Media Plugin with Style
  • Create New...