Chat
888.321.HOST(4678)
Support CenterIn this article I’ll show you how to lock down and password protect your WordPress website. We’ll do this by limiting access to the /wp-admin directory and the wp-login.php script.Using these methods you will be able to help prevent unauthorized WordPress Administrator login attempts.
This guide was written in response to the WordPress wp-login.php brute force attack of April 2013.
Password protect WordPress logins
Using the steps below, I’ll show you how to create password protection for your /wp-admin directory. We’ll also copy those rules over to protect your wp-login.php script to keep WordPress as safe as possible.
If you get a redirect loop, make sure you have these ErrorDocument tags in your .htaccess file:
ErrorDocument 401 “Denied”
ErrorDocument 403 “Denied”
Please also make sure to allow /wp-admin/admin-ajax.php requests without password protection.
-
Under the Files section, click on Directory Privacy.
Click the Settings button.
In the pop-up box, select your domain in the drop-down menu labelled Document Root, then click Save Changes
Click on the text, not the folder icon, for your wp-admin directory.
-
Check Password protect this directory, give it a name, then click Save.
Now click on Go Back.
Under the Create User section, input a user name and then click on Password Generator.
In the pop-up mini-window copy the given password, and then check I have copied this password in a safe place.
Then click Use Password.
Now click on Save.
Click on Go Back.
Try to access your /wp-admin directory.
Your browser will prompt you for the password you just created.
Type in your username / password, and click Log In
Your normal WordPress admin login page should now display.
Now go back to cPanel.
Under the Files section, click on File Manager.
Click the Settings button.
Then select the Document Root for your domain, and check Show Hidden Files (dotfiles). Finally, click Save.
From the left-hand directory listing, expand public_html.
Click on wp-admin, then right-click on your .htaccess file.
Then click on Code Edit
For the encoding pop-up, click on Edit again to bypass that.
Copy all the code in the .htaccess file.
While you still have the /wp-admin/.htaccess file open, also go ahead and add the code in red:
ErrorDocument 401 “Denied”
ErrorDocument 403 “Denied”# Allow plugin access to admin-ajax.php around password protection
Order allow,deny
Allow from all
Satisfy any
You may encounter a re-direct loop at this point. If so, please ensure you’ve created the error documents mentioned earlier.
AuthType Basic
AuthName “Secure Area”
AuthUserFile “/home/example/.htpasswds/public_html/wp-admin/passwd”
require valid-user
Now make sure to save the /wp-admin/.htaccess file with the added code in it. Because on the next step you’ll just be editing the /public_html/.htaccess file.
<li style="clear: both;"><a href="/support/wp-content/uploads/2013/04/cpanel_file-manager_cPanel_file_manager_code_edit_public_html_htaccess.jpg" rel="lightbox-0"><img alt="click on public_html and code edit htaccess file" class="std_ss alignright size-full wp-image-11688" height="816" src="https://www.inmotionhosting.com/support/wp-content/uploads/2013/04/cpanel_file-manager_cPanel_file_manager_code_edit_public_html_htaccess.jpg" style="width: 160px; float: right; margin-left: 10px; position: relative; bottom: 15px;" width="777"></a>
From the left-hand directory listing, click on public_html.
Right-click on your .htaccess file, then click on Edit.
Now paste the .htaccess code you copied, in-between some
<
p class=”cli” style=”width: 500px;”> ErrorDocument 401 “Denied”
ErrorDocument 403 “Denied”
AuthType Basic
AuthName “Secure Area”
AuthUserFile “/home/example/.htpasswds/public_html/wp-admin/passwd”
require valid-user
Then click on Save Changes up at the top-right.
Code review
You should now have the /wp-admin/.htaccess file that password protects the /wp-admin directory. You then copied that same password protection over to just your main .htaccess file, so that it can also password protect your wp-login.php script directly as well.
/public_html/wp-admin/.htaccess
/public_html/.htaccess
<
p class=”cli” style=”width: 275px; float: left; white-space: nowrap; overflow: auto;”>ErrorDocument 401 “Denied”
ErrorDocument 403 “Denied”
Allow plugin access to admin-ajax.php around password protection
Order allow,deny
Allow from all
Satisfy any
AuthType Basic
AuthName “Secure Area”
AuthUserFile “/home/example/.htpasswds/public_html/wp-admin/passwd”
require valid-user
<
p class=”cli” style=”width: 300px; float: right; white-space: nowrap; overflow: auto;”>ErrorDocument 401 “Denied”
ErrorDocument 403 “Denied”
AuthType Basic
AuthName “Secure Area”
AuthUserFile “/home/example/.htpasswds/public_html/wp-admin/passwd”
require valid-user
Now if someone tries to directly login via wp-login.php they will be prompted for a valid user as well.
When a user enters invalid credentials are, they will get an Authorization Required error. They will then not be able to attempt to login to your WordPress admin directly.
You should now know how to requre a username and password before an attempt to directly login to WordPress is even allowed. This will help to protect your WordPress website from unauthroized login attempts.
Brother, I want to disable this pop-up login. How can I do this? Because I have woo commerce site.
when I login and logout it’s showing on browser top.
here’s the screenshot
https://ibb.co/q9swvZh
Hi,
Make sure the privacy code has been fully removed from the .htaccess file and that directory privacy is not enabled for that site.
Best Regards,
Alyssa K.
This “Resource” needs a Re-vamp. Well at least starting at about Step 17.
For some reason a little after that step, theres a code presumably to copy, but is being displayed on the page as:
And in small areas after that, it continues to show the site code.
Then, the “Code Review” section is all out of order. It looks like it was supposed to be set up as a side by side comparison of code for both the .htaccess files (in their respective locations), but it’s all bunched up on one side (not to mention more raw css mistakes).
Please update this article to clear up these issues for everyone looking for this help.
Thanks.
Hi, Jason — Thank you so much for your comment and discovery. We will update this article to ensure it remains a helpful resource for those who need it.
Thank you, Stormy.
Hi, thank you for this information.
Can you please write this code how to use IP?
Thank you
You should not be using Auth_basic it’s old and not secured at all. I use Ip address restrict in my host file to that directory; it’s better, more secure, etc
Did research and consulted with someone else, and have the problem solved.
The .htaccess is enacted sequentally from top to bottom. So, if you want a rule to enforce security BEFORE a re-write, then your code should be above the WordPress default entries.
… perhaps you could just tell me the best way to undo the 21 steps above … so that I can get my website operational again? Is there a way to reset the directories I’ve password protected, and remove all of the stuff from those 2 .htaccess files?
Followed the above directions religiously, and seemed to have great success. However a while later, I tried to go to my website with a different browser, ans it stopped me. It demanded the username/password. I wasn’t going to the wp-admin, I was going to public part of the website:
https://philippians123.org/
I’m afraid that no one will be able to access my site at all! I want to stop Brute Force logins … not set my entire site to password access only.
Please help me sort this out …
Appreciate your time and trouble.
What you describe is definitely not the desired outcome. It is possible that you set this security measure for the root of the site instead of only the /wp-admin directory. I advise going back to make sure this adjustment is made.
Great it’s worked fine for me.
Many thanks
I am running a blog in WordPress and I am facing problem in editing file
.htaccesswhenever I save any change it’s rejecting to save that data.Also, site is unreachable for some time can you guess what is going on.
Web Is techpur.com
Usually, if you cannot save changes to a file, it’s typically a permissions issue. I’d suggest reaching out to your hosting provider to see if they can check the file permissions. As for the site going down, we would need more information to help you troubleshoot that. Currently, your website is live and reachable via the browser.
This did not work for me, I followed every step, checked, double checked, triple checked. When this was live customers could not logout, they were directed to the Secure Area login.
I added this to htaccess:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https://(.*)?rejuventskincare\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ – [F]
BUT the Wordfence support told me that then the hackers just move to the /xmlrpc.php in so that need to be protected from direct use, so I added to “Immediately Block IPs that access these URLs”. Hopefully it will work as I am tired of all these people trying to login.
Hey John-Paul… you are right, it probably would be more complicated. Unless I used something like this htaccess :
It would be simple if I knew which page or pages were sending to wp-admin…
Honestly, the only question I have with the plug-in versions of security, is that if the original protection tripped the password, is there no chance of the plugins security to be tripped as well and have the same thing happen?
George, a plugin would likely already be updated for issues like this, as long as it’s well maintained. That would mean that it should not ‘trip’ this issue.
Hey thanks for getting back to me. I realized what was happening. When people checkout, they are essentially creating a low subscriber level user so there is a call made to the wp-admin folder.
Now I know that htaccess can allow and deny based on source/by IP address… is there any way to code the htaccess so that Woocommerce can access what it needs in the wp-admin folder in order to create a customer but no one else could without the protected username and password?
Thanks!
I spent some time looking for a solution, and could not find a working example. This means you would have to create/custom-code a solution. It would be much easier to use a security plugin to protect your site. Also, here is a helpful link to an official WooCommerce Security guide.
Thank you,
John-Paul
Hey.. I have a strange question. I did this same thing to my wp-admin folder and now all my woocommerce stuff is screwed up.
The cart won’t show up, the checkout login won’t happen and basically, the ecommerce is useless. How can I protect wp-admin and still use my ecommerce plugin?
Thanks for listening!
Since this custom code seems to be interfering with your WooCommerce cart, I recommend using a security plugin instead. This allows you to add the rule from the dashboard, and can reduce the chance of it interfering with your other plugins.
Thank you,
John-Paul
I made it to step15 and there is no .htaccess file in my wp-admin folder and I double checked that I have Show Hidden Files checked and saved as well. Can anyone advise?
If your
.htaccessfile is indeed missing, you can always create a new file and name it.htaccess. It will function the same way. But, I suggest you double-check to make sure you don’t have one already. Having two can cause unintended effects.Hi I have a large number of wp sites running on our account. Most are in a subfolder on the root directory. I am a newbie and would appreciate input. Can I place a .htaccess file on the root that will protect all the subfolders and thus access to the login pages?
Thank you for your assitance.
Hello Kim,
Thanks for the queation about your multiple WP installations. I would recommend setting up the .haccess file modification for each individual installation since each install has its own login to its corresponding WordPress Admin.
If you have any further questions or comments, please let us know.
Regards,
Arnel C.
I’ve implemented this but am still getting the WordPress Login Temporarily Disbaled Screen after entering the credentials. Have I missed something?
Hello Bonnie,
I’m sorry to hear you’re still getting the login disabled screen. Make you have cleared your browser cache and wait at least 15 minutes before attempting to login AFTER you added the code above. Did you make sure to put in the .htaccess code in the .htaccess file associated with your WordPress site? If so, and you still get the problem, I recommend contacting our live technical support department. They can review your entries and see what’s causing the login problem. They should be able to correct the issue as well.
If you have any further questions or comments, please let us know.
Regards,
Arnel C.
Thank you very helpfull post.
Hello,
In Step 14 (I reassured myself that Steps 1-13 were according your guidelines)
in location:public_html/htaccess
is the text below — Different than indicated :-((
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Can you please help to correct it?
You need to add the content described in Step 14 to the file.
Thanks Edens! 🙂
Hello!
I don’t have an .htaccess file inside wp-admin, I’ve just the one in the root of the site 🙁
Hello Marco,
You can create a .htaccess file in the wp-admin/ folder as it should not harm anything.
Best Regards,
TJ Edens
Hi Arnel,
I contacted him telling him to check again as it wasn’t doing it for me and he discovered that the error was being caused by a plugin.
Sorry to bother you and thanks for taking the time to look into my issue. That’s why I love Inmotion hosting so much I guess 😉
The url is https://******blog.com/
I’ve since installed Firefox on my Mac and I can’t reproduce the issue?
Peter
I have a user who gets the following https://www.imjustsharing.com/WB001.jpg when visiting my blog. He tells me it only happens in Firefox and he has to click the X or cancel three times before he can get rid of it.
This could be an issue as there are probably a lot of people who use the Firefox browser.
Hello Peter,
Sorry for the problem. Can you tell us what exact URL is being hit by your user? It’s hard for us to determine what’s happening without knowing that URL. We can follow-up on it once we have that information.
Kindest regards,
Arnel C.
OK, even though everything seems to be working fine to me one of my users is getting the following error message when accessing my homepage with Firefox?
A username and password are being requested by https://wassupblog.com. The site says: “Secure Area”
Hello Peter,
I am not able to get the authentication request when visiting the site. But to be safe, be sure you have not set that directory to be password protected, as that would cause the behavior being reported.
Kindest Regards,
Scott M
That is located in the cPanel dashboard as opposed to the WordPress dashboard.
Under the Security section, click on Password Protect Directories.
There is no such option under the Security section on my dashboard.
OK, I found the problem, it was in the “Secure Area”AuthUserFile “/home/example/.htpasswds/public_html/wp-admin/passwd”require valid-user” I had to substitue /example/ for my home directory! Once I did that it all worked fine. I’m not sure if you stated that in your post, either way I missed it.
Sorry for the inconvenience.
Peter
Sorry, just needed to add the same happens with **************.com/wp-admin. When I supply the name and password it redirects me to the ezesportsbetting.com/bet365/ page instead of wp-login.php?
Peter
Hi Arnel,
thanks for the quick reply. The wp-admin part of it works fine but instead of directing me to wp-login.php it goes to https://**********.com/wp-login.php?redirect_to etc Oops! Nothing found page.
This is a real pain because it means I can’t login unless I remove that part of the code from my htacess?
Peter
Hi, my domain is wassupblog.com and I’m getting too many redirects when adding ErrorDocument 401 “Denied”
ErrorDocument 403 “Denied”
<FilesMatch “wp-login.php”>
AuthType Basic
AuthName “Secure Area”
AuthUserFile “/home/example/.htpasswds/public_html/wp-admin/passwd”
require valid-user
</FilesMatch>
Also trying to log into ezesportsbetting.com I keep getting directed to another page?
Any help would be appreciated.
Peter
Hello Peter,
Sorry for the problems with your website getting lots of re-directs. When I checked your log file, there is a history of the site getting hammered with a brute force attack, so it may be getting affected by that issue. The code provided above is used to prevent unauthorized WordPress login attempts. If you’re seeing the re-directs as a result of the code above, its purpose is mainly to prevent access. If you wish to prevent the re-directs, I would suggest trying a third party solution where the default WP code is different. For example, Clef 2 factor authentication, which uses a smart phone for easy login, and there are other options as well.
If you’re getting redirected on the ezesportsbetting.com page, you may need to double-check the .htaccess file to make sure there isn’t code there to re-direct. I was unable to duplicate the issue here. Can you provide a URL where the site repeatedly re-directs? If you are worried about malware that’s causing the issue, please submit a request to the live technical support department requesting a malware scan.
If you have any further questions or comments, please let us know.
Regards,
Arnel C.
Meaning in the dashboard, I can update WordPress without having to disable your password protected wp-admin?
Thanks
Hello Crystal,
Just to clarify, the updates for WordPress normally happen automatically and within the security provided by WordPress itself, as well as the security measures setup on the server. If you have any further questions or comments, please let us know.
Regards,
Arnel C.
Hi,
Can someone on your team try out updating wp core files without disabling your system and tell me what happens? Thanks
Hello Crystal,
We do not recommend updating or modifying any core files unless it is performed by the WordPress dashboard itself.
Best Regards,
TJ Edens
i got the dialog pop up but now i am getting error 404 help please
Hello Abhishek,
This should work fine. Have you successfully tested the password protection on a non WP folder?
Kindest Regards,
Scott M
Thanks. Really it solved my problem.
so i followed the instructions, and when I tried to login once, i was asked to enter a username and password as a result of steps 1-8. i entered the credentials once, and then logged out. now when i go to the wp-login screen, the prior login screen doesn’t come up anymore.
am i only supposed to login once or something? let me know if im not making any sense.
i then proceeded with the remaining steps and added the code to both htaccess files. again, when i acces the wp-login screen, i see the field to login to my wp site right away, as opposed to being asked to login to gain access to this page.
thanks for any help!!! i am currently under an attack by a bot as i am typing this!!! :/
Hello Derek,
Yes, once you log in you do not have to log in again for as long as that session stays. Normally when you close out your browser or restart your computer.
Kindest Regards,
Scott M
I have followed the steps correctly (or at least I think I have), but when I go to logon to my WP site, there is no prompt for the second password – I am able to log-in to my site with my WP password. What am I doing wrong?
There was some additional code in my public_Html/.htaccess file – should I have deleted that? I was not sure what it was, so I just left it and added the other code to the beginning of the file.
Sorry – I don’t have much experience with this and am not sure what I’m doing.
Hello Lisa,
Sorry for the problem with the code. We would need to see it in order to determine what’s happening. If you can provide the URL then we can take a quick look. By the way, I’ve been playing with a security plugin that works with smartphone called Clef. It’s a free solution that uses two-factor authentication and can also prevent the whole brute force issue. It may be an easier solution for you, if you don’t want to continue with the coding solution provided above. If you have users who require access to your site with a smartphone, then stick with the solution provided in this article.
I hope this helps to answer your question, please let us know if you require any further assistance.
Regards,
Arnel C.
The thorough instructions and screenshots were very helpful!
I have one question about editing the /public_html/.htaccess file. When I first opended the file to add the needed code provided in the instructions, there were already 3 lines of code relating to setting up a custom php.ini. Is it okay to leave these lines and just add the extra code below?
Hello Stacey,
Yes you may leave that code there or remove it as it is added by default when your account is setup.
Best Regards,
TJ Edens
Kazi,
I use ‘limit log in attempt’ on all of my sites and all of my client sites.
However, as InMotion points out:
Most brute force attacks rely on sending direct POST requests right to your wp-login.php script.
Requiring a POST request to have your domain as the referrer can help weed out bots. [This means you have to be on your site first to login. You can add the code below to your .htaccess file to add this security feature. Make sure to change your site name and com, net or org, etc (and notice the slash) where I have in red shown enteryoursitenamehere\.com ]
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https://(.*)?enteryoursitenamehere\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ – [F]
</IfModule>
Hello Tall Paul,
The limit login attempts plugin does help prevent the brute force attacks for when customers do not want to be restricted to either a referral method or IP based restriction. We had to make modifications to our Mod Security for customers not using anything like limit login attempts.
Best Regards,
TJ Edens
thanks for the information iam able to protect my wp-admin now.
i also want to protect wp-login page. iam using shared hosting and i have 3 add on domains. now how can i protect wp-login for all three add on domains from /public_html/.htaccess
Hello Pr,
The wp-login shouldn’t be directly referred to by WordPress login. If you’re using the wp-admin to get to the login page, then it should be protected (as per the above options). You may also want to consider using a plugin for security such as Clef. Clef is great as it skips using the traditional WP login and uses two-factor authentication before a user can login. This is one option, but bear in mind that it requires a smartphone in order to work.
If you have any further questions or comments, please let us know.
Regards,
Arnel C.
Far far too many steps.
Dont you employ programmers, couldn’t they write a script?
Vajra
Hello Vajra,
Thank you for contacting us. Unfortunately, since everyone’s site is different, the setup will not be the same.
Are you having trouble with a specific step?
Thank you,
John-Paul
That didn’t answer my question. Because I password protected the wp-admin, does it make it difficult to update wordpress’s core files? Do I have to take off the password protection temporarily in order to update?
Hello Crystal,
Yes, the password protection can cause issues when performing backups. I recommend disabling it prior to doing one and then you can re-enable it afterwards.
Kindest Regards,
Scott M
Hi,
I altered the htaccess to password protect the wp-admin page. Will updating my wordpress core be affected in anyway?
Thank you
Hello Crystal,
Thank you for your question. I definitely recommend performing a backup before proceeding with any major modifications, such as this.
If you have a standard WordPress site (meaning; it hasn’t been greatly modified with 3rd party plugins, or custom coding), it should be okay to update.
Some Plugins/Themes modify your .htaccess file, or have existing rules. So, there may be affects based on your specific site. Most issues can be resolved with Common WordPress Troubleshooting Techniques.
Thank you,
John-Paul
Thank you Arn, that worked great
I have multiple subdomains hosted on my shared hosting. When I follow the steps above, they work, but they require me to enter that same username/password when trying to access any of my site’s wp-admin pages, not just the main site. How can I make this affect only the one main site?
Hello Phil,
The easiest way to approach this issue is to remove the current lock on the public_html folder and add the lock to the wp-admin folder. This way, anytime you access the WordPress, the password pops up when you login to the admin. It would not affect the other subdomains under the public_html.
It should ONLY apply to the WordPress site running with its files under the PUBLIC_HTML folder. If you have domain folders BELOW the WP-ADMIN folder, then they will require the password to enter.
If your other hosted sites are in separate folders OUTSIDE of the WordPress files and folders, then they should not be affected by the password protected directories setting.
If you’re using the WP mult-site installation to manage multiple domains, you won’t be able to escape the password protection as the WP-Admin is operating from a SINGLE folder (that is password protected).
I hope this helps to answer your question, please let us know if you require any further assistance.
Regards,
Arnel C.
Gregg is right. Hitting escape does that, why is that not an issue? Also doing the 2nd step to protect the wp-login.php always returns an error. ( /public_html/.htaccess)
No matter what I do. Does that .htaccess have to be empty? Because wordpress autogenerates this code :
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
I read up about it and that’s for permalinks.
Putting this code in:
ErrorDocument 401 “Denied”
ErrorDocument 403 “Denied”
<FilesMatch “wp-login.php”>
AuthType Basic
AuthName “Secure Area”
AuthUserFile “/home/example/.htpasswds/public_html/wp-admin/passwd”
require valid-user
</FilesMatch>
Returns me an internal error 500 and everything is broken.
It blocks the wp-admin just fine, it’s the wp-login that doesn’t work.
Any ideas on what can be done?
Hello Crystal,
We would love to have the steps to duplicate the Escape trick. We have tested on various browsers in both private and regular modes and do not have that issue.
As for your questions, you can place the code at the top of the normal .htaccess file that contains the WP default code. This works fine. htaccess files are processed from top down, so be sure to put the code before the WP default code.
As to the 500 error you are getting, be sure the code you copied has your cPanel username in the path instead of’ /home/example‘
Kindest Regards,
Scott M
Thanks for publishing the informative blog. Really a helpful blog.
You’re welcome! Thanks for reading.
Good post. This website is very useful.
I am very thankful to you to share this site.
Glad you find it helpful. Thanks for reading.
Thanks for sharing it which is helpful. keep it up…
Glad to help. For additional help, check out our WordPress Education Channel
thanku for writing this article and your information is very useful to us.
You’re welcome. If you are looking for more WordPress resources, check out our WordPress Education Channel.
its really helpful for improvising my skill in writing blog. such detailed information. thank you for posting it.
We’re happy to hear you found this helpful. Thank for reading.
Thank a lot for sharing this awesome blog i am beginner content writer i also have my own blog this really helps me a lot …keep posting.
Thanks for reading and taking the time to comment!
Such a sharing for good information and its helpful for me.
Thank-you
We’re glad this information was helpful. Thank you for reading and commenting.
Hi. How about using the ‘limit log in attempt’ plugin for WordPress ? Won’t it solve the problem? I use it in several of my websites .
Hello Kazi,
Yes, that is also another option. I use that plugin for my own sites as well and have had no issues.
Kindest Regards,
Scott M
This guide and the other guides located on this site…. are brilliant! I take my hat off to you Inmotion team, well done. You are all very helpful. 😀
Hey, Nice to see your article
It’s pretty Good.. I give you 9/10
The second part code is now not required after wordpress update to 4.01 as automatically the part wp admin code applied to wplogin.
Hello Mohan,
Thank you for that update. After test to make sure this is correct for documentation purposes, we will update the article.
Best Regards,
TJ Edens
Sometimes WordPress seems to me to have been designed to be insecure from the architectural level. The fact that there is not a clear partition between admin and site is just astonishing. With the admin login script wp-login.php existing in the site root and front of site plugins needing access to admin-ajax.php the ‘secure’ wp-admin folder.
There are plugins which allow login to WordPress via ajax, these make use of admin-ajax.php, so if you happen to have one of these plugins and allow access to admin-ajax.php through .htpasswd, then you are back to square one and the hackers can start to brute force you again!
Pressing escape key on login screen when trying direct wp-login.php, automatically takes you to WordPress login page with stripped ajax and graphics but still can be used to login. This can be easily built in a bot to pass on escape parameter.
So, failed my penetration testing.
Hmmm…
Hello Gregg,
If you are properly doing the steps in the options of the article above, you are preventing access BEFORE the URL is accessed, which means that the option to have a bot pass on the escape parameter wouldn’t matter. We politely disagree with you. In my tests, with the directory properly protected in cPanel, you get a warning screen saying Authorization required if you click on the escape key.
If you have any further questions or comments, please let us know.
Regards,
Arnel C.
Awesome tips Secured my 1000+ sites. The people saying that they couldn’t deploy this EASY, SIMPLE SOLITIONS should NOT be in control of wedsites. No wonder the world is getting hacked.
I followed step-by-step all your instructions for securing wp-admin directory and wp-login.php and implemented the ajax fix but the login prompt persists on every page of my website including the homepage. Could you please help me?!
Hello PatriciaV,
Sorry to hear that you’re having problems with the WordPress login. Unfortunately, you have given us no information about your account, so even if we wanted to help you we cannot do so at this point because we can’t take a look at your current efforts to see to what’s happening. Please provide us at least a domain name. If you are a customer, then a user name would also help. Also, if you can describe the exact steps you have taken when you attempted to make the changes above, we would be able to review the problem thoroughly and most likely identify the problem.
If you were previously getting blocked by the mod sec rule and you made the changes, you would still need to allow for at least 15 minutes to expire before you can try logging in again. Also, you should make sure that your browser cache has been cleared before attempting to login.
I hope this helps to answer your question, please let us know if you require any further assistance.
Regards,
Arnel C.
Secured my WP based site by reading your instructions, Thanks Jacob Nicholson
In the past, I tried password protecting the wp-admin folder because of your recommendations. While it works on some of my sites, it always breaks the WP admin (get 404). Before, if I removed the password protect through the cpanel, everything would be fine. Well, thought I’d try this again because I am getting a good number of attempted logins, but THIS TIME, not only can I not access the admin of WP (get 404 on all admin pages) even AFTER I removed the password protect on the wp-admin folder. Tried clearing all cache/cookies, restarting computer…nothing has helped.
Question #1 — how do I fix my site and be able to access the admin side of the site??
Question #2 — assuming I am idiotic enough to try password protecting the wp-admin directory again, how do I avoid/fix the 404 error issue???
Thanks!
Hello chuckz,
Thank you for your question. We are happy to help, but will need some additional information. When you edit the .htaccess file, are you keeping the basic WordPress rules in place? If not, adding the back may help.
Alternately, there maybe a Plugin/Addon affecting the .htaccess rule. You can test this by disabling them one by one, until the site breaks, to determine what is causing the trouble.
Thank you,
John-Paul
Hello, is there a code that prevent hacker to add a php.file in theme folder and modifying footer.php etc???or give a password when everyone access theme folder in cpanel??
Hello Dodee,
If someone is adding files to your folders and modifying them, they are not likely in the WP admin area, but in your hosting account itself. You will want to check out our article on Website Security to help prevent this type of intrusion.
Kindest Regards,
Scott M
Tq for your fast respons, i installed already the plugin…hope this really work…thanks..
How about protecting my wp-content and my theme folder???is this recommended by this way???the plugin that you recommend doesnt update for two years…
Hello Dodee,
The plugin has not been updated but it still works very well. To help protect your wp-content folder I would recommend a plugin called Bulletproof Security, it provides .htaccess scripting that helps protect those areas of your account.
Kindest Regards,
TJ Edens
Yeah…Finally i got it…just replace all the code given…here my web
https://bappeda.bireuenkab.go.id…is this save if i block all folders???my web hacked few days ago and no way to restore the backup, hacker inject footer.php and header.php, and there is a wpml.php (new file in theme folder)…finally i reinstalled everything…now still under maintenance….i just want to make sure that this worked
Hello Dodee,
I would not recommend blocking your folders as that will cause some issues within wordpress itself. There are many wordpress security plugins that you can install to help prevent hackers from gaining access to your dashboard. I would recommend a plugin similar to Limit Login Attempts.
Kindest Regards,
TJ Edens
i didnt got this message “You may encounter a re-direct loop at this point. If so, please ensure you’ve created the error documents mentioned earlier”, i just go to wp-login and just like usual…nothing happend….but this “AuthName “Secure Area” there was a name that i wrote before in protect wp-admin…is it right, so i remove “Secure Area” and replace with that name…
Hello Dodee,
You should only have to do that section if you are getting redirect loop errors from your browser. Can you provide your domain so we may look into the coding changes you have made thus far.
Kindest Regards,
TJ Edens
I followed the instructions in this article and now all of the links on my websote are not funtional.
The following error appears when I try to access any of the tabs in the homepage:
Error 404 – Not Found
The document you are looking for may have been removed or re-named. Please contact the web site owner for further assistance.
Hello Mser,
Sorry to hear that you’re seeing Error 404 on your webpages. Can you please provide us information about you website? If you have an account with InMotion, we can look and see what you’ve done. We need a little more information in order to determine why you’re having the problem.
Please provide with more information about the changes that you have made within your website and we would be happy to investigate it further.
Regards,
Arnel C.
Ok, it finally works! Thankyou!
Hi Jeff,
When logging into acondomgt.com/wp-admin I get: To view this page, you must log in to area “A-xxxxxxxxxxx-a” on acondomgt.com:80. After I input the name: xxxxxxxxx; password: xxxxxxxx, the worpress login page will not come up in either Safari or Chrome due to redirects. That’s the reason I can’t log into the site.
Here is cPanel info: user: xxxxx5; passwrd: xxxxxxxxxxx
Any help you can provide would be greatly appreciated.
God bless
(all login information has been removed)
Hello CK,
Sorry to hear that you’re still having a problem with the login. The issue had to do with your acondomgt.com’s .htaccess file. I have made a backup of your original file and saved it as htaccess-backup. When I removed the non-standard part of the .htaccess and left what’s normally the default entry for a WordPress site, the login page works with no problem. I’m not sure if you’re using a plugin that requires those other entries, but they are the cause of your re-direct problem. You will need to sort through those entries and decide what you want to keep or remove.
I hope this resolves the problem for you. Sorry, it took a bit to find the cause. Please let us know if you have any further questions or comments.
Regards,
Arnel C.
Yes, sorry it’s acondomgt.com.
Currently, I’m simply seeing the password insertion screen and not any other issues. If you’re not seeing that, I recommend clearing your browser cache.
If it happens after the password entry, could you provide me with your cPanel username and user/password for your protected location so that I can replicate it? All anonymous comments on this article are unapproved so only I will be able to see it.
I’m am not getting redirected to cPanel. When I try to log in toacondomgt.com/wp-admin, I get a reply “the webpage has a redirect loop” and it will not let me in. Prior to my last message, and your reply, I removed the information in .htaccess files because it didn’t work. If you’re wondering what I did originally read the the instructions above – I followed them exactly and double checked them. I do not understand how you are able to log into the site. Can you please explain?
I do not have any problems logging into Cpanel. Can you guys please help fix this mess?
It appears that the domain you referred to, toacondomgt.com, does not exist. Did you make a typo?
These were in the .htaccess file just as shown above – it didn’t work. Further, when we changed the .htaccess file in the public_html root directory as instructed we were locked out of all sites. We tried changing the .htacces files back and can’t log into the original site acondomgt.com now because of redirects. What a mess!
Hello CK,
I’m sorry you’re having problems with the login. You shouldn’t be getting redirected to get to the cPanel, but if that’s the case, you can always use the temporary URL (e.g. serverXX.inmotionhosting.com/cpanel). I actually tried it, and it did not re-direct me. I also checked your current .htaccess file and the code (that’s in red – in the instructions within the article) was not in place. I have added it. There’s currently nothing in the .htaccess file that is saved in the root of public_html folder. I also did try get into the wp-admin for acondomgt.com and the password is working the way it’s supposed to be working.
If you continue to have problems, please let me know exactly what you’re doing in the process of encountering the problem, so that I can follow your login/usage process. Sorry again for the confusion. I hope this helps to clarify the issue.
Kindest regards,
Arnel C.
I just followed these instructions and changed the .htaccess files as explained. Now, I can’t log into my site because redirects. The article says “If you get a redirect loop, make sure you have these ErrorDocument tags in your .htaccess file: ErrorDocument 401 “Denied” ErrorDocument 403 “Denied”, but doesn’t explain how to do this. I can’t find it in inmotion help. Can you please provide some assistance?
Hello CK,
Sorry to hear that you’re having problems. The instructions above that the following tags need to be in your .htaccess file:
ErrorDocument 401 “Denied”
ErrorDocument 403 “Denied”
Like the rest of these instructions, you were editing the .htaccess file in order to add this code. If you were not doing this, then you were not adding the code to the correct location. If you follow the code listed in red above, then the error codes are in place.
If you continue to have the problem, please provide us a domain name so that we can take a look at the account.
Kindest regards,
Arnel C.
Jacob,
Thanks for your reply. I have followed your instructions up through Step 11. From Step 12 on appears to apply to sites where WP is the main page of the site. In our case, our main site is in HTML with a link to our WP pages. So I left /public.html/.htaccess alone otherwise I think I would crash my main site. So did I do this correctly and if so, you might consider creating a new document for folks like us who use WP for blogging but not as our main website.
Winston
Hello Winston,
If you have WordPress simply installed in your website root in /public_html then adding the password protection code to your /public_html/.htaccess file is fine. It only sets up password protection on the wp-login.php script and wouldn’t interfere with anything else on your site.
If you have WordPress installed in a sub-directory such as /blog then you would simply place the code in your /public_html/blog/.htaccess file.
Essentially wherever your WordPress /wp-admin directory is, just go up one directory from that and copy over the code into a .htaccess file there. That way both the /wp-admin directory, as well as the script wp-login.php are both password protected.
Please let us know if you had any other questions.
– Jacob
Thanks for the explanation. Perhaps a comment that points out there are 2 instances of .htaccess might help readers decipher the process.
Hello Phil,
Thanks a lot for the suggestion, I’m always looking for feedback to make these articles as helpful as possible to the largest audience possible so that is very valuable info to have!
Thanks again, I’ll go ahead and update the article now!
– Jacob
Hello Winston,
Thanks for the suggestion, I’ve gone ahead and update step 12 in this guide to try to make it more clear that you are working with two .htaccess files.
Please let me know if you had any other ideas!
– Jacob
There is something critical missing in this article. It is not clear in Step 12 if you are suggesting that a 2nd .htaccess file be opened and edited. If that IS the case, then the content of the 2nd file located in public-html directory does not look anything like your image. You never indicated that I save the first file before switching to the 2nd file. I am a web developer not a programmer and certainly not clairvoyant. It is quite frustrating.
Hello Glenda, and thanks for your comment,
I’m always looking for feedback to ensure my guides are clear, so thank you for pointing out that this guide might need to be updated to reflect that.
On Step 12 above and Step 11 leading up to it, you are basically opening this file that the password protection you setup in all the previous steps created:
/public_html/wp-admin/.htaccess
Then as Step 12 goes on to talk about:
Copy all the code in the .htaccess file.
So you should end up with just the text in white copied, then you want to add the red code starting with ErrorDocument 401 to the top of that file and save it.
Then as Step 13 and Step 14 go on to talk about, you want to edit this file, one directory up from your /wp-admin directory:
/public_html/.htaccess
Then you paste the /public_html/wp-admin/.htaccess code you copied from that file into the /public_html/.htaccess one wrapped in <FilesMatch> tags as mentioned in Step 14.
So again, the code from Step 12 goes in /public_html/wp-admin/.htaccess
The code from Step 14 goes in /public_html/.htaccess
I hope that makes a bit more sense. I’ll look at overhauling this article today to hopefully come up with a clearer way of demonstrating what needs to take place. Possibly a video for this guide would be easier to follow, as it is a lot of steps and I see how you could get lost not working with this kind of stuff often.
If you have any specific recommendations on what might make it stand out and be a bit more obvious, please let me know!
Thanks again for your input, and sorry for the frustration!
– Jacob
Fantastic. even a can break any website person like me can follow. The only thing I would do for people like me who are following each word is to put in Step 12 a note to save the wp-admin .htaccess before going to the public one.
I am double checking everything and not touching anything you don’t tell me to touch because I easily blow up the website when I try this stuff.
Hi Jacob,
I set up a password protected WP login according to the description above about two months ago, and it was working fine. When I tried to log into my wordpress today, however, I got the secondary password pop up window, but after I entered the password, I only got an white screen with the word “Denied” rather than my regular WP login. At first I thought that I had entered the wrong password, so I went to my login URL again, but instead of the popup, I now only got the “Denied” screen right away. I tried clearing the cache and all cookies, but it’s still the same. When I tried accessing the login-link via my smartphone, I got the pop-up window, but when I entered the password this time (and this time it was definitely correct), I again got the “Denied” message.
Do you have any idea what is causing this? I have completely lost my WP login as it seems and needless to say, it’s making me quite nervous.
I am using Safari on both my computer and my phone.
Thanks a lot in advance for your help!
Best,
Christine
Hello Christine,
It looks like along with the secondary password WordPress protection, you also decided to limit WordPress admin access by IP address and I’m guessing your IP address changed which is why you were still getting the denied message.
You should just find this code in your .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ – [R=403,L]
</IfModule>
Change the 123\.123\.123\.123 IP address to your new IP address after you find out what my IP address is.
Hope that helps, please let us know if you’re still having any issues.
– Jacob
I implemented the password protection as per the instructions but now the password login is required for all pages on my website:
https://www.orcaspets.org
What did I do wrong?
Martin
Hello Martin,
Where you sure to allow admin-ajax.php requests to bypass password protection?
# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
If that’s not your problem, are you sure that you just password protected your wp-admin directory and just the wp-login.php file and not your entire /public_html directory by accident?
Please let us know.
– Jacob
Hi,
I just test, I disabled all password protection and then I just enabled protection of the wp-admin dir and all site accesses require a login/password.
Martin
Hi,
I have wordpress theme and when i trying to open wp-admin page then it automatically navigate to cpanel. i already take a look in wp-config file. but there are all well.
This system is working properly in local machine. but when i upload it in server then it will navigate to cpanel automatically.
So can any one have idea that how to solve it?
Thanks
Hello naimish,
Thank you for your question. We are happy to help, but will need some additional information. Can you provide a link to the site having the problem?
Have you tried renaming your .htaccess file, for example to: .htaccess.old
Then refresh your website and test it again. If it loads, most likely a rule within your .htaccess file is causing the problem.
Do you have any redirects setup in cPanel?
If you have any further questions, feel free to post them below.
Thank you,
-John-Paul
Hi
This is a very useful security enhancement so thank you very much indeed. Alas, I appear to have made a mistake which I’d be very grateful for help in rectifying.
With ref to your instructions, I would appear to have actioned Steps 4 – 7 TWICE.
The effect of this is that I now have to enter the username & password TWICE on the authenication required screen whilst attempting to login into administration on my site. (using the same user name & password TWICE).
The second more serious effect is that the authenication screen appears when accessing the site normally (ie I type the domain name kernowdirectmarketing.co.uk into my browser). It clears once the user name & password is entered ONCE but I really don’t don’t this to appear for my site visitors.
How do I fix this ? (ie remove the duplicated password protection ?) Is it simply a case of removing the code I copied into the two htaccess files and starting again ?
As I’m not entirely sure what I’m doing, I don’t want to experiment here for fear of dire consequences.
Thanking you in anticipation and apologies for my stupidity
With regards
Kevin
If you did this multiple times, simply remove the second entry. You could also remove it in its entirety and start again if you prefer to do so.
HI Jacob,
thanks for the great article! really appreciate it. I am using optimizepress theme and I can’t do step 14. the htacess php file does not have …filesmatch… tag.
What should i do? thank you. the php access file is as follows
# BEGIN optimizeMember GZIP exclusions
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (^|\?|&)optimizemember_file_download\=.+
RewriteRule .* – [E=no-gzip:1]
</IfModule>
# END optimizeMember GZIP exclusions
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Hello oxygn,
You will simply need to add the FilesMatch tags as well.
Kindest Regards,
Scott M
Isn’t it easier to use htaccess and htpasswd to protect login page ?
Hello Jarek,
Thank you for contacting us. While this is an easy method to use, it depends on your skill level.
Following this guide will help you setup the “htaccess and htpasswd” protection on your WordPress site.
If you have any further questions, feel free to post them below.
Thank you,
-John-Paul
Hi,
Thanks for your helpful post, but i still get re-direct loop.
Plz help me
Thanks samuel,
Glad we were able to assist you!
If you have any further questions, feel free to post them below.
Thank you,
-John-Paul
Hello Tuan,
The redirect loop error is explained in this section of the guide.
If you are still having problems after following the guide, we are happy to help, but please provide more details, such as any 3rd party plugins you are using.
If you have any further questions, feel free to post them below.
Thank you,
-John-Paul
dude i tried so many ways and finnally yours is wordking !! thank you so much !! 🙂
Hey, such a great article!
Just I’ve faced with a small problem and I hope somebody help me to solve it. After I applied all the above instruction, everything works fine but I’m getting this authentication in the homepage too! when cancel, website will come up but at the first, the username& pass box is appearing..
what should I do with it?
Thanks,
Hey Shahrooz, and thanks for your comment!
If you’ve followed the steps in this article and you’re getting the password prompt when just accessing your main site. This is typically an indication of a WordPress plugin trying to still access something in your /wp-admin directory, or your wp-login.php script directly.
Were you sure to copy the bit of the .htaccess code towards the top that allowed access to the /wp-admin/admin-ajax.php script that some plugins still need?
If you do have that, and you’re still having this problem, it would be something I haven’t encountered before so would have to take a closer look for you.
You might have noticed when you first post a comment here it doesn’t go live, this is because we first have to approve it for the public. So if you’d like to respond with your domain name you’re having these issues on, I can go ahead and take a look for you, then remove your domain for privacy before approving the comment for the public and responding to you.
Please let us know if you had any other questions at all!
– Jacob
I have done everything the instructions say, this is the second time I have had to protect myself from the brute force attact. I have a problem, I am using Word Press and when I get to step 14 I already have code from the first hack fix:
# To set your custom php.ini, add the following line to this file: # suphp_configpath /home/yourusername/path/to/php.ini # BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> # END WordPressSo I don’t have any <File Match> words to place my code. What do I need to add to my wp-admin .htaccess file to get this solution fixed please sir? I haven’t been able to login all night? I am temporarly disabled not just blocked for 15-20 minutes!!!???
Hello Andrea, sorry for the issues.
It looks like not all of the steps from this guide were followed on your account and that’s why our internal security rules unfortunately blocked your access again.
As mentioned in Step 12:
Copy all the code in the .htaccess file.
While you still have the /wp-admin/.htaccess file open, also go ahead and add the code in red:
ErrorDocument 401 “Denied”
ErrorDocument 403 “Denied”
# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
AuthType Basic
AuthName “Secure Area”
AuthUserFile “/home/example/.htpasswds/public_html/wp-admin/passwd”
require valid-user
Then Step 13 tells you to get to your /public_html/.htaccess file and Step 14 explains:
Now paste the .htaccess code you copied, in-between some <FilesMatch> tags, so that it ends up looking like this:
ErrorDocument 401 “Denied”
ErrorDocument 403 “Denied”
<FilesMatch “wp-login.php”>
AuthType Basic
AuthName “Secure Area”
AuthUserFile “/home/example/.htpasswds/public_html/wp-admin/passwd”
require valid-user
</FilesMatch>
Then click on Save Changes up at the top-right.
You have to actually create the <FilesMatch “wp-login.php”> lines yourself and just paste in the code you got from the /wp-admin/.htaccess file after creating the password protected directory.
I went ahead and followed these steps for you. Please let us know if you continue to have any issues.
– Jacob
i’ve followed the intstuctions and am still getting “WordPress Login Temporarily Disabled page
Hello Chris,
Be sure you have cleared your browser cache. Also, if you had the block prior to implementing the instructions above, the lockout will continue until it is done. From there you should be fine. The instructions will work, so if you get re-blocked you will want to go through again to ensure all steps are implemented.
Kindest Regards,
Scott M