In this article, I’ll show you how to lock down and password protect your WordPress website. We’ll do this by limiting access to the /wp-admin directory and the wp-login.php script. Using these methods you will be able to help prevent unauthorized WordPress Administrator login attempts.
Looking for a secure WordPress host? Look no further than InMotion’s WordPress hosting solutions!
Password Protect WordPress Logins
Using the steps below, I’ll show you how to create password protection for your /wp-admin directory. We’ll also copy those rules over to protect your wp-login.php script to keep WordPress as safe as possible.
Setting Privacy on the wp-admin Folder
You will first need to use the cPanel to password protect directories in your account. This process will allow you to create authorized users who can access your WordPress Administrator dashboard.
- Log into cPanel.
- Go to the Files section and click on Directory Privacy.
- Click the Settings button.
- Click on the text, not the folder icon, for your wp-admin directory.
- Check Password protect this directory, give it a name, then click Save.
- Now click on Go Back.
- Under the Create User section, input a user name and then click on the Password Generator. Make sure that you record any password that you create.
- You will be required to type the password twice. When you’re done make sure that you click on the Save button.
Note that your user is then added to an Authorized user section. You can add more than one user. Carefully consider the users that will need to access the directory before adding multiple users. Always make sure that each user is using a strong password.
- Once you have your users set, click on the checkbox that is labeled Password protect this directory located above the Create User section.
This immediately blocks directory access for anyone who is not an authorized user. Only the users you added as authorized users can reach the directory, and only if they know the password.
If you get a redirect loop, make sure you have these ErrorDocument tags in your .htaccess file:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
Please also make sure to allow /wp-admin/admin-ajax.php requests without password protection.
At this point, if you try to access the WordPress Administrator dashboard, you will be asked for a user name and password before anything else loads.
You will need to use the authorized user and password you created to proceed beyond this point. The password applies when access to the wp-admin directory is attempted.
Once you have entered the authorized user name and password, then the normal WordPress login will appear.
- Now go back to cPanel and go into the File Manager.
- Click the Settings button.
- Then select the Document Root for your domain, and check Show Hidden Files (dotfiles). Finally, click Save. Note that for InMotion Hosting accounts, the default document root is typically, “public_html.”
- Expand the document root so that you see all of the files and folders underneath it. Find the wp-admin folder and select it.
- Select the .htaccess file and copy its contents.
- Next, go to the file manager and select the document root folder for your site. Find and open the .htaccess file. Yes, there are multiple .htaccess files. This one applies to all the directories under your document root.
- Paste in the code you copied from the .htaccess file in the wp-admin folder. The code should look like this:
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/root-directory/wp-admin/passwd"
require valid-user
Note: "root-directory" should be the directory where you installed WordPress.
- Additionally, add this code at the top of your .htaccess file:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
- Save your changes!
Allow Plugin Access to admin-ajax.php Around Password Protection
Next, we're going to add a little more code to both .htaccess files so that Ajax requests from plugins to admin-ajax.php bypass the password prompt; otherwise you would have to type the password every time a plugin calls the WordPress application.
- As before, open up your .htaccess file. This will be the .htaccess file in your document root folder.
- Add the following code:
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
- Make sure to save your changes.
- Once you’re done you’re going to repeat the same process but for the .htaccess file within your wp-admin folder.
Code Review
You should now have a /wp-admin/.htaccess file that password protects the /wp-admin directory. You then copied that same password protection into your main .htaccess file, so that it also password protects the wp-login.php script directly. The code also includes the ErrorDocument lines and the exception that lets plugins reach the admin area through Ajax.
Just to be clear, the code you added to your .htaccess files should look like this:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/root-directory/wp-admin/passwd"
require valid-user
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
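As an added check that is not part of the article or of cPanel's own tooling: the Python script below parses the two .htaccess files this article builds (the document-root file with the ErrorDocument lines, the FilesMatch block for wp-login.php and the admin-ajax.php exception; and the wp-admin/.htaccess file with the top-level Auth directives) and reports the mistakes that most often creep in when these lines are copied from a web page: curly quotes, HTML residue such as ="" on the FilesMatch tag, a missing </FilesMatch>, a relative AuthUserFile path and a missing admin-ajax.php exception. The sample files in the script are constructed from the listings above, with the article's example paths. For the document-root file it also flags a require directive outside the FilesMatch block, because a top-level require valid-user in that file challenges every URL under the document root, not only the login script. It is a static sanity check only; it does not replace loading the site in a browser after saving.

```python
"""Static sanity checks for the .htaccess files built in this article (added example)."""
import re
from typing import Dict, List, Optional, Tuple

OPEN_RE = re.compile(r"^<([A-Za-z]+)\s+(.+)>$")   # <Files x> / <FilesMatch "x">
CLOSE_RE = re.compile(r"^</([A-Za-z]+)>$")          # </Files> / </FilesMatch>
AUTH_DIRECTIVES = ("AuthType Basic", "AuthName", "AuthUserFile", "require valid-user")

# Constructed sample: the document-root .htaccess from the Code Review listing.
ROOT_HTACCESS = """\
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
"""

# Constructed sample: the wp-admin/.htaccess file (top-level Auth directives).
WPADMIN_HTACCESS = """\
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
"""

# Constructed sample of a bad paste: curly quotes (\u201c \u201d), HTML residue
# on the FilesMatch tag, no closing tag, relative AuthUserFile, no Ajax exception.
BROKEN_ROOT_HTACCESS = """\
ErrorDocument 401 \u201cDenied\u201d
ErrorDocument 403 "Denied"
<FilesMatch "wp-login.php"="">
AuthType Basic
AuthName "Secure Area"
AuthUserFile ".htpasswds/wp-admin/passwd"
require valid-user
"""


def _parse(text: str, problems: List[str]) -> Dict[Optional[str], List[str]]:
    """Group directives by enclosing container (None = top level); record curly
    quotes, HTML residue in container tags and unbalanced containers."""
    blocks: Dict[Optional[str], List[str]] = {None: []}
    stack: List[Tuple[str, str]] = []
    for n, raw in enumerate(text.splitlines(), 1):
        ln = raw.strip()
        if not ln or ln.startswith("#"):
            continue
        if "\u201c" in ln or "\u201d" in ln:
            problems.append(f"line {n}: curly quotes; Apache only understands straight quotes")
        m = CLOSE_RE.match(ln)
        if m:
            if stack and stack[-1][0].lower() == m.group(1).lower():
                stack.pop()
            else:
                problems.append(f"line {n}: unexpected </{m.group(1)}>")
            continue
        m = OPEN_RE.match(ln)
        if m:
            name, arg = m.group(1), m.group(2).strip()
            if "=" in arg:  # e.g. <FilesMatch "wp-login.php"=""> copied from a web page
                problems.append(f"line {n}: HTML residue in <{name}> tag")
                arg = arg.split("=", 1)[0]
            key = arg.strip('"').lower()
            stack.append((name, key))
            blocks.setdefault(key, [])
            continue
        blocks[stack[-1][1] if stack else None].append(ln)
    for name, key in stack:
        problems.append(f"<{name} {key}> is never closed")
    return blocks


def _check_auth(directives: List[str], scope: str, problems: List[str]) -> None:
    """All four Basic-auth directives present, and AuthUserFile is an absolute path."""
    for want in AUTH_DIRECTIVES:
        if not any(ln.lower().startswith(want.lower()) for ln in directives):
            problems.append(f"{scope}: missing '{want}'")
    for ln in directives:
        if ln.lower().startswith("authuserfile"):
            parts = ln.split(None, 1)
            path = parts[1].strip().strip('"') if len(parts) > 1 else ""
            if not path.startswith("/"):
                problems.append(f"{scope}: AuthUserFile must be an absolute path, got {path!r}")


def check_htaccess(text: str, scope: str) -> List[str]:
    """scope is 'root' (document-root .htaccess) or 'wp-admin' (wp-admin/.htaccess).
    Returns the problems found; an empty list means every check passed."""
    problems: List[str] = []
    blocks = _parse(text, problems)
    top = blocks[None]
    if scope == "root":
        for code in ("401", "403"):
            if not any(re.match(rf"ErrorDocument\s+{code}\b", ln, re.I) for ln in top):
                problems.append(f"missing 'ErrorDocument {code}' (needed to avoid the redirect loop)")
        login = blocks.get("wp-login.php")
        if login is None:
            problems.append('no <FilesMatch "wp-login.php"> container: wp-login.php is unprotected')
        else:
            _check_auth(login, "wp-login.php block", problems)
        if any(ln.lower().startswith("require ") for ln in top):
            problems.append("top-level 'require' in the document root challenges every URL on the site")
    elif scope == "wp-admin":
        _check_auth(top, "wp-admin top level", problems)
    else:
        raise ValueError("scope must be 'root' or 'wp-admin'")
    ajax = blocks.get("admin-ajax.php")
    if ajax is None:
        problems.append("no <Files admin-ajax.php> exception: plugins will hit the password prompt")
    elif not any(ln.lower() == "satisfy any" for ln in ajax):
        problems.append("admin-ajax.php block lacks 'Satisfy any'")
    return problems


if __name__ == "__main__":
    for label, sample, scope in (("root", ROOT_HTACCESS, "root"),
                                 ("wp-admin", WPADMIN_HTACCESS, "wp-admin"),
                                 ("broken root", BROKEN_ROOT_HTACCESS, "root")):
        print(f"{label}: {check_htaccess(sample, scope) or 'OK'}")
```

To check your real files, read them with `open(path).read()` and pass the text with the matching scope; anything the script prints for the two good samples is empty, while the broken sample yields five findings.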
Congratulations! Your WP-Admin area is now shielded from unauthorized users. To learn more about WordPress, check out our WordPress Education Channel.