Beginner's Guide for WordPress - Start your WordPress Blog in minutes.
Choosing the Best
WordPress Hosting
How to Easily
Install WordPress
WordPress Plugins
View all Guides

How to Password Protect Your WordPress Admin (wp-admin) Directory

Last updated on by
Special WordPress Hosting offer for WPBeginner Readers
How to Password Protect Your WordPress Admin (wp-admin) Directory

As you read the title, you are probably wondering isn’t the wp-admin directory already password protected. You are required to login right. Well that is true, but to add an additional layer of security popular sites often add an extra layer of authentication. Few days ago, we started seeing some suspicious activity on WPBeginner, so our host HostGator advised us to password protect our WordPress admin directory. Apparently popular sites like Mashable do the same. In this article, we will show you a step by step guide on how to password protect your WordPress admin (wp-admin) directory.

To keep things easy and simple, we will only cover cPanel web hosting companies here just because cPanel has an easy enough interface to add password protected directories.

Login to your cPanel. Scroll down till you see the Security Tab. Click on the “Password Protect Directories” icon.

Password Protect Directories

When you click on that, a lightbox popup will show up asking for directory location. Just click on web root. Once you are there, navigate to the folder where your WordPress is hosted. Then click on the /wp-admin/ folder. You will see a screen like this:

Security Settings for a Folder

Simply check the box to password protect the directory. Then create a user for the directory. That is it. Now when you try to access your wp-admin directory, you should see an authentication required box like this:

Authentication Required

Manual Method

First create a .htpasswds file. You can do so easily by using this generator. Upload this file outside your /public_html/ directory. A good path would be:


Then, create a .htaccess file and upload it in /wp-admin/ directory. Then add the following codes in there:

AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user putyourusernamehere

You must update your username in there. Also don’t forget to update the AuthUserFile location path.

I have a 404 Error or a Too many redirects error

Well this can happen depending on how your server is configured. To fix this issue, open your main WordPress .htaccess file and add the following code there before the WordPress rules start.

ErrorDocument 401 default

Well there you have it. Now you have double authentication for your WordPress admin area. This is a good alternative to limiting wp-admin access by IP address.

Update: Here is how to fix the Admin Ajax Issue

If you password protect your WordPress Admin directory, then it will break the Ajax functionality in the front-end (if it is being used). In our case, we don’t have any plugins that is using ajax in the front-end. But if you do, then here is how you fix that issue.

Open the .htaccess file located in your /wp-admin/ folder (This is NOT the main .htaccess file that we edited above).

In the wp-admin .htaccess file, paste the following code:

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any 

Source: Sivel

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Page maintained by Syed Balkhi.

WPBeginner's Video Icon
Our HD-Quality tutorial videos for WordPress Beginners will teach you how to use WordPress to create and manage your own website in about an hour. Get started now »


  1. paras arora says:

    sir actually i have changed my admin directory from to …how to password protect it now

  2. Clecio says:

    Thank you !

  3. Sarah says:

    Thanks for this valuable info.I have question I want to setup limit login Attempts if users fails 1st time then try after 24 hrs latter how to I make this on cpanel?

  4. RJ says:

    Hi there I do password protect my wp-admin directory and I did add that code to my htaccess …but…it is still asking for authorization.

    Any suggestions?

  5. Sacha says:

    Thanks for the tip! :)

  6. dipesh says:

    i dont ve set password for wp-admin folder but still it shows authorization dialog .
    how to solve the issue,

  7. Fabio says:

    Hello, after the first login in wp-admin I got 500 “Internal Server Error”…


    • Fabio says:

      Solved, the problem was in server configuration

      • Gaurav Agrawal says:

        Hi, I am also facing the same problem. May I know what are the changes that have to be done in server configuration?

        Please let me know as soon as possible.

  8. Cjay says:

    I recently added password protected my “wp-admin” directory and my “wp-includes” directory. Now each time i try to access my “wp-admin” page with it’s username and password that i created i get to dialogue box popping up for me to enter the username and password for that of the “wp-includes” directory before signing in to the main wordpress admin page.

    Have you encountered such issue with wordpress before?

  9. Lissa says:

    Thanx so much for this! After an extended break from blogging I installed a new blog today and as soon as I password protected the admin directory I got the redirect error. This fix worked flawlessly :)

  10. abey says:

    After setting this security. Server always ask for password with a popup even in a user visit the site home page. Is there any way to overcome this.

    • Abhimanyu says:

      This gets resolved once you add the htaccess entry for admin-ajax.php. Follow the tutorial section towards the end.

  11. Mariah Zuzuvecha says:

    You saved me a lot of time .
    I was looking arrange the problem and you post save me !
    thanks again ¡

  12. ece says:

    There is no htaccess file in my wp-admin folder! There is only one in var/www
    How do I fix the Ajax problem?

  13. Ricardo says:

    It’s a good method but the problem is that regular users can’t recover their password if they click on “Lost your password?” link (/wp-login.php?action=lostpassword).

    How could I prevent that?

  14. Daniel Papenfuß says:

    Hey Bro,

    your hint for the ajax file helped me a lot – thx for that :)


  15. ajakayetolu says:

    I recently install wordpress but mydomain/wp-admin/ keeps asking for username and password despite inputing the correct password and username its just as if it is refreshing itself.

  16. 【Ƿ】 Fran Kee says:

    Good Tutorial. While admin-ajax.php might need extra enabling,
    there is one file on one level up (WP root level), that imho deserves extra disabling:

    require user

    Unless you truly have a blog where regular readers obtain WP accounts for commenting or such, this is not necessary. Extra-htpasswd-protecting this makes brute-forcing of WP accounts harder…

  17. Jeff says:

    Thanks! You just saved me a lot of time with that AJAX fix. I was looking everywhere and couldn’t figure out the problem!

  18. dylanatstrumble says:


    I have tried putting the ErrorDocument 401 default in many places in the main .htaccess file to no avail

    I am running W3 Total Cache and the first chunk of the code relates to that

    I have put it before the W3 code which results in a 500, I have tried putting it after the W3 code # END W3TC just before the # BEGIN WordPress

    I get a 500 there as well

    If only this would work, I would be a happy camper

    Hosted by Go Daddy and creating the protected folder via CPanel

    I am putting off calling Go Daddy for the fourth time. as on this particular issue, they have not been at their best

    Thanks in advance

  19. WPBeginner Staff says:

    Are you certain that you are entering the correct username and password?

Add a Comment

We're glad you have chosen to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and all links are nofollow. Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.