As you read the title, you are probably wondering isn’t the wp-admin directory already password protected. You are required to login right. Well that is true, but to add an additional layer of security popular sites often add an extra layer of authentication. Few days ago, we started seeing some suspicious activity on WPBeginner, so our host HostGator advised us to password protect our WordPress admin directory. Apparently popular sites like Mashable do the same. In this article, we will show you a step by step guide on how to password protect your WordPress admin (wp-admin) directory.
To keep things easy and simple, we will only cover cPanel web hosting companies here just because cPanel has an easy enough interface to add password protected directories.
Login to your cPanel. Scroll down till you see the Security Tab. Click on the “Password Protect Directories” icon.
When you click on that, a lightbox popup will show up asking for directory location. Just click on web root. Once you are there, navigate to the folder where your WordPress is hosted. Then click on the /wp-admin/ folder. You will see a screen like this:
Simply check the box to password protect the directory. Then create a user for the directory. That is it. Now when you try to access your wp-admin directory, you should see an authentication required box like this:
Manual Method
First create a .htpasswds file. You can do so easily by using this generator. Upload this file outside your /public_html/ directory. A good path would be:
home/user/.htpasswds/public_html/wp-admin/passwd/
Then, create a .htaccess file and upload it in /wp-admin/ directory. Then add the following codes in there:
AuthName "Admins Only" AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd AuthGroupFile /dev/null AuthType basic require user putyourusernamehere
You must update your username in there. Also don’t forget to update the AuthUserFile location path.
I have a 404 Error or a Too many redirects error
Well this can happen depending on how your server is configured. To fix this issue, open your main WordPress .htaccess file and add the following code there before the WordPress rules start.
ErrorDocument 401 default
Well there you have it. Now you have double authentication for your WordPress admin area. This is a good alternative to limiting wp-admin access by IP address.
Update: Here is how to fix the Admin Ajax Issue
If you password protect your WordPress Admin directory, then it will break the Ajax functionality in the front-end (if it is being used). In our case, we don’t have any plugins that is using ajax in the front-end. But if you do, then here is how you fix that issue.
Open the .htaccess file located in your /wp-admin/ folder (This is NOT the main .htaccess file that we edited above).
In the wp-admin .htaccess file, paste the following code:
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Source: Sivel
Hi,
Thank You very much for your article.
I was trying to add an additional login layer to wp-admin folder and was redirecting to – Too many redirects error -.
I searched a lot in Google and came across your article. This really helped me solve this issue.
Thank you once again.
it works well
but there is one problem .
when normal users Login and wants to go to dashboard and change some info like picture profile they must answer this user password too !!
is there any chance to set this protected folder for only admin or ignore it for normal users dashboard ?
No. You would have to do it for all users.
So , If i use this for All users , it means all users must have my USer, password for Protected Folder !!
so anyone can register and Anyone must have this user , password then any hacker can register as User in my site and get this user & pass !!
So Protecting Wp-admin is useful for only sites with one Admin or with some Special Users to share this user password …
You can create multiple users in .htpswd. You would have to use what is called a group.
ooohhh men thanks for your help :
ErrorDocument 401 default
works perfect !!!!!
Thanks for the tips. I have implemented password protection of Wp-Admin directory and also have added double authentication using Google Authenticator. It seems to work fine.
I recently migrated to a new host (Bluehost) and set up my WordPress site.
I have installed Wordfence security plugin. The configuration of the plugin is such that every time somebody logs in(including myself), I get an email alert. And also, if somebody attempts a login with an invalid username, then it locks out that IP Address for 10 minutes and sends an email notifying me that there has been a failed attempt to login.
Considering that I have password protected my Wp-admin directory, unless someone knows the user and and password for it, they cannot reach wp-admin or wp-login to attempt a login to my wordpress.
But last night I got few emails from Wordfence citing that there have been lock out of few IP Addresses for having made failed attempts to logon to WordPress using invalid usernames (like admin, Admin or nishant). Is it possible to bypass server side password protection of wp-admin directory and make an attempt to logon to WordPress?
Nishant
Also, I just noticed that…
When I use the URL directly to wp-login, i am shown the window of server side password for wp-admin directory. But when I click cancel on that password window(2 to 3 times), it displays the wp-login page!
But when the url is wp-admin, then when clickign cancel it displays “401 Authorization Required
Invalid login credentials!”
And the log files showed the invalid attmepts to login were tryign to access wp-login.php directly.
Yes wp-login.php is still accessible. But even if they get the right password, they won’t be able to see it. You can also use the same technique and password protect your wp-login.php file individually.
Dear author,
I am convinced I followed all of your directives, yet still I get the Firefox “endless loop” notification. This is what I did so far:
- I made a .htpasswds file in /.htpasswds/public_html/wp-admin/passwd (CHMOD 664)
- I made a .htaccess file with a generated hash / username and put it in /public_html/wp-admin
- I inserted the line ErrorDocument 401 default before all code into my main .htaccess file in /public_html
Could you please guide me to solving this problem. My main questions are:
- you say “make a file called ‘.htpasswds’ “. Is this in fact the correct filename ? I mean, with the s at the end included?
- exactly what path do I need to specify in my .htaccess file in my /public_html/wp-admin folder? Currently it says “AuthUserFile /.htpasswds/public_html/wp-admin/passwd” I’m not sure I’m doing this part right…
I’m looking forward to some clarification here…I have been wrestling with this a couple of hours now and I figure it shouldn’t be THAT hard?
Thank you very much in advance…if you require any more info I’m more than happy to provide it. Kind regards,
Bart
What type of hosting are you on? Do you have a cPanel web host? Can you try using the cPanel method to generate the htpswd file?
It’s really hard to tell what is going wrong because we wrote down the exact same thing that we did on our site.
I’d like to ask you guys a question: did it ever happen to you to have admin folder password protected and to be asked for authentication for EVERY post you read on your blog? It does happen with one of my blogs. I was wondering if it’s not better to protect the admin login with Google Authenticator or something similar instead…
If you are being asked to authenticate every single time, then one of the two is happening:
1. You pasted the .htaccess info in your main .htaccess file and not in the .htaccess file in the /wp-admin/ folder.
2. admin-ajax.php file is being loaded on the front-end. You need to add the rule to prevent that from being password protected. We have mentioned the fix for that.
Lastly, yes we have 3 layers of protection for our admin. IP match (if that doesn’t match, then the .htaccess password), and then there is Google Authenticator. We also have limit login attempts activated as well.
Sucuri also does a pretty good job at blocking other attacks.
i tried this method, but getting an error ” Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects. ”
How to fix this ???
The article has a section about that. Did that not fix this issue?
Yes, I fixed It. thanks for the tutorial.
Hi there.
I try to implement this protection. I tried the two solutions (manual and form the admin panel of my host). In both case, the .htacess is in the wp-admin folder, but the pop-up appears on every page.
Any idea where does that come from ?
Thanks
That is an unlikely behavior. Without looking at the specific situation, we can’t tell you why it is doing that. We do know that by following this tutorial as it is written, you should be able to make it work. We have it running on WPBeginner.
I just had the same problem with the pop-up appearing on almost every page on my wordpress website.
It turns out that on the pages where it was showing up, a wp-admin resource, in this case something from a plugin, was being pulled in and that seems to have triggered the pop up. I’ve since disabled the plugin and the password pop up no longer shows up on those pages.
So, I’d open the source and search for wp-admin to see what’s causing the pop up to appear.
The most common file that is loaded is admin-ajax.php, and we already covered that. If a plugin is loading another file, then yes you have to account for that.
I followed up as you said.
I protected my wp-admin directory and It’s working for login but the same popup is always coming out while navigating through site ????
This means that you have the code in the wrong .htaccess file. You need to create a brand new .htaccess file in your /wp-admin/ folder. It sounds like that you pasted the code in your main .htaccess file.
Hi,
I followed the suggestion found on your site. I created password from cpanel on the wp-admin folder and it done ok for admin login page but on every link that I click in the website, a popup will appear asking for identification. Everything is alright when I clicked cancel.
Do you know what is the issue with it?
I used the ErrorDocument 401 default on main .htaccees too.
Thanks
Can you please verify that the password protect thing is in a separate .htaccess file in your wp-admin folder?
I tried it and I got no window just a 404 error( too many http directs).
And I was blocked out of everything until I disabled the password. What gives?
Did you do the .htaccess trick we mentioned in the article which fixes the 404 error.
Thanks for the excellent help on wpbeginner!
I edited my .htaccess root file (to put the errordocument rule), and the pop-up worked well, but all my post links gives me a 404 error. I think that is a rewrite rule problem
Thanks
Go to your Settings > Permalinks. Just click save and hopefully that will solve the issue.
the permalink refresh worked! thanks, you saved me from many headaches..!
Really helpful info thanks, I just had a breach apparently, 3 files we added to my WordPress install. 1into wp-admin, 1 to wp-admin/images and 1 to wp-includes.
All were php files. One of them had base 64 encoded crap in it.
Will setup the htaccess in wp-admin, and limit login attempts plugin seems to provide done nice info.
Oh I was able to notice the files that were added to my install because WordPress file monitor plugin alerted me.
Hi,
I followed the suggestion found on the internet on how to secure wp-admin folder. I created a .htacess to password protect the folder. However after implementing it, on every link that I click in the website, a popup will appear asking for identification. Everything is alright when I clicked cancel. Do you know what is the issue with it? I want to secure my wp-admin folder but I don’t want the popup on all pages/links. Currently using Mayashop theme and woocommerce plugin only.
Thanks
Below is my sample of .htacess
Order allow,deny
Allow from all
Satisfy any
Order allow,deny
Allow from all
Satisfy any
Order allow,deny
Allow from all
Satisfy any
AuthType Basic
AuthName “Admin Only”
AuthUserFile “(myurl)/.htpasswds/public_html/wp-admin/passwd”
require valid-user
If your .htaccess file is in your /wp-admin/ then this shouldn’t happen. Unless you are loading WordPress admin assets on your front-end.
Well the .htaccess file is in wp-admin folder. I changed the theme back to twentyeleven and everything works fine. Only on the other theme, the authorisation required pops out on all pages/links.
I added below line and everything seems alright but when I got to url/wp-admin, it shows Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects. What is the reason?
Files ~ “\.(php)$”
Order allow,deny
Allow from all
Satisfy any
Files
Did you read the part of the article that talks about that error specifically?
Hi, I manage to solve it after a clean wordpress install. problem is I am now unable to create contact form as it will direct me to error 404 and when i activate xcloner plugin, it also redirect me to error 404.
Any help?
I have password protected wp-admin. But inspite of this someone is able to bruteforce on my blog. What may be the possible reason for this?
How do you know that they brute-forced and logged-in to your wp-admin? This sounds really suspicious. Often when this happens, the user has a backdoor in place.
I had got too many redirects loop and just adding this code
ErrorDocument 401 default
in .httaccess fixed the problem.
ErrorDocument 401 default saved my life
I use Cpanel and went through how it was to be set up and did that, also the user and passwor.
However, what I found out after hours of frustration is that the main .htaccess must have this added: ErrorDocument 401 default
If you add that only to the main .htaccess file it all works. at top before the begin wordpress your world will be much more relaxed. Thats after you set protect directory in cpanel
Thanks, used you page with a little twiking and its works great.
I’m getting so discouraged. My site hacked after only 2 days of being up! The amount of steps needed to take to protect the site is overwhelming, and then they still can get in…
And every “authority” seems to have a different opinion or approach or favorite plugins… my head is spinning…can you please give a basic numbered run down of steps to take to keep from getting hacked…including cpanel, backend wp, and any other things you might think helpful…and hopefully steps that don’t require an A+ cert….thanks man!
We really apologize for the experience you have had so far. Speaking from this moment, there are no known security issues in the WordPress core. So if you are using the most up to date version of WordPress, then that is good. Often the security issues are with poorly coded plugin and themes. Before you can secure your site, you have to clean it up. Sometimes, changing your passwords and adding all these measures are not enough. Because the hackers can leave backdoor access files which gives them shell access to your server. We highly recommend that you start using Sucuri and have regular backups.
http://www.wpbeginner.com/opinion/reasons-why-we-use-sucuri-to-improve-wordpress-security/
Make sure to keep your plugins and core files updated at all times. Don’t use plugin/themes from untrusted sources. WordPress has become the Windows of our time. Because there are so many sites using it, hackers have the motivation to find the exploits in plugins, themes etc.
We will work on creating a comprehensive tutorial on security.
I password protected my wp-admin on my sites but I was still getting lockout notices from lilmit login plugin. How could that be?
I then noticed if I type in /wp-login.php? instead and then cancel I can get to the login page. Uggggh. Makes me wonder what other workarounds there are that I don’t know of.
You should consider adding this trick as well.
http://www.wpbeginner.com/wp-tutorials/how-to-limit-access-by-ip-to-your-wp-login-php-file-in-wordpress/
THE SOLUTION FROM HOSTGATOR
It appears that a security plugin had added a rewrite to the .htaccess file within wp-admin/ for your account. This was causing the site to redirect to itself causing a redirect loop.
I have corrected the issue with .htaccess file and your wp-admin login page is loading correctly at this time.
If you have any other questions or concerns please let us know.
Sincerely,
Preston M.
Linux Systems Administrator
HostGator.com LLC
Had a host gator technician working half an hour on the 404 error issue. He could not resolve it.
He even removed all rewrite rules in the public_html/.htaccess
Still having “Too many redirects” error
The page isn’t redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept
cookies.
BUT I added:
“Redirect 301 /tag/tax/ http://snbchf.com/tag/taxes/
Redirect 301 /tag/interest-rate/ http://snbchf.com/tag/academical/
Redirect 301 /tag/chf-flows-floor-ubs/ http://snbchf.com
Redirect 301 /tag/boom/ http://snbchf.com
RewriteEngine on
ErrorDocument 401 default”
to my .htaccess in the public_html directory.
(tried also to put “ErrorDocument 401 default” at the start)
Its a great way to protect wp-admin directory. I was using it for long time but when I installed commentluv, I had to uninstall it as it was not able to work properly.
Do you happen to know any workaround ?
Just updated the article. Try that
Thanks, commentluv now works fine
FYI, I’ve seen this break plugins that use ajax on the front end by calling the wp-admin/admin-ajax.php.
Yes that is true. We weren’t using any plugin that was making that call. However, you can add an exception for that file in the .htaccess.
I am not sure what cpanel does but adding a simple htpasswd will get you the same result.
Well, you can add a htpasswd. But you would also have to create a .htaccess rule in wp-admin directory to specify that you are locking the directory. Then specify the user or usergroup that is allowed etc. This basically helps us simplify the process.
The above tutorial is in fact adding security with .htpassword and .htaccess via a user friendly interface in cPanel. After you’ve done the above you’ll notice a .httpassword file has been generated outside your server root (for security reasons) and within the file you’ll find the info you’ve enered as per this tutorial.
On every WP site I have, on my very first login after setup, I create another admin account with a name for which I use a formula to construct — and a very strong, computer-generated password. I then long out, and then login to the alternate admin account, and reduce the standard admin username to “no role for this site” and set a computer-generated password that is at least 35 characters long. I don’t bother to save that password anywhere. It’s now only a honeypot.
Then I install the “limit login attempts” plugin. Any time that gets tripped, I add the offending IP address to my deny list in .htaccess to make sure that IP can’t reach my site.
I trap 3 or 4 attempts to break into admin every week.
Yes we had that too. There comes a point when attacks are bouncing IPs. Banning a huge range of IPs is not a sufficient option. We also had login restricted by IP as well, but that didn’t seem to be doing the job either.
The “limit login attempts” plugin is pretty good. I have it set to shut off for 100 hours after 4 failed attempts, with the 4th lockout set for 4000 hours. So, even if the perp can dynamically switch IPs, he has to do so every four tries. And with a really long random password, that should take a couple of centuries, and more IP addresses than he is likely to be able to access.
In the highly unlikely case they crack my “admin” it won’t do them any good anyway. Any time I notice that the scumbag has actually figured out what my real admin name is (only happened once so far), I immediately create a new one, and set the old one to “no role for this site” with a really long randomly-generated password. There are a few other details (e.g., first, I have to change the email address before it will let me create the new admin account with my email), but that pretty much did the trick on that one.
I really don’t know if this is bulletproof, but I’m hoping the scumbags decide it’s too much work and go pick on a weaker site.
” Any time I notice that the scumbag has actually figured out what my real admin name is…” can I ask you how did you figure that?
@zimbrul Sure.
The limit login attempts plugin tells me which user name is under attack. Usually, it’s “admin” but there was one occasion where I saw my real admin account’s name. So I created a new admin account, and left the old one there, but gutted of any access, and with a ridiculously long password.
I’m not sure how the perp found the admin account since I assigned it an unrelated “nickname” that appears on postings. I’m guessing there is some file on the server that can be at least partially read by a hacker, and I probably need to research that.
Its fairly easy to find the login name. All the person has to do is look at your author URL to know your username. For example this:
http://www.wpbeginner.com/author/wpbeginner/
The username would be “wpbeginner”. For most sites that is the case unless ofcourse they have changed the username like shown in this technique:
http://www.wpbeginner.com/wp-tutorials/how-to-change-your-wordpress-username/
If you do it like that, then your username will change, but your author URL would not.
Howard, that’s an interesting point; I’ll try to implement that.
Also I had problems with 404 errors or too many redirects and I didn’t know the fix, thanks for that!
For some reason, banning the IP address in .htaccess in wp-admin folder is not working for my site zimbrul.co.uk ! I’ve tried to access my site from my mobile phone on 3G and I could get through even the only allowed IP was the home IP.
Yeah, this is why it helps to have double authentication like this.