As you read the title, you are probably wondering isn’t the wp-admin directory already password protected. You are required to login right. Well that is true, but to add an additional layer of security popular sites often add an extra layer of authentication. Few days ago, we started seeing some suspicious activity on WPBeginner, so our host HostGator advised us to password protect our WordPress admin directory. Apparently popular sites like Mashable do the same. In this article, we will show you a step by step guide on how to password protect your WordPress admin (wp-admin) directory.
To keep things easy and simple, we will only cover cPanel web hosting companies here just because cPanel has an easy enough interface to add password protected directories.
Login to your cPanel. Scroll down till you see the Security Tab. Click on the “Password Protect Directories” icon.
When you click on that, a lightbox popup will show up asking for directory location. Just click on web root. Once you are there, navigate to the folder where your WordPress is hosted. Then click on the /wp-admin/ folder. You will see a screen like this:
Simply check the box to password protect the directory. Then create a user for the directory. That is it. Now when you try to access your wp-admin directory, you should see an authentication required box like this:
Manual Method
First create a .htpasswds file. You can do so easily by using this generator. Upload this file outside your /public_html/ directory. A good path would be:
home/user/.htpasswds/public_html/wp-admin/passwd/
Then, create a .htaccess file and upload it in /wp-admin/ directory. Then add the following codes in there:
AuthName "Admins Only" AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd AuthGroupFile /dev/null AuthType basic require user putyourusernamehere
You must update your username in there. Also don’t forget to update the AuthUserFile location path.
I have a 404 Error or a Too many redirects error
Well this can happen depending on how your server is configured. To fix this issue, open your main WordPress .htaccess file and add the following code there before the WordPress rules start.
ErrorDocument 401 default
Well there you have it. Now you have double authentication for your WordPress admin area. This is a good alternative to limiting wp-admin access by IP address.
Update: Here is how to fix the Admin Ajax Issue
If you password protect your WordPress Admin directory, then it will break the Ajax functionality in the front-end (if it is being used). In our case, we don’t have any plugins that is using ajax in the front-end. But if you do, then here is how you fix that issue.
Open the .htaccess file located in your /wp-admin/ folder (This is NOT the main .htaccess file that we edited above).
In the wp-admin .htaccess file, paste the following code:
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Source: Sivel
The first method through cPanel worked like a charm. However, when I logout again from WP and login again it doesn’t ask again for the directory password. Is it meant to ask only once?
Your cookies/cache will remember the login information. Normally the next time you start up your computer it will require you to log in again.
Very good, Thank you…
You’re welcome
The “Password Protect Directories” is not on my cPanel under “securitiy”, so I tried the manual way, but it doesn’t seem to work as it doesn’t ask for login when I open wp-admin…
If you reach out to your hosting provider they should be able to assist and take a look if there’s any reason it wouldn’t be working.
Thanks for your efforts!
I used cpanel method it works fine but the problem is that the password prompt appearing on every page of my website!
What i have to do so that it appear only at wp-admin page?
It sounds like you may have password protected your public_html folder instead of the wp-admin folder. You would want to remove the current protection and attempt to set it up again