Securing The WordPress wp-admin Directory with HTTP Authentication

Last updated on August 27th, 2019 by Robert Abela. Filed under WordPress Security Tutorials & Tips

Protecting your wp-admin directory and WordPress dashboard with an .htaccess file is a vital procedure when locking down your WordPress blog or website. As a blogger and webmaster you know that once a malicious user gains access to your WordPress dashboard, it is game over. By adding an extra layer of server-side security you are also protecting your WordPress installation against zero day vulnerabilities that might be discovered in WordPress wp-admin scripts.

In this article we will explain how to manually add an extra layer of security to protect your WordPress wp-admin files by implementing basic authentication (HTTP authentication).

New to htaccess? Check out our Definitive Guide to htaccess and WordPress!

Create a password file for your WordPress

To password protect your WordPress admin area you have to create an Apache htpasswd file. The .htpasswd file is like a database of usernames and passwords which the web server will use to authenticate users. You can create such file by using an online password file generator or by referring to the How to create an Apache password file htpasswd tutorial.

Create an Apache htaccess File

Once you create an htpasswd file, you also have to create an .htaccess file which should be uploaded to the wp-admin directory of your WordPress installation. If there is no .htaccess file in your website’s wp-admin directory you have to create a new one. If there is already an .htaccess file, make a backup copy and edit the existing one.

WP White Security Webmaster Tip: When you connect to your website using an FTP client, sometimes .htaccess files don’t show. To confirm if you already have htaccess files on your website make sure that the option on your FTP client to force showing of hidden files is enabled.

Some operating systems such as Windows do not allow you to create a .htaccess file. In such cases use an advanced text editor such as PspAd to create a new the file. Once you create your new file, add the below content to to your .htaccess file:

# enable basic authentication
AuthType Basic
# this text is displayed in the login dialog
AuthName “Restricted Area”
# The absolute path of the Apache htpasswd file. You should edit this
AuthUserFile /path/to/.htpasswd
# Allows any user in the .htpasswd file to access the directory
require valid-user

Save the file and upload it to your WordPress wp-admin directory. Once it is set up, anyone who tries to access http://[yourdomain.com]/wp-admin, or try to login to the WordPress dashboard, they have to first authenticate with the Apache web server before accessing the WordPress dashboard login page. Below is a screenshot of the HTTP authentication dialog box.

web server http authentication dialog box

WP White Security Security Tip: Basic HTTP authentication is easy to implement but keep in mind that passwords are sent over the internet Base 64 encoded and in plain text. If you want a more secure solution you should use basic authentication over HTTPS.

Troubleshooting basic authentication problems

As we have seen above implementing basic authentication to protect your WordPress wp-admin directory is a straight forward process. If after implementing web server authentication you try to access the wp-admin directory and you receive an HTTP 500 Error, Internal Server error, the problem is the password file path specified in the AuthUserFile directive. This path you specify should be the full absolute path from the absolute root of the server.

Allowing front end Ajax functionality

Some WordPress plugins use Ajax functionality in WordPress. This means that such plugins might need access to the file admin-ajax.php which can is found in the wp-admin directory. To allow anonymous access to such file for the WordPress plugins to function, add the below to the .htaccess file you just created in this tutorial.

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

WP White Security Webmaster Tip: If you have doubts if any of your plugins use WordPress front end Ajax, simply password protect the wp-admin directory and confirm that the website is still fully functional. If not, allow access to admin-ajax.php file as suggested above.

WordPress Hosting, Firewall and Backup

This Website is:

11 comments

Anders Vinther 13/08/2012

Great article… A couple of points you might want to mention as well: It is strongly recommended that you only connect to your hosting account using SFTP (as opposed to FTP) and also that you do not store your hosting password in your FTP client…

I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…

John Bonello 14/08/2012

Hi Anders,

Very good point indeed and well done with the check list. Will definitely check it out.

Dave Ross 03/11/2012

When password protecting wp-admin, it’s important to carve out an exemption for admin-ajax.php or any plugins that rely on AJAX are going to fail for people who aren’t logged in.

The codex has a great article on Hardening WordPress that shows exactly how to do this in your .htaccess file.

John Bonello 03/11/2012

Hi Dave,

Thanks for your reply. Very good point you mentioned there. I just updated this tutorial to include what you suggested, i.e. how to allow access to admin-ajax.php when wp-admin is password protected.

RC Organo Jr 16/01/2013

I never thought that this is possible. I will use this on one of my blog sites and see what happens. I am using captcha on my other sites but I think this will do better.

John Bonello 16/01/2013

Yes it is possible. Try it out and if you have any issues, let us know 🙂

john 21/08/2014

did it and it works fine, but now all other subscribers have to know my .htpasswd to login and new subscribers also, is it possible to circumvent this?

regards

Robert Abela 24/08/2014

Hi John,

Thank you for following our blog.

This setup guide was written for anyone who has a website without subscribers, of course unless you want to create a difference user in the .htpasswd file for each user, which is not recommended. If you would like to have subscribers I would recommend you to use a different login URL for the subscribers. I know it is possible but unfortunately do not know much about such setup, hence can’t help you much here, sorry. Though if you manage to set it up would appreciate if you share your findings with us.

Giovanni 08/01/2016

Great article! Security is most important fiera wp new user. Thanks!

solace 19/09/2017

Don’t use this if you are using woocommerce as it breaks the password reset functionality

Robert Abela 19/09/2017

HI Solace,

Thank you for your comment. HTTP authentication should not be used when you have members of the public (including clients via WooCommerce or any other online shopping cart plugin) that need to login. Else you have to provide them with a HTTP authentication username as well.

This type of hardening is good when you only have authors or users to whom you can send the HTTP authentication details.

Leave a Reply

Your email address will not be published. Required fields are marked *