Protecting your wp-admin directory and WordPress dashboard with an .htaccess file is a vital procedure when locking down your WordPress blog or website. As a blogger and webmaster you know that once a malicious user gains access to your WordPress dashboard, it is game over. By adding an extra layer of server-side security you are also hardening your WordPress installation against zero-day vulnerabilities that might be discovered in the WordPress wp-admin scripts.
In this article we will explain how to manually add an extra layer of security to protect your WordPress wp-admin files by implementing basic authentication (HTTP authentication).
Create a password file for your WordPress
To password protect your WordPress admin area you have to create an Apache htpasswd file. The .htpasswd file is like a database of usernames and passwords which the web server uses to authenticate users. You can create such a file by using an online password file generator or by referring to the How to create an Apache password file htpasswd tutorial.
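To make the format of that file concrete, here is an added example (not code from the original post or from WP White Security) that reimplements Apache's "$apr1$" MD5 password scheme in Python, writes a username:hash entry and verifies a credential against it. On a real server you would generate the file with the htpasswd tool instead, for example `htpasswd -B -c /path/to/.htpasswd admin` (bcrypt); the usernames and passwords below are constructed demo values.

```python
"""Generate and verify Apache .htpasswd entries in the apr1 (MD5) format.

Added example: an independent reimplementation of the "$apr1$" scheme so the
file format can be studied offline. It is not WP White Security's code; on a
real server use the `htpasswd` tool, which also supports bcrypt (-B).
"""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """Apache's base-64 variant: emit `count` 6-bit groups, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password: str, salt: str) -> str:
    """Return "$apr1$<salt>$<hash>" following Apache's apr_md5_encode algorithm."""
    pw = password.encode()
    salt_b = salt.encode()[:8]  # Apache uses at most 8 salt characters
    ctx = hashlib.md5(pw + MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # mix in the alternate digest, one block per 16 password bytes
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:  # one byte per bit of the password length
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 rounds of key stretching
        round_ctx = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            round_ctx.update(salt_b)
        if i % 7:
            round_ctx.update(pw)
        round_ctx.update(final if i & 1 else pw)
        final = round_ctx.digest()
    # Reorder the 16 digest bytes into the 22-character encoding Apache expects.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return MAGIC.decode() + salt_b.decode() + "$" + encoded


def make_entry(username: str, password: str) -> str:
    """One line for .htpasswd: "username:$apr1$<salt>$<hash>" with a random salt."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{username}:{apr1_crypt(password, salt)}"


def verify(entry: str, username: str, password: str) -> bool:
    """Check a credential against one .htpasswd line (apr1 entries only)."""
    name, _, stored = entry.strip().partition(":")
    if name != username or not stored.startswith("$apr1$"):
        return False
    salt = stored[len("$apr1$"):].split("$", 1)[0]
    # Constant-time comparison so the check does not leak where the hashes differ.
    return hmac.compare_digest(apr1_crypt(password, salt), stored)


def verify_file(lines, username: str, password: str) -> bool:
    """Scan a whole .htpasswd file (given as lines) for a matching credential."""
    return any(
        verify(line, username, password)
        for line in lines
        if line.strip() and not line.startswith("#")
    )


if __name__ == "__main__":
    # Constructed demo credentials, not real ones.
    entry = make_entry("editor", "correct horse battery staple")
    print(entry)
    print(verify(entry, "editor", "correct horse battery staple"))
    print(verify(entry, "editor", "wrong password"))
```

Every apr1 entry has the same shape: the literal "$apr1$", up to eight salt characters, a "$" and 22 encoded characters, so the hash portion is always 37 characters long. The salt is stored in the clear inside the entry, which is what lets the server (or the verify function above) recompute the hash for a presented password.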
Create an Apache htaccess File
Once you create an htpasswd file, you also have to create an .htaccess file which should be uploaded to the wp-admin directory of your WordPress installation. If there is no .htaccess file in your website’s wp-admin directory you have to create a new one. If there is already an .htaccess file, make a backup copy and edit the existing one.
WP White Security Webmaster Tip: When you connect to your website using an FTP client, sometimes .htaccess files don’t show. To confirm if you already have htaccess files on your website make sure that the option on your FTP client to force showing of hidden files is enabled.
Some operating systems such as Windows do not allow you to create a .htaccess file. In such cases use an advanced text editor such as PSPad to create the new file. Once you create your new file, add the below content to your .htaccess file:
# enable basic authentication
AuthType Basic
# this text is displayed in the login dialog
AuthName "Restricted Area"
# The absolute path of the Apache htpasswd file. You should edit this
AuthUserFile /path/to/.htpasswd
# Allows any user in the .htpasswd file to access the directory
require valid-user
Save the file and upload it to your WordPress wp-admin directory. Once it is set up, anyone who tries to access http://[yourdomain.com]/wp-admin, or tries to log in to the WordPress dashboard, has to first authenticate with the Apache web server before reaching the WordPress dashboard login page. Below is a screenshot of the HTTP authentication dialog box.
WP White Security Security Tip: Basic HTTP authentication is easy to implement, but keep in mind that passwords are sent over the internet Base64 encoded, which is effectively plain text. If you want a more secure solution you should use basic authentication over HTTPS.
Troubleshooting basic authentication problems
As we have seen above, implementing basic authentication to protect your WordPress wp-admin directory is a straightforward process. If after implementing web server authentication you try to access the wp-admin directory and you receive an HTTP 500 Internal Server Error, the problem is the password file path specified in the AuthUserFile directive. The path you specify should be the full absolute path from the root of the server's filesystem.
Allowing front end Ajax functionality
Some WordPress plugins use Ajax functionality in WordPress. This means that such plugins might need access to the file admin-ajax.php, which is found in the wp-admin directory. To allow anonymous access to this file so that such plugins keep working, add the below to the .htaccess file you just created in this tutorial.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
WP White Security Webmaster Tip: If you have doubts if any of your plugins use WordPress front end Ajax, simply password protect the wp-admin directory and confirm that the website is still fully functional. If not, allow access to admin-ajax.php file as suggested above.
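Both of the problems this tutorial discusses (an AuthUserFile path that is not absolute or does not exist, which produces the HTTP 500 error, and a missing anonymous exemption for admin-ajax.php) can be caught before the file is uploaded. The following added example, which is not code from the original post, is a small Python checker that parses only the directives used above; the `.htaccess` texts and the `/home/example/.htpasswd` path are constructed samples, and the `exists` and `is_abs` parameters are assumptions of this example so the check can run without a real server.

```python
"""Sanity-check a wp-admin .htaccess before uploading it.

Added example (not code from the original post): a deliberately minimal parser
that understands only the directives used in the tutorial and reports the two
mistakes it discusses. Hypothetical helper names; nothing here is Apache's code.
"""
import os
import re
import shlex
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class HtaccessReport:
    problems: List[str] = field(default_factory=list)   # will break the site
    warnings: List[str] = field(default_factory=list)   # may break some plugins
    auth_user_file: Optional[str] = None
    ajax_exempt: bool = False

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_directives(text: str):
    """Yield (section, directive, args) per non-comment line.

    `section` is None at top level, or the <Files ...> argument inside a block.
    """
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Files\s+(.+?)>$", line, re.IGNORECASE)
        if opened:
            section = opened.group(1).strip('"')
            continue
        if line.lower() == "</files>":
            section = None
            continue
        parts = shlex.split(line)  # handles the quoted AuthName value
        yield section, parts[0], parts[1:]


def check_htaccess(
    text: str,
    exists: Callable[[str], bool] = os.path.exists,
    is_abs: Callable[[str], bool] = os.path.isabs,
) -> HtaccessReport:
    """Report AuthUserFile path problems and whether admin-ajax.php is exempted."""
    report = HtaccessReport()
    top_level = set()
    file_sections = {}
    for section, name, args in parse_directives(text):
        key = name.lower()
        if section is None:
            top_level.add(key)
            if key == "authuserfile":
                report.auth_user_file = args[0] if args else None
        else:
            file_sections.setdefault(section.lower(), set()).add(
                (key, tuple(a.lower() for a in args))
            )

    for required in ("authtype", "authname", "authuserfile", "require"):
        if required not in top_level:
            report.problems.append(f"missing {required} directive")

    path = report.auth_user_file
    if path is not None:
        # A relative or non-existent path is what produces the HTTP 500 error.
        if not is_abs(path):
            report.problems.append(f"AuthUserFile '{path}' is not an absolute path")
        elif not exists(path):
            report.problems.append(f"AuthUserFile '{path}' does not exist on this server")

    ajax = file_sections.get("admin-ajax.php", set())
    # "Satisfy any" plus "Allow from all" lets unauthenticated front-end Ajax through.
    if ("satisfy", ("any",)) in ajax and ("allow", ("from", "all")) in ajax:
        report.ajax_exempt = True
    else:
        report.warnings.append("no anonymous exemption for admin-ajax.php; plugins using front-end Ajax will break")
    return report


# Constructed sample: the tutorial's directives with the placeholder path left in.
SAMPLE_BROKEN = """
# enable basic authentication
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/.htpasswd
require valid-user
"""

# Constructed sample: a real-looking path plus the admin-ajax.php exemption.
SAMPLE_GOOD = SAMPLE_BROKEN.replace("/path/to/.htpasswd", "/home/example/.htpasswd") + """
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
"""

if __name__ == "__main__":
    fake_exists = lambda p: p == "/home/example/.htpasswd"  # stands in for the server's filesystem
    for label, sample in (("broken", SAMPLE_BROKEN), ("good", SAMPLE_GOOD)):
        report = check_htaccess(sample, exists=fake_exists)
        print(label, "ok" if report.ok else report.problems, report.warnings)
```

Run it on the server itself (leaving `exists` at its default) and the path check uses the real filesystem, which is exactly the condition Apache tests when it opens the password file on each request.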
Great article… A couple of points you might want to mention as well: It is strongly recommended that you only connect to your hosting account using SFTP (as opposed to FTP) and also that you do not store your hosting password in your FTP client…
I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…
Very good point indeed and well done with the check list. Will definitely check it out.
When password protecting wp-admin, it’s important to carve out an exemption for admin-ajax.php or any plugins that rely on AJAX are going to fail for people who aren’t logged in.
The codex has a great article on Hardening WordPress that shows exactly how to do this in your .htaccess file.
Thanks for your reply. Very good point you mentioned there. I just updated this tutorial to include what you suggested, i.e. how to allow access to admin-ajax.php when wp-admin is password protected.
I never thought that this is possible. I will use this on one of my blog sites and see what happens. I am using captcha on my other sites but I think this will do better.
Yes it is possible. Try it out and if you have any issues, let us know 🙂
Did it and it works fine, but now all other subscribers have to know my .htpasswd to log in, and new subscribers also. Is it possible to circumvent this?
Thank you for following our blog.
This setup guide was written for anyone who has a website without subscribers, of course unless you want to create a difference user in the .htpasswd file for each user, which is not recommended. If you would like to have subscribers I would recommend you to use a different login URL for the subscribers. I know it is possible but unfortunately do not know much about such setup, hence can’t help you much here, sorry. Though if you manage to set it up would appreciate if you share your findings with us.
Great article! Security is most important for a WP new user. Thanks!
Don’t use this if you are using woocommerce as it breaks the password reset functionality
Thank you for your comment. HTTP authentication should not be used when you have members of the public (including clients via WooCommerce or any other online shopping cart plugin) that need to login. Else you have to provide them with a HTTP authentication username as well.
This type of hardening is good when you only have authors or users to whom you can send the HTTP authentication details.
Hi, just wondering…
shouldn’t you also indicate what “.htpasswd” should consist of?
I found it at https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
Unfortunately as almost always with computer programming (in my case) even following exactly the most simple instructions… it still doesn’t work.
Identification window comes up, ok. But then using user and password (as example), the system tells me they are wrong and I get no access.
The positive thing would be that hackers would have no access either, which this is all about…
Thanks for reaching out!
Indeed, the format of the file is always – username:password.
However, this is not something you can do manually. You have to use the htpasswd tool to generate it. That is why we did not post anything about it.
Should you have any other concerns, make sure to let us know!