Protecting your wp-admin directory and WordPress dashboard with an htaccess file is a vital procedure when locking down your WordPress blog or website. As a blogger and webmaster you know that once a malicious user gains access to your WordPress dashboard, it is game over. By adding an extra layer of server-side security you are also protecting your WordPress installation against zero day vulnerabilities that might be discovered in WordPress wp-admin scripts.
In this article we will explain how to manualy add an extra layer of security to protect your WordPress wp-admin files by implementing basic authentication (HTTP authentication). If you are using a hosted solution, such as HostGator you can add an additional layer of security by adding additional authentication from CPanel.
Create a password file for your WordPress
To password protect your WordPress admin area you have to create an Apache htpasswd file. The .htpasswd file is like a database of usernames and passwords which the web server will use to authenticate users. You can create such file by using an online password file generator or by referring to the How to create an Apache password file htpasswd tutorial. Alternatively drop us an email and we will generate the htpasswd file for you for FREE.
Create an Apache htaccess File
Once you create an htpasswd file, you also have to create an .htaccess file which should be uploaded to the wp-admin directory of your WordPress installation. If there is no .htaccess file in your website’s wp-admin directory you have to create a new one. If there is already an .htaccess file, make a backup copy and edit the existing one.
WP White Security Webmaster Tip: When you connect to your website using an FTP client, sometimes .htaccess files don’t show. To confirm if you already have htaccess files on your website make sure that the option on your FTP client to force showing of hidden files is enabled.
Some operating systems such as Windows do not allow you to create a .htaccess file. In such cases use an advanced text editor such as PspAd to create a new the file. Once you create your new file, add the below content to to your .htaccess file:
# enable basic authentication AuthType Basic # this text is displayed in the login dialog AuthName “Restricted Area” # The absolute path of the Apache htpasswd file. You should edit this AuthUserFile /path/to/.htpasswd # Allows any user in the .htpasswd file to access the directory require valid-user
Save the file and upload it to your WordPress wp-admin directory. Once it is set up, anyone who tries to access http://[yourdomain.com]/wp-admin, or try to login to the WordPress dashboard, they have to first authenticate with the Apache web server before accessing the WordPress dashboard login page. Below is a screenshot of the HTTP authentication dialog box.
WP White Security Security Tip: Basic HTTP authentication is easy to implement but keep in mind that passwords are sent over the internet Base 64 encoded and in plain text. If you want a more secure solution you should use basic authentication over HTTPS.
Troubleshooting basic authentication problems
As we have seen above implementing basic authentication to protect your WordPress wp-admin directory is a straight forward process. If after implementing web server authentication you try to access the wp-admin directory and you receive an HTTP 500 Error, Internal Server error, the problem is the password file path specified in the AuthUserFile directive. This path you specify should be the full absolute path from the absolute root of the server.
Allowing front end Ajax functionality
Some WordPress plugins use Ajax functionality in WordPress. This means that such plugins might need access to the file admin-ajax.php which can is found in the wp-admin directory. To allow anonymous access to such file for the WordPress plugins to function, add the below to the .htaccess file you just created in this tutorial.
<Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files>
WP White Security Webmaster Tip: If you have doubts if any of your plugins use WordPress front end Ajax, simply password protect the wp-admin directory and confirm that the website is still fully functional. If not, allow access to admin-ajax.php file as suggested above.
Protecting the WordPress login page with HTTP authentication is not enough. There is much more you can do to keep your WordPress secure, as explain in this detailed list of WordPress security tweaks.