
Adding Additional WP Admin HTTP Authentication from cPanel

The WordPress administrator dashboard, better known as the WordPress wp-admin directory, is already protected by a WordPress username and password. Ideally, though, you should add a second layer of security: additional authentication that is controlled by the web server. By doing so, you are also protecting your WordPress installation from newly discovered zero-day vulnerabilities.

If you host WordPress on your own server, you can add this layer to your WordPress wp-admin directory manually by configuring HTTP authentication in an .htaccess file. Alternatively, if you use a web hosting solution, you can add it from the hosting provider's cPanel. This article explains step by step how to add the additional authentication using cPanel.

Add additional security to WordPress wp-admin from cPanel

  1. Log in to your hosting provider's cPanel and scroll down to the Security section shown in the screenshot below.

[Screenshot: cPanel Security section to password protect a directory]

  2. Click on Password Protect Directories, which is highlighted in the above screenshot.
  3. Once you click on it, a pop-up window will show up asking you to specify a directory location. You can specify the web root directory.
  4. Once you are in the directory explorer window, navigate to the directory where your WordPress is hosted and click on the /wp-admin/ directory.

WP White Security cPanel Tip: In the cPanel directory explorer you have to click on the directory icon to browse its contents. If you click on the directory name, that directory will be password protected.

  5. Once you select the WordPress wp-admin directory, you are presented with the page shown in the screenshot below. Confirm that the path of the directory is correct (highlighted as 1), tick the option Password protect this directory, and specify a user-friendly name in the Name the protected directory field.

[Screenshot: Enable password protection for a directory in cPanel and create a new HTTP authentication user]

  6. Click the Save button to save the changes.
  7. The next step is to create an HTTP username and password to access this directory. Click the back button and scroll down to the section Create User, which is highlighted in the above screenshot as 2.
  8. Specify a username and a strong password and, once done, click on Add/modify authorized user. If you already have an existing user, you can modify that user by highlighting it in the list.

WP White Security Security Tip: A strong password must be at least 8 characters long and should not be a predictable dictionary word. Use upper case and lower case letters, numbers and special characters such as !? etc.

Now you’re done. You can test that this works by trying to access your WordPress dashboard (the /wp-admin/ section). When you access the WordPress administrator dashboard, an HTTP authentication window like the one below should appear.

[Screenshot: HTTP authentication window providing additional authentication to the WordPress administrator dashboard]

Allowing front end Ajax functionality

Some WordPress plugins use Ajax functionality in WordPress. This means that such plugins might need access to the file admin-ajax.php, which is found in the wp-admin directory. For these plugins to function, you should allow anonymous access to that file, that is, allow front end Ajax functionality.
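One way to allow this on an Apache server, shown as an added example that is not part of the original article: the .htaccess file in the wp-admin directory keeps the Basic authentication that cPanel generated and exempts only admin-ajax.php. The AuthName value and the AuthUserFile path are placeholders; keep whatever cPanel wrote for your account.

```apache
# /wp-admin/.htaccess (example; AuthName and the path below are placeholders)

# HTTP Basic authentication for everything inside wp-admin,
# as generated by cPanel's Password Protect Directories.
AuthType Basic
AuthName "Admin Area"
AuthUserFile "/home/USERNAME/.htpasswds/public_html/wp-admin/passwd"
Require valid-user

# Exempt only the front end Ajax endpoint from HTTP authentication.
# WordPress itself still decides what each Ajax action may do.
<Files "admin-ajax.php">
    # Apache 2.4 and later (mod_authz_core): this Require replaces the
    # directory-level "Require valid-user" for this one file.
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>

    # Apache 2.2: host-based access is allowed for everyone, and
    # "Satisfy any" lets that stand in for the password check.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
```

After saving, a request to /wp-admin/ should still trigger the HTTP authentication prompt, while a request to /wp-admin/admin-ajax.php should be answered by WordPress without one.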


6 thoughts on “Add Additional WordPress wp-admin HTTP Authentication from CPanel”

  1. Protecting wp-admin trough cPanel says

    The page isn’t redirecting properly

    Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

    This problem can sometimes be caused by disabling or refusing to accept cookies.

    Here is the generated .htaccess from cPanel

    AuthType Basic
    AuthName "Admin Area"
    AuthUserFile "/home/somname/.htpasswds/public_html/wp-admin/passwd"
    require valid-user

    Any idea why browser is not displaying the dashboard? I also added the ajax functionality but still no luck.

    Hoping for your help thanks!

  2. Hello,
    Excellent post, well done!
    I have a question:
    After the password protection of my wp-admin area what can I do to allow the Google bot that needs to crawl my website eg “https://www.mywebsite.net/wp-admin/nav-menus.php”?
    Thanks in advance,
    Stergios

