Even though the WordPress administrator dashboard, or as most know it the WordPress wp-admin directory, is already protected by a WordPress username and password, ideally you should add an additional layer of security: a second authentication step controlled by the web server. By doing so, you also protect your WordPress installation from newly discovered zero day vulnerabilities in the dashboard, since an attacker cannot reach it without first passing the web server authentication.
If you host WordPress on your own server, you can add this additional layer of security to your WordPress wp-admin directory manually by configuring HTTP authentication in an htaccess file. Alternatively, if you use a web hosting solution, you can add the same layer of security from the hosting provider's CPanel. In this article we explain step by step how to add additional authentication using CPanel.
Add additional security to WordPress wp-admin from CPanel
- Login to your hosting provider CPanel and scroll down to the Security section shown in the below screenshot.
- Click on Password Protect Directories which is highlighted in the above screenshot.
- Once you click on it, a pop up window will show up asking you to specify a directory location. You can specify the web root directory.
- Once you are in the directory explorer window, navigate to the directory where your WordPress is hosted and click on the /wp-admin/ directory.
WP White Security CPanel Tip: In the CPanel directory explorer you have to click on the directory icon to browse its contents. If you click on the directory name that directory will be password protected.
- Once you select the WordPress wp-admin directory, you are presented with the page shown in the below screenshot. Confirm that the path of the directory is correct (highlighted as 1), tick the option Password protect this directory and specify a user friendly name in the Name the protected directory field, as shown in the below screenshot.
- Click the Save button to save the changes.
- The next step is to create an HTTP username and password to access this directory. Click the back button and scroll down to the section Create User, which is highlighted in the above screenshot as 2.
- Specify a username and a strong password and once done click on Add/modify authorized user. If you already have an existing user, you can modify such user by highlighting it in the list.
WP White Security Security Tip: A strong password must be at least 8 characters long and should not be a predictable dictionary word. Use upper case and lower case letters, numbers and special characters such as !? etc.
Now you’re done. You can test whether this works by trying to access your WordPress dashboard (the /wp-admin/ section). Upon accessing the WordPress administrator dashboard, an HTTP authentication window should appear like the one shown below.
Allowing front end Ajax functionality
Some WordPress plugins use Ajax functionality in WordPress. This means that such plugins might need access to the file admin-ajax.php, which is found in the wp-admin directory. To allow anonymous access to this file so that those WordPress plugins keep working, you should allow front end Ajax functionality.
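For readers who host WordPress on their own server, here is an added example (not from this article, and not the file CPanel generates) of the manual htaccess equivalent: HTTP authentication on /wp-admin/ with admin-ajax.php left open for front end Ajax. The AuthUserFile path and the realm name are placeholders; the password file itself should live outside the web root.

```apache
# Placed at /wp-admin/.htaccess
# Every request below wp-admin must first pass web server authentication,
# independently of the WordPress login.
AuthType Basic
AuthName "Restricted WordPress admin area"
# Placeholder: point this at an htpasswd file stored outside the web root.
AuthUserFile /home/EXAMPLE_ACCOUNT/.htpasswds/wp-admin.htpasswd
Require valid-user

# Exception: front end Ajax calls from plugins hit admin-ajax.php anonymously,
# so this single file is served without the HTTP authentication prompt.
# (Order/Allow/Satisfy syntax works on Apache 2.2 and on 2.4 with
# mod_access_compat, which most cPanel builds enable; on a pure 2.4 setup
# replace the three lines with "Require all granted".)
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
```

Everything else under /wp-admin/, including wp-login.php redirects into the dashboard, still triggers the web server prompt; only admin-ajax.php is reachable without it.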