Even though the WordPress administrator dashboard (the wp-admin directory, as most know it) is already protected by a WordPress username and password, ideally one should add an additional layer of security: a second authentication step enforced by the web server itself. By doing so you are also protecting your WordPress installation from newly discovered zero-day vulnerabilities, because an attacker cannot reach the dashboard code at all without first passing the web server's authentication.
If you host WordPress on your own server, you can add this additional layer of security to your WordPress wp-admin directory manually by configuring HTTP authentication in an .htaccess file. Alternatively, if you use a web hosting solution, you can also add this layer of security from the hosting provider's cPanel. In this article we explain step by step how to add the additional authentication using cPanel.
Add additional security to WordPress wp-admin from cPanel
- Log in to your hosting provider's cPanel and scroll down to the Security section shown in the screenshot below.
- Click on Password Protect Directories, which is highlighted in the screenshot above.
- Once you click on it, a pop up window will show up asking you to specify a directory location. You can specify the web root directory.
- Once you are in the directory explorer window, navigate to the directory where your WordPress is hosted and click on the /wp-admin/ directory.
WP White Security cPanel Tip: In the cPanel directory explorer you have to click on the directory icon to browse its contents. If you click on the directory name instead, that directory is the one that will be password protected.
- Once you select the WordPress wp-admin directory, you are presented with the page shown in the screenshot below. Confirm that the path of the directory is correct (highlighted as 1), tick the option Password protect this directory, and specify a user-friendly name in the Name the protected directory field, as shown in the screenshot below.
- Click the Save button to save the changes.
- The next step is to create an HTTP username and password to access this directory. Click the back button and scroll down to the section Create User, which is highlighted in the screenshot above as 2.
- Specify a username and a strong password and, once done, click on Add/modify authorized user. If you already have an existing user, you can modify that user by highlighting it in the list.
WP White Security Security Tip: A strong password must be at least 8 characters long and should not be a predictable dictionary word. Use upper case and lower case letters, numbers and special characters such as ! and ?.
Now you're done. You can test that this works by trying to access your WordPress dashboard (the /wp-admin/ section). Upon accessing the WordPress administrator dashboard, an HTTP authentication window should appear like the one below.
Allowing front end Ajax functionality
Some WordPress plugins use Ajax functionality in WordPress. This means that such plugins might need access to the file admin-ajax.php, which is found in the wp-admin directory and is requested by visitors who are not logged in. To allow anonymous access to that file so these plugins keep functioning, you should allow front end Ajax functionality, i.e. exempt admin-ajax.php from the directory password protection.
Protecting wp-admin trough cPanel says
The page isn’t redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies.
Here is the generated .htaccess from cPanel:
AuthName "Admin Area"
Any idea why browser is not displaying the dashboard? I also added the ajax functionality but still no luck.
Hoping for your help thanks!
Unfortunately it is very difficult to troubleshoot such an issue without having access to the website and doing some proper troubleshooting. Hence, if you haven't solved your problem yet, drop us an email on email@example.com and we will look into it.
Same problem here, also got the redirection error 🙁
Hello Peter, if you need help setting this up drop us an email on firstname.lastname@example.org
Excellent post, well done!
I have a question:
After the password protection of my wp-admin area, what can I do to allow the Google bot that needs to crawl my website, e.g. "https://www.mywebsite.net/wp-admin/nav-menus.php"?
Thanks in advance,
Hello Stergios, you can always make an exception for some files and allow access via the .htaccess file. For example:
You can refer to our definitive guide to htaccess and WordPress for more information on how this can be done.
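The kind of .htaccess exception referred to in the reply above, and in the "Allowing front end Ajax functionality" section of the article, written out as an added example (this is not the cPanel-generated file nor the author's own configuration). It assumes the file lives in the wp-admin directory and that the password file path is adjusted to your own hosting account:

```apache
# Constructed example: .htaccess placed in /wp-admin/ (paths are assumptions)
# Everything under wp-admin requires HTTP Basic credentials from the web server,
# on top of the normal WordPress login.
AuthType Basic
AuthName "Admin Area"
# The htpasswd file must live outside the web root; replace the placeholder path.
AuthUserFile /home/EXAMPLE_ACCOUNT/.htpasswds/public_html/wp-admin/passwd
Require valid-user

# Exception for front end Ajax: plugins call admin-ajax.php on behalf of
# anonymous visitors, so that single file is released from the extra login.
# WordPress still enforces its own nonce and capability checks inside it.
<Files "admin-ajax.php">
    # Apache 2.4 (default AuthMerging Off): this Require replaces the
    # directory-level "Require valid-user" for this file only.
    Require all granted

    # Apache 2.2 (or 2.4 with mod_access_compat) equivalent; use instead of
    # the line above on older servers:
    # Order allow,deny
    # Allow from all
    # Satisfy any
</Files>
```

The same <Files> pattern can exempt any other single file that must stay reachable without the web server login; every file not listed keeps both layers of authentication.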