Add Additional WordPress wp-admin HTTP Authentication from CPanel

Last updated on April 29th, 2019 by Robert Abela. Filed under WordPress Security Tutorials & Tips

Even though the WordPress administrator dashboard (the wp-admin directory, as most know it) is already protected by a WordPress username and password, ideally you should add a further layer of security: authentication enforced by the web server itself. By doing so, you are also protecting your WordPress installation from newly discovered zero-day vulnerabilities.

If you host WordPress on your own server, you can add this layer to the wp-admin directory manually by configuring HTTP authentication in an htaccess file. Alternatively, if you use a web hosting solution, you can add it from the hosting provider's CPanel. In this article we explain step by step how to add the additional authentication using CPanel.

Add additional security to WordPress wp-admin from CPanel

  1. Log in to your hosting provider's CPanel and scroll down to the Security section shown in the screenshot below.

CPanel Security Section to password protect a directory

  2. Click on Password Protect Directories, which is highlighted in the above screenshot.
  3. Once you click on it, a pop-up window will show up asking you to specify a directory location. You can specify the web root directory.
  4. Once you are in the directory explorer window, navigate to the directory where your WordPress is hosted and click on the /wp-admin/ directory.

WP White Security CPanel Tip: In the CPanel directory explorer you have to click on the directory icon to browse its contents. If you click on the directory name that directory will be password protected.

  5. Once you select the WordPress wp-admin directory, you are presented with the page shown in the screenshot below. Confirm that the path of the directory is correct (highlighted as 1), tick the option Password protect this directory, and specify a user-friendly name in the Name the protected directory field.

Enable Password Protection to a directory in CPanel and create a new HTTP authentication user

  6. Click the Save button to save the changes.
  7. The next step is to create an HTTP username and password to access this directory. Click the back button and scroll down to the section Create User, which is highlighted in the above screenshot as 2.
  8. Specify a username and a strong password, and once done click on Add/modify authorized user. If you already have an existing user, you can modify it by highlighting it in the list.

WP White Security Security Tip: A strong password must be at least 8 characters long and should not be a predictable dictionary word. Use upper case and lower case letters, numbers and special characters such as !? etc.

Now you’re done. You can test if this works by trying to access your WordPress dashboard (/wp-admin/ section). Upon accessing the WordPress administrator dashboard, an HTTP authentication window like the one below should appear.

HTTP authentication window | additional authentication to the WordPress administrator dashboard

Allowing front end Ajax functionality

Some WordPress plugins use Ajax functionality in WordPress. This means that such plugins might need access to the file admin-ajax.php, which is found in the wp-admin directory. To allow anonymous access to that file so the plugins keep working, you should allow front end Ajax functionality.
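One way to allow it, shown here as an added example rather than configuration from the original article: a wp-admin/.htaccess that keeps HTTP authentication on the directory and exempts only admin-ajax.php. The AuthUserFile path (with USERNAME) is a placeholder, and the two IfModule branches assume the server runs either Apache 2.4 (mod_authz_core) or Apache 2.2.

```apache
# wp-admin/.htaccess (added example, not the article's own file)

# Directory-wide HTTP Basic authentication, in the form cPanel's
# "Password Protect Directories" writes it.
# USERNAME is a placeholder for the hosting account name.
AuthType Basic
AuthName "Admin Area"
AuthUserFile "/home/USERNAME/.htpasswds/public_html/wp-admin/passwd"
Require valid-user

# Exception for front end Ajax: plugins call admin-ajax.php on behalf of
# anonymous visitors, so this one file must be reachable without the
# HTTP username and password. Every other file in wp-admin stays protected.
<Files "admin-ajax.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4: a Require in this more specific section replaces
        # the directory-level "Require valid-user" for this file only.
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: allow all hosts, and let host-based access
        # satisfy the request instead of a valid user.
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
```

HTTP Basic credentials are only base64-encoded on the wire, so serve wp-admin over HTTPS when using this setup.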

6 comments

resse 13/07/2015

Protecting wp-admin through cPanel says

The page isn’t redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

This problem can sometimes be caused by disabling or refusing to accept cookies.

Here is the generated .htaccess from cPanel

AuthType Basic
AuthName "Admin Area"
AuthUserFile "/home/somname/.htpasswds/public_html/wp-admin/passwd"
require valid-user

Any idea why browser is not displaying the dashboard? I also added the ajax functionality but still no luck.

Hoping for your help thanks!

Robert Abela 14/07/2015

Hello Resse,

Unfortunately it is very difficult to troubleshoot such an issue without having access to the website and doing some proper troubleshooting. Hence if you haven’t solved your problem yet, drop us an email on support@wpwhitesecurity.com and we will look into it.

Peter 16/10/2015

same problem here, also got the redirection error 🙁

Robert Abela 22/10/2015

Hello Peter, if you need help setting this up drop us an email on support@wpwhitesecurity.com

Stergios 06/11/2017

Hello,
Excellent post, well done!
I have a question:
After the password protection of my wp-admin area what can I do to allow the Google bot that needs to crawl my website eg “https://www.mywebsite.net/wp-admin/nav-menus.php”?
Thanks in advance,
Stergios

Robert Abela 21/11/2017

Hello Stergios, you can always make an exception for some files and allow access via the .htaccess file. For example:


directives

You can refer to our definitive guide to htaccess and WordPress for more information on how this can be done.
