The wp-admin directory is an essential directory for every WordPress site. It holds the files that make the WordPress dashboard run. Security is a major concern for every blogger, and when securing a blog, no reasonable protection should be left unused.
Securing WordPress also involves protecting the wp-admin directory. As a blogger, you must know that once a hacker gains access to your WordPress dashboard, it is game over. So adding an extra layer of security is always best.
In this guide, I will show you how to secure and password protect the WordPress admin directory and wp-login.php from invalid login attempts.
Protecting the WordPress admin directory is an easy way to add additional protection against bots and hackers. To set up this protection, follow the steps below:
- Log in to cPanel.
- Click Directory Privacy under Files.
- Go to the public_html directory.
- Click the text of wp-admin.
- Click the checkbox next to Password protect this directory.
- Enter a phrase such as "Protected" in the "Name for the protected directory" field.
- Now create a new username and password. This will be the same username and password you will have to use when you visit yourdomain.com/wp-admin/. Use the password generator option to create a strong password.
- Click the Save button.
- Now, go back to the main cPanel page.
- Open File Manager. Make sure Show Hidden Files is selected in the pop-up.
- Navigate to the wp-admin folder.
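- Right-click the .htaccess file, click Code Edit, then click Edit in the pop-up.
- Now add the following code at the bottom of the file wp-admin/.htaccess:

```apache
# Return a plain message for authentication and permission errors
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
# Require a valid user from the password file created by Directory Privacy
# (/home/example stands for your cPanel account's home directory)
AuthType Basic
AuthName "Protected"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
```
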
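- Now click the Save Changes button at the top.
The ErrorDocument lines tell Apache to answer 401 and 403 errors with a plain "Denied" message instead of handing them to WordPress, so that WordPress works correctly with this additional password protection.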
This password protects your entire wp-admin directory. The login page can still be reached directly through the wp-login.php file, so to password protect it as well, add the following code to the root .htaccess file.

```apache
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
# Apply the same Basic auth prompt to the login page
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Protected"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
```

If your theme or a plugin relies on the admin-ajax.php file to work, add the following code to the .htaccess file in the wp-admin directory.

```apache
# Allow plugin/theme access to admin-ajax.php
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
```

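A small linter for the directives above, as an added example that is not part of the original guide: it checks that a scope carries all four Basic auth directives and that the AuthUserFile sits outside the web root, where it cannot be downloaded. The web root /home/example/public_html and the function names are assumptions made for illustration.

```python
import re
REQUIRED = ("authtype", "authname", "authuserfile", "require")

def parse_scopes(text):
    """Group directives by scope: "" is top level, otherwise the <Files>/<FilesMatch> argument."""
    scopes, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Files(?:Match)?\s+"?([^">]+)"?\s*>$', line, re.I)
        if opened:
            current = opened.group(1)
            scopes.setdefault(current, {})
        elif re.match(r"</Files(?:Match)?>$", line, re.I):
            current = ""
        else:
            name, _, value = line.partition(" ")
            scopes[current].setdefault(name.lower(), []).append(value.strip().strip('"'))
    return scopes

def audit_basic_auth(text, docroot, scope=""):
    """Return the problems found in one scope's Basic auth directives (empty list = OK)."""
    d = parse_scopes(text).get(scope)
    if d is None:
        return ["no block for " + scope]
    problems = ["missing " + k for k in REQUIRED if k not in d]
    if "require" in d and "valid-user" not in [v.lower() for v in d["require"]]:
        problems.append("no 'require valid-user'")
    for path in d.get("authuserfile", []):
        # Assumption: docroot is the site's web root, e.g. /home/example/public_html
        if path.startswith(docroot.rstrip("/") + "/"):
            problems.append("AuthUserFile is inside the web root")
    return problems

# Constructed sample: the wp-admin/.htaccess from this guide, one directive per line.
GOOD = '''ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
AuthType Basic
AuthName "Protected"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
<Files admin-ajax.php>
Satisfy any
</Files>'''
# Constructed broken variant: password file under the web root, no require line.
BAD = 'AuthType Basic\nAuthName "Protected"\nAuthUserFile "/home/example/public_html/wp-admin/passwd"'
for sample in (GOOD, BAD):
    print(audit_basic_auth(sample, "/home/example/public_html"))
```
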
You are now all set with an additional layer of security for your blog. When someone tries to log in to or access the dashboard of your WordPress site/blog, he/she will get an authentication required error.
Was this tutorial helpful for you? Let me know in the comments section below if you faced any issues.