WordPress is one of the most popular open-source blog CMS and thus is more prone to hack attacks. One of the most important and first step in protecting any WordPress installation is by protecting its wp-admin folder. Before protecting the wp-admin directory it has to be ensured that your admin password is strong enough. Thus, always ensure that your admin password is very safe and secure and keep changing it at regular intervals of time. Now let’s dive into securing our wp-admin directory.
Disclaimer: This method works only on Apache. Adding an extra layer of server side security will always protect your WordPress installation against malicious people who are trying to gain access to your WordPress admin panel. In this article, we will see how can we add an extra layer of http basic authentication using .htaccess on Apache
To password protect your WordPress admin area you have to create an Apache htpasswd file. The .htpasswd file is like a database of usernames and passwords which the web server will use to authenticate users. You can create such file by using an online password file generator or by referring to the How to create an Apache password file htpasswd tutorial.
Once you create an htpasswd file, you also have to create an .htaccess file which should be uploaded to the wp-admin directory of your WordPress installation. If there is no .htaccess file in your website’s wp-admin directory you have to create a new one. If there is already an .htaccess file, make a backup copy and edit the existing one.
Note: Sometimes .htaccess files might not be visible in your FTP client. You need to enable option in your FTP client to show hidden files and folders.
Some operating systems such as Windows do not allow you to create a .htaccess file. In such cases use an advanced text editor to create a new file. Once you create your new file, add the below content to your .htaccess file:
# enable basic authentication AuthType Basic # this text is displayed in the login dialog AuthName "Restricted Area" # The absolute path of the Apache htpasswd file. You should edit this AuthUserFile /path/to/.htpasswd # Allows any user in the .htpasswd file to access the directory require valid-user
Save the file and upload it to your WordPress wp-admin directory. Once it is set up, anyone who tries to access http://[yourdomain.com]/wp-admin/ or try to login to the WordPress dashboard, they have to first authenticate with the Apache web server before accessing the WordPress dashboard login page.
As we have seen above implementing basic authentication to protect your WordPress wp-admin directory is a straight forward process. If after implementing web server authentication you try to access the wp-admin directory and you receive an HTTP 500 Error, Internal Server error, the problem is the password file path specified in the AuthUserFile directive. This path you specify should be the full absolute path from the absolute root of the server.
Some WordPress plugins use Ajax functionality in WordPress. This means that such plugins might need access to the file admin-ajax.php which can is found in the wp-admin directory. To allow anonymous access to such file for the WordPress plugins to function, add the below to the .htaccess file you just created in this tutorial.
<Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files>