WordPress websites and blogs are prone to Brute Force attacks and a recommended way to prevent your site against such attacks is to protect your wp-admin folder with a password. Let me explain.
Your WordPress installation directory has three main folders:
- the wp-content folder includes all your themes, plugins, images and other uploaded files.
- the wp-includes folder includes all the PHP functions that actually run WordPress.
- the wp-admin folder is the front-end for WordPress admin, authors and and other members.
Unlike the public HTML pages and images of your WordPresss website, the Admin dashboard area requires a username and password and is thus accessible only to “authorized” users. However, to make your WordPress more secure, you can add an extra layer of security to the wp-admin folder so that even authorized users can’t just get in with their WordPress passwords.
Here’s a step by step guide on how to password protect the wp-admin folder of WordPress. This assumes that you have installed WordPress on a Linux machine with the Apache web server.
Step 1. Log in to your Linux shell and create a new directory that is not accessible from the web. For instance, if your WordPress is installed in
/home/peter/example.com/wordpress, you can create a folder as
/home/peter/admin (you can give any name).
$ mkdir /home/peter/admin
Step 2. Now we need to specify the username and password that will protect the wp-admin folder. This is independent of your Linux shell user name or your WordPress user.
Run the following command and remember to replace username with another name.
$ htpasswd -c /home/peter/admin/passwords username
Step 3. The above command will create a passwords file inside the /home/peter/admin folder. You can run the “cat” command to view the encrypted htaccess password stored in the passwords file. Next we need to tell Linux to use this password to protect the wp-admin folder.
Go to your WordPress admin folder (at
/home/peter/example.com/wordpress/wp-admin/) and create a new
.htaccess file - (either use the vi command or create the .htaccess file on your desktop and upload it to wp-admin folder using FTP).
Also see: Improve WordPress Security with Plugins
Step 4. Paste the following text into your new .htaccess file and replace the folder path in Line #3 with your own actual path. Save the changes.
AuthType Basic AuthName "WordPress Protected Area" AuthUserFile /home/peter/admin/passwords Require valid-user <Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files> <Files "\\.(css|gif|png|js)$"> Order allow,deny Allow from all Satisfy any </Files>
Step 5. Switch to the WordPress root folder (/home/peter/example.com/wordpress), open the .htaccess file for editing and add the following lines outside the #BEGIN WordPress and #END WordPress block.
#Do not display Authorization Error Message #Instead, redirect to the blog home page ErrorDocument 401 /
Save the file and you are done. All users of your WordPress (including you) will now have to enter two passwords to access the WordPress Admin dashboard.
See more Linux Commands for WordPress.