Protect the WordPress Admin Area with htpasswd

Protect your WordPress admin area against hackers

I received an awesome WordPress security question from Shannelle:

Ashley!

You’ve mentioned that you got to do a login page to access the real login page, and I was wondering, how did you do that? I’m being bothered by so many emails about people trying to access my site. Thanks!

Shannelle

This question is fully answered in the Make WordPress Your Bitch e-course, but I’ll also go over it here on the blog.

I protect my admin area with an “htpasswd” prompt.

Here’s what it looks like:

Htpasswd prompt box

This little box keeps all the asshats out.

If you look at the screenshot, you’ll see that I’m on the login page, right? But before the login page loads, a prompt comes up saying “Authentication Required”.

Before anyone can gain access to the WordPress login form, they first have to pass this second security check. See where I’m going with this?

They have to fill out a different username and password BEFORE they can access the normal login form. That means, in order to gain access to my admin panel, you have to know two different username and password combinations, and automated login attempts never even reach wp-login.php, which is why the “failed login” emails stop. One caveat: this prompt is HTTP Basic authentication, and the browser sends that username and password with every request, only base64-encoded rather than encrypted. It counts as a second lock only when your site is served over HTTPS.

How to set up an htpasswd prompt in cPanel

This tutorial assumes that your host uses cPanel. Most do, but if you’re not sure you can ask your web host.

In my above example, I’ve actually protected the wp-login.php page because that’s what I prefer for my own site. But for the sake of creating a simpler tutorial to follow, we’re actually going to protect the entire /wp-admin/ directory. You’ll notice that the whole admin area has /wp-admin/ in the URL, so we’re basically protecting all those pages. One side effect to know about: wp-admin/admin-ajax.php lives in that directory too, and many themes and plugins call it from public pages, so visitors may get the prompt on the front end of the site. If that happens, admin-ajax.php needs to be exempted from the protection (your host can add that exception for you).

Because of this difference, the process will actually be reversed for you.

  1. First they get the WordPress login.
  2. After SUCCESSFULLY getting through that, they THEN get the htpasswd box.
  3. They cannot access the admin area until getting through the htpasswd prompt.

I prefer my method where the htpasswd box comes first and WordPress login comes second, but that involves protecting a file. If I’m being honest, I have no idea how to do a tutorial for that in cPanel. My site doesn’t use cPanel (I have a dedicated server and do everything through command prompt).

So in order to provide a tutorial that most people can follow (using cPanel) I have to use a different method.

But ultimately we’re offering the same protection—it’s just happening in a different order.

Also, a quick disclaimer: this is a slightly “advanced” tutorial. By that I mean, setting it up incorrectly could affect your site’s accessibility. You’re not running the risk of DELETING anything, but you could lock yourself (and your visitors) out if you pick the wrong directory. Just be careful! If you run into any problems, talk to your web host.

Step #1: Login to cPanel

Login to cPanel with your web host. Scroll down and look for the section called “Security”. Then click the icon named Password Protect Directories.

Password Protect Directories in cPanel

Step #2: Choose the directory

As soon as you click that icon, you’ll get a popup box that looks like this:

Password Protect Directories - directory selection

Select Web Root and click Go.

You will be brought to a new page that lists the directories in your root. You want to choose wp-admin.

Choose the wp-admin directory in the file browser

Step #3: Set your username and password

Finally, you will be brought to this next page:

Set your htpasswd username and password

There are a few things you need to do:

  1. Check the box to “Password protect this directory”.
  2. Enter a name. This can be anything. It’s just a message that appears in the prompt.
  3. Create a new user: set a username and password. This is what you will need to enter in the login prompt each time. Use a different username and password from your WordPress login (otherwise the second lock opens with the same key as the first), and save them in 1Password or LastPass so you don’t forget them!

Save all your changes once you’ve filled them out.

Step #4: Test it!

Once you’re done, the protection should be in place. Visit http://yoursite.com/wp-admin to confirm. The prompt should come up (if you’re already logged in to WordPress you’ll see it straight away; otherwise you’ll see it right after the WordPress login). Check a public page too: if the prompt appears there as well, either the wrong directory was protected or a theme or plugin is calling admin-ajax.php on the front end. To undo the change while you sort that out, go back to the same cPanel screen and uncheck “Password protect this directory”. Now you’ve got an extra layer of protection. GO YOU!

Looking for more security advice and WordPress tips?

This lesson is from the free Make WordPress Your Bitch e-course. Sign up for more free goodies like this one!


What kind of security do YOU have in place for your blog?

I'm a 27 year old California girl living in England (I fell in love with a Brit!). I like to inject a little #girlpower into the WordPress development community by teaching women how to be coding badasses.




18 comments

  1. Wow Ashley… I wish I had your brain.. not that I’m a zombie or anything, LOL I have had so many attempts by hackers to get my site.. I did install a different plugin, so if that doesn’t work, I’ll 100% be doing your method.. What losers they are.. don’t they have something else to do with their time, like be NICE people? GEEEZ!

  2. Excellent!! Just what I needed, because I really hate having people just go directly to login page like that. I know there are plugins we can use to hide WordPress and such, but it usually changes stuff way too much and I can’t deal lol. But this is simple enough to just push the spammers away.
    (p.s. I don’t know why my email was misspelt in the last comments on your site, so disregard the above comment from Me lol)

    1. Yeah I don’t really think you need to go through a whole thing of hiding WordPress from people. Just a few simple things will protect your site in a fantastic way. 🙂

      1. Hey Ashley! Question for ya, so I did the tut and it does totally work. Only thing is I’m seeing where the bypass/login thingy shows up on like every page I visit. Any ideas why it’s doing that? I set it specifically for the wp-admin folder of my site, but not sure why it shows up when I visit a post, etc. Any ideas how to fix that?

        Also, if we wanted to remove this hack, what’s the best way to do so?

        1. I think you might have to talk to your web host about what might have gone wrong. It sounds like the wrong directory might have been selected somehow and they’d be in the best position to look into that!

          They should also be able to walk you through how to remove it.

          I wish I could help but I actually don’t use cPanel myself so there’s only so much I know about the process (for instance, I know how to add htpasswd but not sure what the steps are to remove it through cPanel). I go through a totally different process when I set it up on my own site!

          1. Don’t worry. I got it removed. Turns out simply unchecking the password protect this directory box and saving yet again removed it. I’ll talk with my host and find out why it was causing it to show on all pages of the site on the front end. Totally weird. I hope I can use this neat trick because the spammers love to try to hack or at least try to access into my site.

  3. Hey Ashley, this tutorial seems interesting and I want to do it but I have a question first, is it normal to be asked to enter my password every time that I need to access my WP admin dashboard? Is there a way to be logged in always, as in Google or any social media account? If not, does that mean that I’ll have to enter 2 passwords after I implement this tutorial? Thanks in advance!

    1. Hi Maira,

      Most browsers have an option to remember passwords so you won’t be prompted every time. 🙂

      As for the WordPress login – that uses cookies. So if you’re being logged out every time, your cookies might be getting deleted, or you’re not checking the “remember me” box when you log in.

      1. Thanks for your reply Ashley, actually my cookies are enabled, and the “remember me” box is checked, sometimes the password is there so I just click to access, but most times I have to type it. All my passwords are saved in Chrome and Firefox and yet I always have to log in only in WP, the rest of the websites work ok. Anyway, I will ask for help in the WP forum and then I’ll try to implement this. Thanks for your time.

    1. That might be something you’ll have to talk to your web host about. It’s possible you selected the wrong directory or something is more generally not set up correctly on your account. Your host will be in the best position to look into that for you. 🙂
