How to Password Protect WordPress Admin (wp-admin) Directory
Making WordPress secure by password protecting the wp-admin folder is a great way of keeping your WordPress site or blog away from hackers. The question arises: “How to Password Protect WordPress Admin (wp-admin) Directory?” If you use a strong password on the wp-admin login, is that safe enough or not? The answer is yes, it is safe from brute force attempts, but you are relying on a single layer of protection for your website. Let's suppose someone steals your wp-admin password by some trick; he or she can then easily log in and wipe away everything, your tons of articles and content included. Single-factor authentication means that between you and the bad guys there is only one layer of security or protection.

Now suppose you are the admin of your WordPress website and a password reset email has been sent to your email address: can you say how secure your email is? You are picking up your emails from some wifi hotspot; are you sure you are secure? That is why we need to add another layer of security on your (wp-admin) directory, and we are going to add it using your web server's htpasswd technology. You can apply this technique to every CMS, whether it is Magento, Drupal, WordPress, Joomla etc., with some minor tweaks.
The question arises: why is htpasswd better than another PHP-driven single-factor authentication layer?
“htpasswd” basic authentication gives us two great advantages over most other WordPress security plugins.
- It challenges the user before serving the request for the page:
This means no PHP code or SQL query is processed unless the server has authenticated that user. This is useful when your server is under a brute force attack: the Apache server itself rejects every unauthenticated request, which saves a lot of CPU cycles in case your website is under attack.
- The server logs all authentication failures in the error_log file
(/var/log/httpd-error.log or, for cPanel servers, /usr/local/apache/logs/error_log). So if you have a login failure tracker like LFD or BFD, an attacker will only get a few bytes of information before being banned by your server's firewall automatically. A network-level ban is far better than one engineered at the application level.
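As an added illustration of that second advantage (example code written for this article, not part of the original post and not LFD or BFD's own code), here is a small Python tracker that reads Apache error_log lines like the ones described above, both the 2.4 layout with the AH01617/AH01618 auth_basic codes and the older 2.2 layout, counts basic-auth failures per client IP and reports the addresses that cross a threshold. The log lines are constructed samples using RFC 5737 test addresses; the threshold of 3 and the absence of a time window are assumptions made for brevity.

```python
import re
from collections import defaultdict

# Constructed sample error_log lines (Apache 2.4 and 2.2 styles); IPs are RFC 5737 test addresses.
SAMPLE_LOG = """\
[Sat Jun 01 10:00:01.000000 2024] [auth_basic:error] [pid 101] [client 203.0.113.5:51000] AH01617: user admin: authentication failure for "/wp-admin/": Password Mismatch
[Sat Jun 01 10:00:02.000000 2024] [auth_basic:error] [pid 101] [client 203.0.113.5:51001] AH01618: user root not found: /wp-admin/
[Sat Jun 01 10:00:03.000000 2024] [auth_basic:error] [pid 102] [client 203.0.113.5:51002] AH01617: user admin: authentication failure for "/wp-admin/": Password Mismatch
[Sat Jun 01 10:00:04.000000 2024] [auth_basic:error] [pid 102] [client 203.0.113.5:51003] AH01617: user admin: authentication failure for "/wp-admin/": Password Mismatch
[Sat Jun 01 10:00:04 2024] [error] [client 198.51.100.7] user editor: authentication failure for "/wp-admin/": Password Mismatch
[Sat Jun 01 10:00:05.000000 2024] [core:notice] [pid 100] AH00094: Command line: '/usr/sbin/httpd'
"""

# One pattern for both layouts: an IPv4 client field with an optional ":port" (Apache 2.4 adds it),
# an optional AH016xx code, then either "user X not found:" or "user X: authentication failure for".
FAILURE_RE = re.compile(
    r"\[client (?P<ip>[\d.]+)(?::\d+)?\] (?:AH0161[78]: )?"
    r"user (?P<user>\S+)(?: not found:|: authentication failure for) (?P<path>\"?[^\"\s]+\"?)"
)


def parse_auth_failures(log_text):
    """Return one (ip, user, path) tuple per basic-auth failure line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user"), m.group("path").strip('"')))
    return events


def failures_by_ip(events):
    """Count failures per client address; a real tracker would also apply a time window."""
    counts = defaultdict(int)
    for ip, _user, _path in events:
        counts[ip] += 1
    return dict(counts)


def offenders(log_text, threshold=3):
    """Addresses with at least `threshold` failures: candidates for a firewall-level block."""
    counts = failures_by_ip(parse_auth_failures(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in failures_by_ip(parse_auth_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {n} basic-auth failure(s)")
    print("block candidates:", offenders(SAMPLE_LOG))
```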
Some days ago, HostGator suggested that we password protect our wp-admin directory after observing some suspicious activity on our website. Apparently some of the world's most popular websites, like Mashable, are doing the same. In this article, we will show you “How to Password Protect WordPress Admin (wp-admin) Directory”. To keep things easy and simple, we will discuss only cPanel web hosting companies, because cPanel has an easy and user-friendly interface for adding password protected directories.
First, log in to your cPanel and scroll down until you reach the Security section, then click on “Password Protect Directories”.
When you click on that, a page will open asking you for the directory location. Click the web root there, navigate to the folder where your WordPress is hosted, and click on the /wp-admin/ folder; you will find a screen like this.
Here you can check the box to make this directory password protected. That's it, you are done. Now whenever you try to open your wp-admin directory, you will see a user authentication dialogue box.