Password protecting the WordPress admin area shields your blog from invalid login attempts and gives it an extra layer of security.
In this article, we will show you a step-by-step guide on how to password protect your WordPress admin (wp-admin) directory. It will protect your WordPress blog from unauthorised wp-admin access and login attempts. So let’s start.
How to protect WordPress wp-admin and wp-login.php from unauthorised login attempts
1. Log in to your cPanel and click on Password Protected Directories under the Security section.
2. Select your document root directory and click Go. On the next screen, click on the wp-admin directory name.
3. Check the box ‘Password protect this directory’. Give the protected directory a name and click Save.
Your wp-admin directory is now password protected. Click the Go Back button on the next screen; this will return you to the previous screen. Now we will create the user for this directory.
4. For this, enter a user name and password and click the ‘Add or Modify the Authorised User’ button. You can use the Password Generator to create a strong password.
Now when you try to access your wp-admin directory, you should see an authentication required box. If you get a redirect loop instead of the authentication box, put the following lines in the .htaccess file just before the “# BEGIN WordPress” tag.
    ErrorDocument 401 default
    ErrorDocument 403 default
5. Now go to File Manager >> wp-admin >> .htaccess. Here we allow access to the admin-ajax.php file, which is necessary for some plugins to work properly. Put the following code in the .htaccess file of the wp-admin folder.
    # Allow plugin access to admin-ajax.php around password protection
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>
6. Copy the following code from the “/public_html/wp-admin/.htaccess” file.
    AuthType Basic
    AuthName "Secure Dir"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
7. Paste it into the “/public_html/.htaccess” file, between the ‘FilesMatch’ tags.
    <FilesMatch "wp-login.php">
        AuthType Basic
        AuthName "Secure Dir"
        AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
        require valid-user
    </FilesMatch>
8. Now click Save Changes and you are done. Try to log in to the WordPress admin dashboard and you will see the authentication box.
Both of your .htaccess files should now look like this:
/public_html/.htaccess
    ErrorDocument 401 default
    ErrorDocument 403 default
    <FilesMatch "wp-login.php">
        AuthType Basic
        AuthName "Secure Dir"
        AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
        require valid-user
    </FilesMatch>
/public_html/wp-admin/.htaccess
    # Allow plugin access to admin-ajax.php around password protection
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>
    AuthType Basic
    AuthName "Secure Dir"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
Your WordPress admin login now has an extra layer of security that prevents unauthorised login attempts. Anyone who tries to log in to your dashboard first has to pass valid authentication. A user who enters invalid credentials will get an Authorisation Required error.
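To confirm that both .htaccess files behave as described, the following check (an added example, not part of the original article) requests the three relevant paths without credentials and reports anything that does not match the intended setup. The site name blog.example, the function names and the sample responses are constructed for illustration.

```python
import urllib.error
import urllib.request

# path -> should an unauthenticated request be met with a Basic auth challenge?
EXPECTED = {
    "/wp-login.php": True,              # <FilesMatch> block in /public_html/.htaccess
    "/wp-admin/": True,                 # directory protection set up in cPanel
    "/wp-admin/admin-ajax.php": False,  # exempted by the <Files> block
}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface a 3xx as-is instead of following it

def http_fetch(url):
    """Unauthenticated GET; returns (status, WWW-Authenticate header value)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate", "")

def check_protection(base_url, fetch=http_fetch):
    """Return a list of findings; an empty list means the setup behaves as intended."""
    base = base_url.rstrip("/")
    findings = []
    if not base.lower().startswith("https://"):
        findings.append("site is not served over HTTPS: Basic auth credentials are only base64-encoded")
    for path, want_auth in EXPECTED.items():
        status, challenge = fetch(base + path)
        demands_basic = status == 401 and challenge.lower().startswith("basic")
        if want_auth and not demands_basic:
            findings.append(f"{path}: expected 401 Basic challenge, got {status}")
        elif not want_auth and status == 401:
            findings.append(f"{path}: still behind the password prompt")
    return findings

# Constructed responses for a hypothetical site, so the check can be tried offline.
SAMPLE = {
    "/wp-login.php": (401, 'Basic realm="Secure Dir"'),
    "/wp-admin/": (302, ""),  # redirected to the login page: directory auth missing
    "/wp-admin/admin-ajax.php": (400, ""),  # WordPress typically answers 400 when no action is sent
}

def sample_fetch(url):
    return SAMPLE[url.split("blog.example", 1)[1]]

if __name__ == "__main__":
    for finding in check_protection("https://blog.example", fetch=sample_fetch):
        print(finding)
```

Against a live site, call check_protection with your own base URL and the default fetch; it sends three GET requests and no credentials.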