htaccess Password Protection for wp-login.php (The Final Solution)

Everything related to password protecting the WordPress admin folder is discussed here, including the right way to do it. We have seen folks protecting the admin folder while their wp-login.php is still exposed. You also have to bypass this protection for admin-ajax.php, which premium themes and WooCommerce sites depend on. This is probably the only guide you will ever need.

We all know that ‘.htaccess’ is the per-directory configuration file the web server reads for the site. It is the connecting file between the web server and the website. Every request to a folder on the website has to pass through the htaccess rules. If a rule denies the request, that request will never be served.

Password Protecting Admin directory has benefits as well as problems which we will discuss altogether. We will also try to figure out a solution for you. Let us know in the comments if you face any problems.

You can only have a single htaccess file in a single folder. If there are subfolders, you can add a sub-htaccess file in the respective folder. htaccess applies only to the folder in which it is present.

Before we start, just confirm that wp-admin / wp-login.php is accessible to the public and is not blocked by any other Plugins or Firewall. Now let’s continue.

Set default .htaccess

We need WordPress .htaccess as its default. If you have manually added any lines, just comment them with ‘#’ at the beginning of the line or, just delete them after having a copy downloaded to your computer. If your ‘.htaccess’ file is not in its default, follow the below steps to set it to default.

Log in to your hosting account’s File Manager. Find the .htaccess file in the root directory, i.e. the public_html folder. Download a copy of it to your PC. Once downloaded, delete it.

Let’s generate a new ‘.htaccess’ file now by logging in to the WordPress dashboard. Once in the dashboard, go to Settings, select Permalinks, and click Save. This will generate the default WordPress .htaccess file. Verify it in the ‘public_html’ folder. You should see the new .htaccess file.

Adding Rules to .htaccess

Add the below lines to the .htaccess file after the default WordPress lines end. Never delete the default lines generated by WordPress. If you do so, your security will be compromised.

# Password-protect wp-login.php with HTTP Basic Auth
<Files wp-login.php>
AuthUserFile /path/to/.htpasswd
AuthName "Admins Only"
AuthType Basic
require valid-user
</Files>

In our case, it looks like this. You have to link to the correct .htpasswd path (we will do that in the next step). This varies from host to host. For any issues, contact your host. They will definitely help 🙂

# Password-protect wp-login.php with HTTP Basic Auth
<Files wp-login.php>
AuthUserFile /home/ourhostid/domains/wpclimax.info/public_html/.htpasswd
AuthName "Admins Only"
AuthType Basic
require valid-user
</Files>

Now if you log in to your WordPress site in a guest window, it will prompt you to enter a username and password. Since no username and password have been generated yet, you will not be able to log in. So let us now generate the .htpasswd file, which will contain your credentials.

Htaccess Lock for wp-login.php

Visit this tool to generate the .htpasswd entry (link to a third-party website): web2generators

Enter the username and password you wish to use for your site. For security reasons, never make them the same as your WordPress credentials. Once done, copy the content generated on their website to your clipboard.

Create a file named ‘.htpasswd’ in your ‘public_html’ folder ONLY.

Once the file is created, paste in the credentials you generated on the web2generators website and save it. Make sure that the path to the .htpasswd file is correctly set in .htaccess, otherwise you will not be able to log in.

That’s it. Now when you enter your site’s login URL, it will of course ask you for a username and password. Enter the same details you used on the web2generators website.

It is very important to add the lines below after the ones you just added. These lines block web access to the .htaccess file and the .htpasswd file you just created. Password-cracking tools can recover passwords from a .htpasswd file offline if they ever get hold of it.

# Deny web access to all .ht* files (.htaccess, .htpasswd)
# On Apache 2.4 without mod_access_compat, replace the three lines inside with: Require all denied
<Files ~ "^\.[Hh][Tt]">
order allow,deny
deny from all
satisfy all
</Files>

Voila! You have now successfully password-locked wp-login.php the right way. Now, let’s see what the wrong way is!

The Wrong Way

I have seen folks password-locking the wp-admin folder using the htaccess lines below.

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/ourhostid/domains/wpclimax.info/public_html/wp-admin/.htpasswd
Require valid-user

For this to work, you have to place this code in a new .htaccess file created inside the wp-admin folder itself.

With the code above, you are protecting only the wp-admin directory, not wp-login.php. If you ever did this, correct it with the method above. Just so you know, if the ‘wp-admin’ folder is password-protected, you will be prompted for the htaccess credentials when you log in. Hmm. OK.

Wait! Did you try logging in to your website with /wp-login.php instead of /wp-admin?

Oops!! You are on the WordPress login page! See how your wp-login.php is exposed?

Some folks still don’t understand that /wp-admin and /admin will always redirect to /wp-login.php. If you know someone who follows this method, kindly share this article with them.

General Info

If you lock your wp-admin folder, admin-ajax.php will stop working. You have to bypass the lock for that file with another rule to make it work, which adds some extra lines of code.

There is no benefit in password-locking the wp-admin folder. This folder holds the core files that make the whole WordPress site run. Do not restrict its files and hamper its functions.

WordPress is already secure in itself.

When you add lines of code to your htaccess file, the file grows. Every request to your site has to pass through the htaccess file, which will make your site load slower.

When there are multiple htaccess files, each request has to pass through multiple htaccess checks. This makes your site even slower.

Protecting wp-login.php alone is simply not the final solution. You also have to block access to xmlrpc.php. For more details, read our article on 4 Ways to Disable xmlrpc.php in WordPress.

Hackers simply shift their brute-force scripts to XML-RPC if the login page is blocked.

Huge Problem

When you add a password lock to wp-login.php, you simply cannot log out. Does that make any sense? What if you want to access another user’s account?

If only a few people work on your site, that’s fine. Just inform them that they can’t log out and just need to close the browser to exit. But what if you run e-commerce sites? Membership sites? Do you tell your customers the same thing? Of course not!

Hence, in my opinion (I respect your opinion too, but I am more concerned about WP speed and security), password protecting the admin folder or /wp-login.php through ‘.htaccess’ is not the right way to secure a WordPress website against brute force.

Instead, install a domain-level firewall with all the protection rules you need. Please read our article on Protecting wp-login.php using Cloudflare Firewall for Free!

Please note that our product recommendations are unbiased and targeted to be user-friendly. If you have any recommendations that aren't listed on our site, please feel free to contact us. We would be happy to review them.
