
How to Password Protect Your WP-Admin Directory

Do you want to add an extra layer of protection to your wp-admin directory? Password protecting the wp-admin directory is very common. You may think it is already safe because it requires a password to access it, but it is also very common for multiple people to have access to the cPanel, where the directory is stored.

The cPanel is essential to performing maintenance and customizing themes and plugins. Staff members who are in charge of these sections will need access to the cPanel at one point or another. Once they do have access, there is nothing stopping them from accessing the wp-admin directory. Today, I will demonstrate how to password protect your WordPress admin directory.

Why Password Protect the WP-Admin Directory

WordPress security is one of the most important topics you need to consider and implement on your website. Many larger websites get targeted by cyberattacks on a daily basis and, unfortunately, sometimes the security is not enough. Adding multiple layers of authentication can help guard your information, let you know that an attack is in progress, and possibly slow down the attackers.

Adding passwords does not just help prevent cyberattacks; it also prevents employees with access to your cPanel from accessing something they shouldn’t. You may want to set up passwords on other important directories, or even on everything to be careful, but that is a bit overkill. There should always be a level of trust among staff members, but cPanel is extremely important to running a website and stores a lot of important data for you and your visitors.

How to Password Protect Your WP-Admin Directory

The cPanel has many built-in safeguards, such as password-protected directories, but they are not activated by default. They are extremely easy to set up and should not take longer than five minutes. You will need access to the cPanel for your website, which is provided by your web host when you create an account.

Log into your cPanel and look in the Files section. Click on the Directory Privacy option. This is where you can password protect any directory on your cPanel.


You will see a list of directories. Click on the folder icon next to the public_html directory. If you click on the public_html name instead, you will be prompted to create a password for that directory.


Inside this directory all of your WordPress content is stored. You can tell it is WordPress by the “wp-” prefix on the file names. Click on the wp-admin name to begin setting a password for the directory. If you click on the folder you will enter the folder instead of setting a password.


Check the box that asks you to password protect this directory. The first text box will allow you to enter a name for the protected directory. Feel free to keep it named as wp-admin or something like Admins Only, etc. Click on the “Save” button when done.


Your directory is now password protected. If you go back to where you saw the wp-admin folder in the Directory Privacy section, you will notice instead of a folder icon, it has a lock. If you need to give another person access to this directory it is quite easy. Below where you set the name of the folder, you will notice the option to create a new user. Fill out this section and click on the “Save” button to create the user.


Congratulations, your wp-admin folder is password protected. If you would like to do this for other directories, just repeat these steps, but I would recommend only doing root WordPress directories. It can become quite annoying to sign in to enter every single directory.

Troubleshooting

Using password protection is not perfect. Many plugins use the Ajax functionality on the front end of their websites. Password protecting the directory will essentially break these plugins because their requests can no longer reach the Ajax handler. If you do not use such plugins, you will not encounter this problem, but if you do, don’t worry: there is a very easy fix. Open the .htaccess file in the wp-admin folder and insert the following lines to prevent this error from occurring:


# Let front-end requests reach admin-ajax.php without the directory password
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Another problem that could occur is a 404 error or a “Too many redirects” error. These errors are also solved by placing a line of code in the .htaccess file. Insert the following line if you encounter them:

 ErrorDocument 401 default
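
The following Python script is an added example, not part of the original article. It lints a wp-admin .htaccess for the points in this section: Basic auth is in place, admin-ajax.php is exempted, the 401 error document is set, and the Order value contains no space. The sample file, its paths and the docroot default are constructed placeholders.

```python
import re

# Constructed sample: wp-admin/.htaccess with Basic auth directives plus the two
# troubleshooting snippets from this page. Paths are placeholders.
SAMPLE = """\
AuthType Basic
AuthName "wp-admin"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
Require valid-user
ErrorDocument 401 default
<Files admin-ajax.php>
Order allow, deny
Allow from all
Satisfy any
</Files>
"""

def lint_htaccess(text, docroot="/home/example/public_html"):
    """Return findings for a Basic-auth protected wp-admin .htaccess (docroot is assumed)."""
    findings, scope, seen = [], None, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Files\s+"?([^">]+)"?\s*>$', line, re.I)
        if m or line.lower() == "</files>":
            scope = m.group(1).lower() if m else None
            continue
        name, _, args = line.partition(" ")
        seen.setdefault((scope, name.lower()), args.strip())
        # Order takes exactly one argument, so "allow, deny" is a syntax error
        if name.lower() == "order" and len(args.split()) != 1:
            findings.append(f"line {n}: write Order's value without a space (allow,deny)")
    top = lambda d: seen.get((None, d), "")
    ajax = lambda d: seen.get(("admin-ajax.php", d), "").lower()
    if top("authtype").lower() != "basic" or "valid-user" not in top("require"):
        findings.append("directory is not protected by Basic auth with Require valid-user")
    if top("authuserfile").strip('"').startswith(docroot.rstrip("/") + "/"):
        findings.append("AuthUserFile is inside the web root and could be fetched over HTTP")
    # Apache 2.2 style is 'Satisfy any'; the 2.4 form is 'Require all granted'
    if ajax("satisfy") != "any" and ajax("require") != "all granted":
        findings.append("admin-ajax.php is not exempted; front-end Ajax requests get 401")
    if not top("errordocument").startswith("401"):
        findings.append("no 'ErrorDocument 401 default' (the page's fix for 404/redirect errors)")
    return findings

if __name__ == "__main__":
    for finding in lint_htaccess(SAMPLE):
        print(finding)
```
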

Keep Your Website Protected

The Internet is an amazing place, but it is not well protected. It falls on the web developers to guard their website against incoming threats. There are many great security plugins like WordFence that help guard against cyber attacks. Sometimes the threat is not always that far away. It’s not a pleasant thought, but sometimes employees are not looking out for the benefit of the website. This will also keep employees from stealing or damaging sensitive information found in the wp-admin directory.

Keep in mind that if the worst should happen and your website is taken out of commission, using a backup is a surefire way to restore your website. However, your employees will still have all of your information and passwords, so make sure to take the necessary actions.

Why have you chosen to password protect your wp-admin directory? Have you encountered any errors after setting up the password system?

Author: Ron Helms

I currently work for GreenGeeks as a Support Technician. My primary roles are supporting our VPS and Dedicated server clients, as well as performing site migrations. With experience in the web hosting industry since 2009, there is rarely a question I can’t help answer. In my spare time, I enjoy gaming and working on cars as an automotive enthusiast.


Comments

  1. Hi guys,

    After the first user enumeration, brute force a security plugin will block that IP address.

    If you password protect the wp-admin directory the plugin can no longer block that IP. As a consequence such IPs will put a load on your server, slowing down website response time (or even taking it down).

    Is that a correct assessment?

  2. Hi,
    I use Chrome, and in Chrome the username and password fields do not appear, but in Firefox it works.
    I have enabled Notifications for my domain name in Chrome site settings.

    Can you help me?
