Password Protect Admin Directory in WordPress

How to Password Protect Your WP-Admin Directory

The admin directory in WordPress contains a lot of important information like the login page or your site’s plugin management, which is why many websites choose to password-protect it to increase site security.

You may think the directory is already password protected because you need a password to access the cPanel, but that’s not true. Many websites have multiple users accessing the cPanel, so any of them can tamper with these files.

As such, many site owners choose to limit access to these files to necessary personnel, or exclusively to themselves by password-protecting them. Essentially, if you don’t have the password, you cannot access these files.

Today, I will demonstrate how you can password-protect the admin directory for WordPress.

Why Password Protect the Admin Directory?

The admin directory contains critical files that allow your website to function. If these files were to be accessed by a malicious actor, it could easily disrupt or make your site inaccessible. As such, protecting it is critical for success.

Unfortunately, as the most popular CMS in the world, WordPress has a big target on its back.

As such, sites that use it are the target of cyber-attacks. At its core, WordPress has no vulnerabilities if it is properly updated, but hackers still find a way in. Password-protecting the directory is a great way to slow them down when they do get inside.

All this entails is that once a user gets inside the cPanel to access these files, they must input a password to gain access. It’s no different than when you log into your account to access the backend of WordPress.

Failure to do this makes it easier for malicious actors to disrupt your site and cause massive damage to the business.

With that said, skilled hackers can get around this once they are inside. As such, it is not a foolproof strategy, and you should have other safeguards in place to keep your data secure.

How to Password Protect Your Admin Directory

Protecting the admin directory for WordPress with a password is actually really straightforward. Anyone can do it and it only takes a few minutes. To do this, you will just need access to your website’s cPanel.

This information is provided to you when you sign up for a web hosting account. Contact your web host if you have trouble accessing the cPanel. Let’s get right into it.

Step 1: Locate the Directory Privacy Options

The cPanel provides a dedicated area for password-protecting directories for your site. To locate it, log into your cPanel and locate the Files section. Once there, click on the Directory Privacy option.

Step 2: Choose the Directory to Protect

When entering this area, you will see a full list of every directory from your website. On the right side of each directory, there are two columns. The first tells you if the directory is currently password-protected.

The second is an “Edit” button that will allow you to password-protect that directory. In this case, we want to protect the wp-admin directory with a password for access. Thus, the first thing we need to do is locate this directory. Click on the public_html folder.

Inside this directory, all of your WordPress content is stored. You can tell it is WordPress by the “wp-” prefix on the file names. Locate the wp-admin folder and click on the “Edit” button next to it.

Step 3: Password Protect WordPress

The next page is where you can enable password protection for the directory and create the password. First, you need to check the “Password protect this directory” box to enable it.

When you check the box, you will now be able to enter a name for the password-protected directory. By default, it will just be “Protected ‘public_html/wp-admin'” and you can leave it like that or edit it. Click on the “Save” button to continue.

This will enable the password protection for the directory. Click on the “Go Back” option and you will see a new section titled “Create User” that you can now fill out. This is the user that can access the files.

Enter a name and then the password that will be used. Be sure to use a strong password. The Password Generator will generate one for you if you are having trouble. Click on the “Save” button to finish.

And that’s it. You have just learned to password-protect your WordPress site. As you can see the process is quite easy to go through and ultimately, anyone can do it. You can also use these steps to password-protect other directories if you desire.

What About Coding This Feature?

It is entirely possible to code in password protection using the .htaccess file; however, I wouldn’t recommend this for beginners.

This process not only requires you to add code to the .htaccess file but to also generate a .htpasswd file that stores this data. Naturally, it is easy to mess this up, which could inadvertently lock you out of the wp-admin directory.

If you do choose to go with the coding method, I highly recommend creating a backup of your site. This will ensure that if you do make a mistake, you can simply restore your site using the backup and try again.

With all of this said, the actual code is quite simple, and anyone with a basic understanding of coding should have very little trouble doing so. For those interested, the code you need to add to the .htaccess file is:

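# Text shown in the browser's login prompt
AuthName "Admins Only"
# Absolute path to the password file (replace with your own path)
AuthUserFile /home/user/public_html/yourdomain.com/wp-admin/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
# Only this user from the .htpasswd file is allowed in
Require user ausername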

You would then just need to generate a .htpasswd file, but luckily, there are several tools available online that can do this for you. For example, this tool will just ask you to enter a username and password and generate the file for you.

Then you just need to add this to your directory and you’re done. You can edit this file at any time to change the password. If you wish to remove this, simply remove the code you added to the .htaccess file and delete the .htpasswd file.

Overall, it is not hard, but the method showcased above is easier and less risky.
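
The manual procedure above as a script, added here as an example and not code from the original article: it backs up any existing .htaccess, builds the password file locally with Apache's htpasswd utility instead of an online generator, and refuses to place that file inside the web root (the snippet above keeps it in wp-admin). It assumes Apache 2.4 syntax and that htpasswd is installed; the function names, the paths and the admin-ajax.php exemption are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the article. Paths and user name are placeholders.

# Succeeds only if the password file is NOT below the document root.
outside_docroot() {
    local docroot file
    docroot="${1%/}"; file="$2"
    case "$file" in
        "$docroot"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the password file locally with a bcrypt hash (-B). htpasswd prompts
# for the password; -c creates the file and overwrites an existing one.
create_htpasswd() {
    mkdir -p "$(dirname "$1")" && htpasswd -B -c "$1" "$2"
}

# Back up any existing .htaccess, then append the Basic auth block.
write_auth_block() {
    local ht
    ht="$1/.htaccess"
    if [ -f "$ht" ]; then cp -p "$ht" "$ht.bak"; fi
    cat >> "$ht" <<EOF
AuthName "Admins Only"
AuthType Basic
AuthUserFile $2
Require user $3

# Assumption: front-end plugins call admin-ajax.php, so leave it open.
<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
}

# protect_wp_admin <docroot> <password file> <user>
protect_wp_admin() {
    if ! outside_docroot "$1" "$2"; then
        echo "refusing: $2 is inside $1" >&2
        return 1
    fi
    create_htpasswd "$2" "$3" && write_auth_block "$1/wp-admin" "$2" "$3"
}

# Example call (placeholders):
# protect_wp_admin /home/user/public_html /home/user/.htpasswds/wp-admin ausername
```

If the login prompt locks you out, restoring .htaccess.bak over .htaccess in wp-admin undoes the change.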

FAQ

Can I remove the password protection?

Yes. Simply go back to the Directory Privacy section and locate the directory you password-protected. Edit it and uncheck the password protect box, and the directory will no longer require a password.

Is password-protecting the admin directory enough?

No. This is more of a last line of defense than a starting point. Your goal should be to prevent malicious actors from ever getting into your cPanel to begin with by implementing strong passwords and security tools.

Are there any plugins that can help?

Yes. A good option is the WPS Hide Login plugin. This tool essentially changes the URL of the login area of WordPress. Typically, all breaches stem from someone being able to log into your site, thus hiding the login is a great strategy to prevent this.

Will password-protecting my directory impact anything?

Password-protecting a directory is not foolproof. It is possible that changing the name of the directory or denying certain tools access to these files can break something. It completely depends on how your website is structured.

How many people should have access to the admin directory?

There is no set number. Instead, access should be limited to the necessary staff that need access to these files, which is usually quite small. Like most things in WordPress, only give users access to what they absolutely need.

Keep Your Website Protected

Unfortunately, the internet is not a nice place. Every day, 30,000 websites are hacked with nearly half of them belonging to small businesses. As such, you need to take the proper precautions to protect your data and the data of your customers.

There are several ways to improve the security of your WordPress install and you should do them immediately. The moment your website gets hacked, it is too late to prevent damage from being done to your website, or even worse, your customer base.

It is nearly impossible to recover the trust of your customers if they have been impacted by a security breach on your end.

As such, you need to do everything within your power to keep your site protected, and learning to password-protect the admin directory is a great starting point.

Did you password-protect any other directories in WordPress? How easy did you find this process?

2 thoughts on “How to Password Protect Your WP-Admin Directory”

  1. Hi guys,

    After the first user enumeration, brute force a security plugin will block that IP address.

    If you password protect the wp-admin directory the plugin can no longer block that IP. As a consequence such IPs will put a load on your server, slowing down website response time (or even taking it down).

    Is that a correct assessment?

  2. Hi,
    I use Chrome, and in Chrome the username and password fields do not appear, but in Firefox it works.
    I have enabled Notifications for my domain name in Chrome site settings.

    Can you help me?
