Ready to take your WordPress blog’s security to the next level?… Recently, I have shown you how to change the WordPress login URL and make it a custom one. It will help us to deny access to unauthorized users. However, in that article, I have said you could protect the wp-admin directory with a username and password.
It will double the security of your blog.
and guess what… In this post, we are going to show you how you can password protect WordPress admin directory. Also how to make your blog more secure! Here, we have a step by step guide for all beginners!
Why Password Protection Is a Good Idea?
As I told in my previous article, WordPress (self-hosted) is the best CMS for creating blogs and websites. And right now, there are more than 75 million WordPress installations are active! Due to that fact, hackers will try gaining access to your blog through a core vulnerability or via an outdated plugin.
When a beginner starts a blog, probably he will not care about the security of his website. By password protecting the wp-admin directory, we could prevent unauthorized access to our admin page and also brute force attacks.
There are so many popular blogs and websites are already protected their admin page using this method!
Do We Need To Use Any WordPress Plugins?
Absolutely no.
There are a few WordPress security plugins are available like Sucuri Security, Wordfence, etc which will improve our overall WordPress security. For doing this, we don’t want to use any of them.
However, you could also consider a security plugin on your blog as a backup option. Personally, I would use and recommend Sucuri.
How To Password Protect WordPress Admin Section?
So, let’s begin.
You need to edit some of your files. For that, you need cPanel access or an FTP account and a client like FileZilla. In our case, we will always choose cPanel file manager for accessing the website files and for editing.
Just log in to the cPanel and find file manager.
Open the file manager and you could see all the website’s files.
From the cPanel’s settings, enable the hidden files.
Now, it will show you all the hidden files (files which starts with *.*)
Create a new file and name it. You could call it anything. In this case, we are going to name it .orhubpw. You must put the period (.) before the file’s name.
Now, edit the file.
and you will be landed on the editor. This is where we add and remove contents to the file.
great. Let’s move to the next step.
Creating Htpassword
For creating a Htpassword go to this website.
Enter your
- Username,
- Password
there and create a new Htpassword file.
and on the next page, you could see an encrypted password.
Copy the complete text from there and paste it in your .orhubpw file. Also, don’t forget to save the file.
Right. Next thing we need to do is, create a .htaccess file under the home directory. Not in the public_html folder. Just where we are right now.
You could create the .htaccess file just like we created the .orhubpw file.
Now, edit the .htaccess file.
Copy the code from below.
ErrorDocument 401 "Sorry. Unauthorized Access. You are not allowed to access /wp-admin/ page." ErrorDocument 403 "Forbidden" <FilesMatch "wp-login.php"> AuthName "Authorized Only" AuthType Basic AuthUserFile /home/username/.orhubpw require valid-user </FilesMatch>
You need to paste the code in your newly created htaccess file. Before saving it, we need to make some changes.
- Edit the cPanel username.
- Edit the .htpassword file name.
Let’s say that your cPanel’s username is Chris. Also, the htpassword file name is chrispw. The file location would be like AuthUserFile /home/Chris/chrispw. You may want to change it according to your location and username.
Once you saved the file, you are done!
So whenever someone tries to access your blog’s admin area, probably they will see a username and password box.
They won’t be able to see the log in page if they don’t have the right username and password. If they click on the cancel button, they will be redirected to the error message.
Cool, isn’t it?
Troubleshooting
You will not see an authentication box when you are already logged in to the blog. For testing it, you could try the admin URL in an incognito window.
If you really care about your WordPress blog’s security, you may want to consider something like this. This will take only 5 minutes to set up. However, fixing a hacked WordPress blog will cost $250/ hour when you hire an expert.
This basic security feature will protect your blog from small attacks!
That’s it! This is how you can password protect WordPress admin directory. If you got any issues, you could comment down or contact us. We’d be happy to help you! And don’t forget to add this pin to your Pinterest board.
Image Credits: Freepik
For more related posts, probably you need to check out our blog section.
