How to Password Protect WordPress Admin Directory?

Posted on the 11 February 2022 by Nirmalkumar1997

Ready to take your WordPress blog’s security to the next level?

Recently, we showed you how to change the WordPress login URL to a custom one, which helps deny access to unauthorized users. In that article, we also said you could protect the wp-admin directory with a username and password.

It adds a second login in front of your blog’s admin area.

And guess what… This post will show you how to password protect the WordPress admin directory and make your blog more secure. Here, we have a step-by-step guide for all beginners!

Why Password Protection Is a Good Idea?

Our previous article says that WordPress (self-hosted) is the best CMS for creating blogs and websites. Right now, more than 75 million WordPress installations are active! Unfortunately, because of that, hackers will try to gain access to your blog through a core vulnerability or an outdated plugin.

A beginner starting a blog will probably not think about the security of the website. However, by password protecting the wp-admin directory, we can prevent unauthorized access to our admin page and brute-force attacks against it.

Many famous blogs and websites already protect their admin pages using this method!

Do We Need to Use Any WordPress Plugins?

Absolutely not.

A few WordPress security plugins are available, like Sucuri Security, Wordfence, etc., which will improve our overall WordPress security. However, we won’t be using any of them here.

That said, you could also consider a security plugin on your blog as a backup option. Personally, we would use and recommend Sucuri.

How to Password Protect WordPress Admin Section?

So, let’s begin.

You need to edit some of your files. For that, you need cPanel access or an FTP account and a client like FileZilla. In our case, we always use the cPanel file manager to access and edit the website files.

Just log in to the cPanel and find the file manager.

Open the file manager to see all the website’s files.

From the cPanel’s settings, enable the display of hidden files.

Now, it will show you all the hidden files (files whose names start with a period).

Create a new file and name it. You could call it anything. In this case, we are going to name it .orhubpw. You must put the period (.) before the file’s name.

Now, edit the file.

You will land in the editor. This is where we add and remove the file’s contents.

Great. Let’s move to the next step.

Creating Htpassword

To create an Htpassword, go to this website.

Enter your

  • Username,
  • Password

there and create a new Htpassword file.

On the next page, you will see the encrypted (hashed) password.

Copy the complete text from there and paste it into your .orhubpw file. Also, don’t forget to save the file.

Right. The next thing we need to do is create a .htaccess file in the home directory, not in the public_html folder: just where we are right now.

You could create the .htaccess file just like we made the .orhubpw file.

Now, edit the .htaccess file.

Copy the code from below.

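# Messages shown when the password prompt is cancelled or access is denied
ErrorDocument 401 "Sorry. Unauthorized Access. You are not allowed to access /wp-admin/ page."
ErrorDocument 403 "Forbidden"
# Ask for a username and password before serving the WordPress login script
<FilesMatch "^wp-login\.php$">
AuthName "Authorized Only"
AuthType Basic
# Absolute path to the password file created earlier
AuthUserFile /home/username/.orhubpw
Require valid-user
</FilesMatch>

You need to paste the code into your newly created .htaccess file. Before saving it, we need to make some changes.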

  • Edit the cPanel username.
  • Edit the .htpassword file name.

Let’s say that your cPanel username is Chris and the htpassword file name is chrispw. The line would then read AuthUserFile /home/Chris/chrispw. Change it to match your own location and username.

Once you save the file, you are done!
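The check below is an added example, not part of the original post: it reads the .htaccess from this page together with a password file and reports a password file placed inside the web root, a missing Require line, and entries that are malformed or use a weak hash format. The function name audit, the web root /home/username/public_html and the password-file lines are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Hash prefixes written by Apache's htpasswd tool: (prefix, label, acceptable?)
# apr1 is htpasswd's long-time default; bcrypt is the stronger choice.
SCHEMES = [("$2y$", "bcrypt", True),
           ("$apr1$", "apr1 (salted MD5)", True),
           ("{SHA}", "unsalted SHA-1", False)]

def audit(htaccess, htpasswd, docroot):
    """Return a list of findings; an empty list means the basic checks pass."""
    m = re.search(r'^\s*AuthUserFile\s+"?([^\s"]+)', htaccess, re.M | re.I)
    if not m:
        return ["no AuthUserFile directive found"]
    findings = []
    pw_path = PurePosixPath(m.group(1))
    # A password file under the web root can be fetched like any other file.
    if PurePosixPath(docroot) in pw_path.parents:
        findings.append(f"{pw_path} is inside the web root {docroot}")
    if not re.search(r"^\s*Require\s+valid-user\b", htaccess, re.M | re.I):
        findings.append("no 'Require valid-user' line, so no login is enforced")
    for n, line in enumerate(htpasswd.splitlines(), 1):
        if not line.strip():
            continue
        user, sep, secret = line.partition(":")
        if not (sep and user and secret):
            findings.append(f"password file line {n}: not in user:hash form")
            continue
        label, ok = next(((l, o) for p, l, o in SCHEMES if secret.startswith(p)),
                         ("crypt or plain text", False))
        if not ok:
            findings.append(f"password file line {n}: {user} uses {label}")
    return findings

# The page's .htaccess, plus CONSTRUCTED password-file lines (not real hashes).
PAGE_HTACCESS = '''<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.orhubpw
require valid-user
</FilesMatch>'''
GOOD_PW = "editor:$2y$05$CONSTRUCTEDxHASHxVALUExFORxILLUSTRATIONxONLYx000000000"
WEAK_PW = "editor:{SHA}Q09OU1RSVUNURUQtSEFTSA==\nbroken-line-without-colon"

if __name__ == "__main__":
    docroot = "/home/username/public_html"  # assumed cPanel web root
    print(audit(PAGE_HTACCESS, GOOD_PW, docroot))  # layout from this page
    moved = PAGE_HTACCESS.replace("/home/username/", docroot + "/")
    for finding in audit(moved, WEAK_PW, docroot):
        print("-", finding)
```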

So whenever someone tries to access your blog’s admin area, they will probably see a username and password box.

They won’t see the login page if they don’t have the correct username and password. If they click on the cancel button, they will be shown the error message.

Cool, isn’t it?

Troubleshooting

You will not see an authentication box when you are already logged in to the blog. To test it, you could try the admin URL in an incognito window.

If you really care about your WordPress blog’s security, you may want to consider something like this. This will take only 5 minutes to set up. However, hiring an expert to fix a hacked WordPress blog will cost $250/hour.

This basic security feature will protect your blog from small attacks!

That’s it! This is how you can password protect the WordPress admin directory. If you run into any issues, you can leave a comment below or contact us.