I had just mentioned how popular WordPress has gotten – coming close to a 50% market share among all CMS platforms – and I figured this would be a great time to write a quick tutorial on password protecting your WordPress admin login page. Now I want to mention that this will not prevent hacker attacks, nor prevent someone from gaining unauthorized access to your WordPress website because, quiet frankly, there are way too many ways for someone to do that – and we’re only talking about one of them here. This will however create a more secure admin login for your WordPress site by having double authentication.
Now there’s several ways to go ahead and do this depending on the hosting setup you have. If you’re on a hosting provider running cPanel than you’re in luck because you can accomplish this entire process without ever opening any code editor. Simply login to your cPanel and look for the Directory Privacy icon (Password Protect Directories on older cPanel versions).
Now this will give you a pop-up asking what set of folders you want to browse into. This initial lightbox does NOT select what directory you’re password protecting. Generally selecting your Web Root will be fine. You will now be brought to a page with a list of your directories. Clicking on the actual folder icon will browse into that folder; while clicking on the folder name will select that folder to be password protected. Navigate over to your wp-admin folder.
Selecting the folder will give you a set of options, one of the first one being to password protect this directory. Go ahead and enable that checkbox, select a username and password and you’re done!
The next time you try to access your /wp-admin/ folder you’ll be shown a login prompt where you will need to use the pre-selected username and password to login. Then you login again with your actual WordPress credentials. Bam – extra security through double authentication. If you don’t have cPanel – continue reading to see how to manually password protect your wp-admin directory. Otherwise proceed to the end of this post to ensure that you don’t break any themes or plugins by ensuring access to the admin-ajax.php file.
Now, if you don’t have access to cPanel don’t fret. You can still password protect your wp-admin directory you just need to do a bit more hands-on work. First off head on over to our HTACCESS Generator and choose the Basic Authentication option on the left side. Enter your desired username and password into the generator and click the middle CREATE button.
This will generate a line of text inside the .htpasswd field. Create a new file called .htpasswd and copy paste the generated text into there. Save this file somewhere on your server – ideally in a non web-accessible place. Now input the path to the newly created .htpasswd file into Step 2 on the generator and you’ll end up with code similar to the following:
deny from all AuthUserFile /home/foo/bar/ AuthGroupFile /dev/null AuthName "Please enter your ID and password" AuthType Basic require valid-user order deny,allow
Add this to the .htaccess file inside your WordPress root directory and you’re done!
All that’s left now is to ensure we haven’t broken any theme or plugin functionality be ensuring that any frontend functions that require the use of admin-ajax.php will continue to work flawlessly. Since this file is located inside the wp-admin folder we need to tell the server to allow access to that file. We can accomplish this with the following code:
Order allow,deny Allow from all Satisfy any