Home > Tutorials > Wordpress Tutorials > WordPress Security: Password Protect Your WordPress WP-Admin Directory

WordPress Security: Password Protect Your WordPress WP-Admin Directory

I had just mentioned how popular WordPress has gotten – coming close to a 50% market share among all CMS platforms – and I figured this would be a great time to write a quick tutorial on password protecting your WordPress admin login page. Now I want to mention that this will not prevent hacker attacks, nor prevent someone from gaining unauthorized access to your WordPress website because, quiet frankly, there are way too many ways for someone to do that – and we’re only talking about one of them here. This will however create a more secure admin login for your WordPress site by having double authentication.

Now there’s several ways to go ahead and do this depending on the hosting setup you have. If you’re on a hosting provider running cPanel than you’re in luck because you can accomplish this entire process without ever opening any code editor. Simply login to your cPanel and look for the Directory Privacy icon (Password Protect Directories on older cPanel versions).


Now this will give you a pop-up asking what set of folders you want to browse into. This initial lightbox does NOT select what directory you’re password protecting. Generally selecting your Web Root will be fine. You will now be brought to a page with a list of your directories. Clicking on the actual folder icon will browse into that folder; while clicking on the folder name will select that folder to be password protected. Navigate over to your wp-admin folder.


Selecting the folder will give you a set of options, one of the first one being to password protect this directory. Go ahead and enable that checkbox, select a username and password and you’re done!


The next time you try to access your /wp-admin/ folder you’ll be shown a login prompt where you will need to use the pre-selected username and password to login. Then you login again with your actual WordPress credentials. Bam – extra security through double authentication. If you don’t have cPanel – continue reading to see how to manually password protect your wp-admin directory. Otherwise proceed to the end of this post to ensure that you don’t break any themes or plugins by ensuring access to the admin-ajax.php file.

Now, if you don’t have access to cPanel don’t fret. You can still password protect your wp-admin directory you just need to do a bit more hands-on work. First off head on over to our HTACCESS Generator and choose the Basic Authentication option on the left side. Enter your desired username and password into the generator and click the middle CREATE button.


This will generate a line of text inside the .htpasswd field. Create a new file called .htpasswd and copy paste the generated text into there. Save this file somewhere on your server – ideally in a non web-accessible place. Now input the path to the newly created .htpasswd file into Step 2 on the generator and you’ll end up with code similar to the following:

deny from all
AuthUserFile /home/foo/bar/
AuthGroupFile /dev/null
AuthName "Please enter your ID and password"
AuthType Basic
require valid-user
order deny,allow

Add this to the .htaccess file inside your WordPress root directory and you’re done!

All that’s left now is to ensure we haven’t broken any theme or plugin functionality be ensuring that any frontend functions that require the use of admin-ajax.php will continue to work flawlessly. Since this file is located inside the wp-admin folder we need to tell the server to allow access to that file. We can accomplish this with the following code:

Order allow,deny
Allow from all
Satisfy any

About Michael Boguslavskiy

Michael Boguslavskiy is a full-stack developer & online presence consultant based out of New York City. He's been offering freelance marketing & development services for over a decade. He currently manages Rapid Purple - and online webmaster resources center; and Media Explode - a full service marketing agency.

Check Also

Looking to Fortify Your WordPress Website’s Security? Try MalCare Security Plugin!

30% of sites on the internet are being powered by WordPress today – making it ...

Like every other website, this site uses cookies to analyze our traffic. Cookies may also be utilized by our advertisers and partners. By using this website you agree to the use of said cookies. More Information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings, continuing to navigate past this message, or you click "Accept" below then you are consenting to the use of cookies on the Rapid Purple website.