Password Protect your WordPress Admin Folder

WordPress websites and blogs are prone to Brute Force attacks and a recommended way to prevent your site against such attacks is to protect your wp-admin folder with a password. Let me explain.

Your WordPress installation directory has three main folders:

  • the wp-content folder includes all your themes, plugins, images and other uploaded files.
  • the wp-includes folder includes all the PHP functions that actually run WordPress.
  • the wp-admin folder is the front-end for WordPress admin, authors and and other members.

Unlike the public HTML pages and images of your WordPresss website, the Admin dashboard area requires a username and password and is thus accessible only to “authorized” users. However, to make your WordPress more secure, you can add an extra layer of security to the wp-admin folder so that even authorized users can’t just get in with their WordPress passwords.

Secure wp-admin directory of WordPress with a Password

Here’s a step by step guide on how to password protect the wp-admin folder of WordPress. This assumes that you have installed WordPress on a Linux machine with the Apache web server.

Step 1. Log in to your Linux shell and create a new directory that is not accessible from the web. For instance, if your WordPress is installed in /home/peter/, you can create a folder as /home/peter/admin (you can give any name).

$ mkdir /home/peter/admin

Step 2. Now we need to specify the username and password that will protect the wp-admin folder. This is independent of your Linux shell user name or your WordPress user.

Run the following command and remember to replace username with another name.

$ htpasswd -c /home/peter/admin/passwords username

Step 3. The above command will create a passwords file inside the /home/peter/admin folder. You can run the “cat” command to view the encrypted htaccess password stored in the passwords file. Next we need to tell Linux to use this password to protect the wp-admin folder.

Go to your WordPress admin folder (at /home/peter/ and create a new .htaccess (use the vi command or create the .htaccess file on your desktop and upload it to wp-admin folder using FTP).

Also see: Improve WordPress Security with Plugins

Step 4. Paste the following text into your new .htaccess file and replace the folder path in Line #3 with your own actual path. Save the changes.

AuthType Basic
AuthName "WordPress Protected Area"
AuthUserFile /home/peter/admin/passwords
Require valid-user
<Files admin-ajax.php>
  Order allow,deny
  Allow from all
  Satisfy any
<Files "\.(css|gif|png|js)$">
  Order allow,deny
  Allow from all
  Satisfy any

Step 5. Switch to the WordPress root folder (/home/peter/, open the .htaccess file for editing and add the following lines outside the #BEGIN WordPress and #END WordPress block.

#Do not display Authorization Error Message
#Instead, redirect to the blog home page
ErrorDocument 401 /

Save the file and you are done. All users of your WordPress (including you) will now have to enter two passwords to access the WordPress Admin dashboard.

See more Linux Commands for WordPress.


Prevent Image Hotlinking

Put this piece of code in your .httaccess file on the Apache web server and it will automatically block all image requests coming from specified domains.

The website requesting the image resource will be returned a 403 Forbidden error.

 RewriteEngine On
 RewriteCond %{HTTP_REFERER} ^http://(www\.)?example\.ru(/.*)*$ [NC,OR]
 RewriteCond %{HTTP_REFERER} ^http://(www\.)?example\.cn(/.*)*$ [NC,OR]
 RewriteCond %{HTTP_REFERER} ^http://(www\.)?leecher\.com(/.*)*$ [NC]
 RewriteRule \.(jpeg|JPEG|jpe|JPE|jpg|JPG|gif|GIF|png|PNG)$ - [F]