Password protecting the wp-admin directory

Several places recommend blocking the WordPress admin area with a password. While this is certainly a good idea, implementing it properly is non-trivial.

One of the problems is that the WordPress Ajax handler script (admin-ajax.php) lives in the admin directory, so password-protecting the whole admin area breaks any Ajax functionality your blog uses on the frontend.

First, see this tutorial on how to password protect directories with an .htaccess file. Sivel has an example of whitelisting the Ajax handler; add these lines to your .htaccess file:

# These are the lines that do the password protection.
# You probably already created them while reading through the tutorial linked above.
AuthUserFile /path/to/your/htpasswd
AuthType basic
AuthName "Restricted Resource"
require valid-user

# This is the whitelisting of the ajax handler
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

Note that you absolutely need to create the htpasswd file; see the linked tutorial above.

Update: /wp-admin/css/install.css is also sometimes needed on the frontend; you should whitelist that as well.

Here's the necessary configuration to whitelist a file in a password-protected location in lighttpd:

$HTTP["url"] =~ "^\/wp-admin\/.*" {
    $HTTP["url"] !~ "^\/wp-admin\/(admin-ajax\.php|css\/.*)" {
        auth.require = (
            "" => (
                "method" => "basic",
                "realm" => "Password protected area",
                "require" => "user=theuser",
            ),
        ),
    },
},
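The hard part in practice is finding out which other files under /wp-admin/ the frontend still pulls in once the password is in place. As an added example that is not part of the original post, this Python script reads access log lines (the combined format Apache and lighttpd both write; the sample lines, hostnames and IPs are constructed), counts the /wp-admin/ requests that were challenged with a 401 while a visitor was on a frontend page, and checks each against the whitelist the article uses (admin-ajax.php and css/), so anything else, like load-scripts.php, shows up as still needing an entry.

```python
import re
from collections import Counter

# The article's whitelist: the Ajax handler plus everything under css/
# (the same set the lighttpd regex above expresses).
WHITELIST = re.compile(r"^/wp-admin/(admin-ajax\.php|css/.*)$")

# "combined" log format; the request line is split into method, path, protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): a visitor's frontend page load
# pulling resources from /wp-admin/ after password protection was switched on.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2012:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=vote HTTP/1.1" 401 381 "http://blog.example/post/1" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2012:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load=jquery HTTP/1.1" 401 381 "http://blog.example/post/1" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2012:10:00:02 +0000] "GET /wp-admin/css/install.css HTTP/1.1" 200 1200 "http://blog.example/post/1" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2012:10:00:07 +0000] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "curl/7.21"
192.0.2.10 - - [10/Jan/2012:10:01:00 +0000] "GET /wp-admin/edit.php HTTP/1.1" 401 381 "http://blog.example/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2012:10:02:00 +0000] "GET /wp-admin/load-scripts.php?load=jquery HTTP/1.1" 401 381 "http://blog.example/" "Mozilla/5.0"
"""


def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # the whitelist matches the path only
    return rec


def is_whitelisted(path):
    return WHITELIST.match(path) is not None


def frontend_blocked(log_text):
    """Count /wp-admin/ requests challenged (401) while the visitor was on a
    frontend page, i.e. the referer is on the site but outside /wp-admin/.
    Direct hits (no referer) and requests from inside the admin are expected
    to be challenged, so they are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 401 or not rec["path"].startswith("/wp-admin/"):
            continue
        ref_path = re.sub(r"^https?://[^/]+", "", rec["referer"])
        if rec["referer"] == "-" or ref_path.startswith("/wp-admin/"):
            continue
        hits[rec["path"]] += 1
    return hits


def still_blocked(log_text):
    """Paths the frontend needs that the article's whitelist would not cover."""
    return sorted(p for p in frontend_blocked(log_text) if not is_whitelisted(p))
```

Run it against the real log after enabling protection and add a Files block (or extend the lighttpd regex) for every path it reports; note that `Order`/`Allow` need mod_access_compat on Apache 2.4, where `Require all granted` is the native equivalent.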

42 comments

  1. avatar
    wrote this comment on

    Great stuff...

    So to whitelist /wp-admin/css/install.css also would the correct syntax be:

    or

    ?

    Thanks,

    Anders

    1. avatar
      wrote this comment on

      Trying again :-)

      This:
      Files admin-ajax.php install.css

      Or this:
      Files admin-ajax.php css/install.css

      Thanks,

      Anders

      1. avatar
        wrote this comment on

        I think you need the path, relative to the htaccess, yes, if that's what you're asking ;-)

        1. avatar
          wrote this comment on

          Okay, got it working...

          Had to add another Files directive for the second file... without the path, so only the filename...

          1. avatar
            wrote this comment on

            Ok, thanks for the info!

  2. avatar
    wrote this comment on

    Starting lighttpd: parsing regex failed: ^\/wp-admin\/(admin-ajax\.php|css\/install\.css -> missing ) at offset 47

    I added a ) between 'css' and '"'

    1. avatar
      wrote this comment on

      Oops, right :-)

  3. avatar
    wrote this comment on

    Okay, I'm a newbie at this. I'm trying to figure it out. I whitelisted the admin-ajax.php file yesterday and it worked fine. Today I just get a 404 error. I'm a little unsure of what to do now. I tried a couple of things trying to whitelist the css/install.css with no success. Help!

    1. avatar
      wrote this comment on

      It would help if you were using WordPress..

  4. avatar
    wrote this comment on

    I've been researching WP security for the last few days, as a new developer, going setting all of the above up to secure my wp-admin is going to take me a day or so to understand, test, and configure...

    I found this plugin and wondering what you're thoughts are on it?

    http://www.askapache.com/wordpress/htaccess-password-protect.html

    Thank you for the review.

    If the plugin is "passes" it might be a great tools to speed up the process for others.

    1. avatar
      wrote this comment on

      I wouldn't recommend to use that, see also http://codex.wordpress.org/Hardening_WordPress#Resources

  5. avatar
    wrote this comment on

    Thanks Nicolas. Majority of the posts were about people being locked out of wp-admin. If I wanted to hire you to help me setup my wp-admin protection, what would I expect to pay you for your service? Could you also teach me via my webinar account how to do it myself?

    1. avatar
      wrote this comment on

      I will answer all of your questions if you send me an email. Please use my contact form :-)

  6. avatar
    wrote this comment on

    I also found this... what's the flaw if any in following this advice? http://www.squidoo.com/wordpress_security#module63921672

    1. avatar
      wrote this comment on

      I reviewed the steps they suggested on this squidoo page and I've seen them before in the WordPress forums. All of these steps make sense to me except the search robots one. Wouldn't you want a search robot browsing your site caching data, or did I misunderstand what they want you to do here?

      1. avatar
        wrote this comment on

        In the best case the cache would have the same content as the site. And you don't want visitors from search engines to access cache files, you want them on your site. So disallowing indexing makes sense.

  7. avatar
    wrote this comment on

    Hello Nicolas,

    I put in my .htaccess password protection as you recommended, and now when I go to my wp-admin dashboard I get a "Page not found." When I disable the .htaccess, dashboard loads fine. Any thoughts?

    1. avatar
      wrote this comment on

      Hm, not really. Check the webserver's error log?

      1. avatar
        wrote this comment on

        I guess I should have done that from the get-go. I had contacted my hosting providers support at the same time, and they resolved the issue for me. I use HostGator, so I'm not sure if everyone would run into this issue or not, but I was explained that WordPress rewrites do not work on password protected directories. I was given two lines of code to put in my .htaccess file:

        ErrorDocument 401 /%{REQUEST_URI}/myerror.html
        ErrorDocument 403 /%{REQUEST_URI}/myerror.html

        After that, it now requires my user name and password as intended! :)

        Andy

        1. avatar
          wrote this comment on
          Brilliant! I couldn't get the whitelisting to work at all, but adding just those two ErrorDocument lines (I removed the whitelisting stuff) to my .htaccess cleared up the redirect to the 404 Page Not Found error.

          Just to note: I'm not on HostGator, and I didn't even bother to create the myerror.html page, and it still worked. Now I can log into the /wp-admin directory again with the added layer of security provided by htaccess password-protection. :)
  8. avatar
    wrote this comment on
    What about `/wp-admin/load-scripts.php`? Whilst rooting around WP code I noticed some constants which I believe might allow the same script compression in the front-end which the back-end enjoys: `COMPRESS_SCRIPTS`, `CONCATENATE_SCRIPTS`, etc. (see script-loader.php, particularly `_print_scripts()`)

    I haven't played around with them or the undocumented(?) WP_CACHE but thought I should at least put the flag up in case anyone had any strange problems...
    1. avatar
      wrote this comment on
      I think you're right. But afaik the script loader is only used in the admin by default. There may be a few plugins out there that use it though. So yes, you might want to whitelist the loader as well if you use such a plugin.

      Aaaah, the usual wp mess :-)
  10. avatar
    wrote this comment on
    Nicolas. I really appreciate your work on this issue and it seems to be very thorough with links answering questions regarding the subject. Since I'm a novice at htaccess I would like you to answer this question.
    I'm on a shared hosting account with Go Daddy. There is no way to access a folder above my shared accounts root folder. I have contacted them about adding the additional lay of protection to the wp-admin file but all I get back is that the directory is already protected and adding the additional layer of protection is not available on this file.

    Now this might be poor customer service or some server configuration that they are not willing to expound upon, but I think I can get this done.

    I've created a htpasswd file and added directive to the htaccess file. The article you link to states that the htpasswd file should be placed above the root directory on the server. That is not possible on a shared account with Go Daddy. Can I use file permissions to lock down the password file? Can I lock down this directory further given the shared hosting or do I have to upgrade to a dedicated server to allow for additional security measures such as this technique?
    Thank you for this article. It is the most thorough article I've found on this subject.
    1. avatar
      wrote this comment on
      To protect the wp-admin directory you create the .htaccess file in its parent directory, that means the wordpress root directory. You don't need access to anything above to protect wp-admin. Maybe I misread you though? It's getting late here..
      1. avatar
        wrote this comment on
        No, you should create the .htaccess file in the wp-admin directory itself, not in the parent directory. The .htaccess file affects access to the files in the current directory and all subdirectories. If you put it in wp-root then it will affect the complete installation. I figure it was too late ;)
        1. avatar
          wrote this comment on
          Haha, you're right.
  11. avatar
    wrote this comment on
    Hi,

    The instructions on this page are confusing, they start off as "Apache compatible" (even tagged as such) but end up as "lighttpd"

    Anyways, after mucking about, I believe you should update your example with the following:

    AuthUserFile /path/to/htpasswd_file
    AuthType basic
    AuthName "Restricted Resource"
    require valid-user
    # Whitelist
    <Files "admin-ajax.php" >
    Order allow,deny
    Allow from all
    Satisfy any
    </Files>
    <Files "*.css" >
    Order allow,deny
    Allow from all
    Satisfy any
    </Files>



    Change "/path/to/htpasswd_file" accordingly. This whitelists calls to "admin-ajax.php" as well as all the CSS files, which are trivial IMHO.

    Regards,


  12. avatar
    wrote this comment on
    Great tip! Thanks!
  13. avatar
    wrote this comment on
    Hi there
    The wp-admin protection and all of its following complications!
    Every time that I load a page in my website, I'm prompted with a popup for entering the wp-admin username and password and the funny part is that I just created the correct .htaccess file with the following info:
    <Files "admin-ajax.php">
    Order allow,deny
    Satisfy Any
    Allow from all
    </Files>
    <Files "*.css" >
    Order allow,deny
    Allow from all
    Satisfy any
    </Files>

    as you see it is exactly the mentioned lines in comments also in various websites but still I have the funny problem, with every new page, user prompted with the user and pass popup!

    Do you have any point on this case?
    Thanks a lot for your kind post!
    1. avatar
      wrote this comment on
      You should check if any other resources are being loaded from the wp-admin directory. You can use the chrome dev tools, Network tab for example.
  14. avatar
    wrote this comment on
    Okay, I tried this and everything was fine. Except that Disqus comments are completely gone. Instead of the Disqus comments, now it is showing a login button. Clicking on this button opens the login prompt as specified in .htaccess.

    Please help.
    1. avatar
      wrote this comment on
      Nothing you said makes much sense to me :-|
  15. avatar
    wrote this comment on
    hi
    i don't get part two of article which is about "update: /wp-admin/css/install.css"
    where is the place for put codes part two($HTTP["url"] =~ "^\/wp-admin\/.*)? in which file and where is the file?
    thanks
    1. avatar
      wrote this comment on
      You probably want to look at the htaccess example instead, and see http://httpd.apache.org/docs/current/mod/core.html#files for the syntax to whitelist multiple files. The code you mentioned is part of a lighttpd configuration, you're not using that ;-)
