Password protecting the wp-admin directory
Several places recommend blocking the WordPress admin area with a password. While this certainly is a good idea, implementing it properly is non-trivial.
One of the problems is that the WordPress Ajax handler script is located in the admin directory. So password-protecting the admin area will break all Ajax functionality your blog might be using on the frontend.
First, see this tutorial on how to password protect directories with an .htaccess file. Sivel has an example for whitelisting the Ajax handler; add these lines to your .htaccess file:
# These are the lines that do the password protection.
# You probably already created them while reading through the tutorial linked above.
AuthUserFile /path/to/your/htpasswd
AuthType basic
AuthName "Restricted Resource"
require valid-user

# This is the whitelisting of the ajax handler
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Please notice that you absolutely need to create the htpasswd file, see the linked tutorial above.
Update: /wp-admin/css/install.css is also sometimes needed on the frontend, so you should whitelist that as well.
Here's the necessary configuration to whitelist a file in a password-protected location in lighttpd:
# mod_auth must be loaded in server.modules; the two auth.backend lines
# point lighttpd at the htpasswd file (adjust the path).
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/path/to/your/htpasswd"

# Everything below /wp-admin/ ...
$HTTP["url"] =~ "^\/wp-admin\/.*" {
    # ... except the Ajax handler and the CSS directory requires a login.
    $HTTP["url"] !~ "^\/wp-admin\/(admin-ajax\.php|css\/.*)" {
        auth.require = (
            "" => (
                "method"  => "basic",
                "realm"   => "Password protected area",
                "require" => "user=theuser",
            ),
        )
    }
}
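As an added example (not from the original post): a small Python check that confirms the finished setup behaves as described, for either the Apache or the lighttpd configuration above. Anonymous requests to wp-admin itself must get a 401, while admin-ajax.php and css/install.css must stay reachable. The host name example.test, the probed paths and the stub fetch used in testing are assumptions.

```python
import urllib.error
import urllib.request

# Paths that must demand credentials (HTTP 401) once protection is active.
PROTECTED = ["/wp-admin/", "/wp-admin/index.php", "/wp-admin/edit.php"]
# Paths the whitelist must leave open; the public frontend loads both.
WHITELISTED = ["/wp-admin/admin-ajax.php", "/wp-admin/css/install.css"]


def http_fetch(url):
    """Status code of an anonymous GET; no credentials are ever sent."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_wp_admin_protection(base_url, fetch=http_fetch):
    """Return a list of problems; an empty list means the setup is consistent.

    base_url is the blog root, e.g. http://example.test (assumed host) or
    http://example.test/wordpress for a subdirectory install.
    """
    root = base_url.rstrip("/")
    problems = []
    for path in PROTECTED:
        status = fetch(root + path)
        if status == 404:
            # Reported in the comments: auth plus WordPress rewrites can
            # surface as "Page not found" instead of a login prompt.
            problems.append(f"{path}: 404 instead of 401, check ErrorDocument")
        elif status != 401:
            problems.append(f"{path}: NOT protected (HTTP {status})")
    for path in WHITELISTED:
        status = fetch(root + path)
        if status == 401:
            problems.append(f"{path}: still protected, frontend Ajax/CSS breaks")
        elif status == 404:
            problems.append(f"{path}: not found, check the path in the config")
        # Any other status (even 400 from admin-ajax.php without an action)
        # proves the web server let the anonymous request through.
    return problems


if __name__ == "__main__":
    import sys
    for problem in check_wp_admin_protection(sys.argv[1]) or ["no problems found"]:
        print(problem)
```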
Great stuff...
So to whitelist /wp-admin/css/install.css also would the correct syntax be:
or
?
Thanks,
Anders
Trying again :-)
This:
<Files admin-ajax.php install.css>
Or this:
<Files admin-ajax.php css/install.css>
Thanks,
Anders
I think you need the path, relative to the htaccess, yes, if that's what you're asking ;-)
Okay, got it working...
Had to add another Files directive for the second file... without the path, so only the filename...
Ok, thanks for the info!
Starting lighttpd: parsing regex failed: ^\/wp-admin\/(admin-ajax\.php|css\/install\.css -> missing ) at offset 47
I added a ) between 'css' and '"'
Oops, right :-)
Okay, I'm a newbie at this. I'm trying to figure it out. I whitelisted the admin-ajax.php file yesterday and it worked fine. Today I just get a 404 error. I'm a little unsure of what to do now. I tried a couple of things trying to whitelist the css/install.css with no success. Help!
It would help if you were using WordPress..
I'm using 3.0.1. It's just installed in the subdirectory /wordpress/.
Hey Ryan, that's rather odd indeed. I'd recommend you remove the password protection thing from your config and try to access the admin section again.
I've been researching WP security for the last few days, as a new developer, going setting all of the above up to secure my wp-admin is going to take me a day or so to understand, test, and configure...
I found this plugin and wondering what your thoughts are on it?
http://www.askapache.com/wordpress/htaccess-password-protect.html
Thank you for the review.
If the plugin "passes", it might be a great tool to speed up the process for others.
I wouldn't recommend using that, see also http://codex.wordpress.org/Hardening_WordPress#Resources
Thanks Nicolas. Majority of the posts were about people being locked out of wp-admin. If I wanted to hire you to help me setup my wp-admin protection, what would I expect to pay you for your service? Could you also teach me via my webinar account how to do it myself?
I also found this... what's the flaw if any in following this advice? http://www.squidoo.com/wordpress_security#module63921672
I will answer all of your questions if you send me an email. Please use my contact form :-)
Hello Nicolas,
I put in my .htaccess password protection as you recommended, and now when I go to my wp-admin dashboard I get a "Page not found." When I disable the .htaccess, dashboard loads fine. Any thoughts?
Hm, not really. Check the webserver's error log?
I guess I should have done that from the get-go. I had contacted my hosting providers support at the same time, and they resolved the issue for me. I use HostGator, so I'm not sure if everyone would run into this issue or not, but I was explained that WordPress rewrites do not work on password protected directories. I was given two lines of code to put in my .htaccess file:
ErrorDocument 401 /%{REQUEST_URI}/myerror.html
ErrorDocument 403 /%{REQUEST_URI}/myerror.html
After that, it now requires my user name and password as intended! :)
Andy
I reviewed the steps they suggested on this squidoo page and I've seen them before in the WordPress forums. All of these steps make sense to me except the search robots one. Wouldn't you want a search robot browsing your site caching data, or did I misunderstand what they want you to do here?
In the best case the cache would have the same content as the site. And you don't want visitors from search engines to access cache files, you want them on your site. So disallowing indexing makes sense.
Ok, that makes sense, thanks!
Change "/path/to/htpasswd_file" accordingly. This whitelists calls to "admin-ajax.php" as well as all the CSS files, which are trivial IMHO. Regards,