How to Password Protect wp-admin Directory in WordPress
Adding an extra layer of security to your wp-admin directory helps prevent unauthorized access and brute-force attacks. Follow these steps to set up password protection using .htaccess and .htpasswd.
Step 1: Access Your Website’s File Manager or FTP
You’ll need to edit files in your WordPress installation. You can do this via:
- cPanel → File Manager (recommended for beginners)
- FTP client (e.g., FileZilla)
Step 2: Create or Edit the .htaccess File in wp-admin
- Navigate to the wp-admin folder inside your WordPress installation.
- If a .htaccess file exists, edit it. If not, create a new file and name it .htaccess.
- Add the following lines of code to the file:
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/yourusername/.htpasswd
Require valid-user
Replace /home/yourusername/.htpasswd with the correct server path where the password file will be stored.

Step 3: Create the .htpasswd File for Authentication
The .htpasswd file stores the usernames and hashed passwords for access.
Method 1: Use an Online Generator
- Visit this .htpasswd generator.
- Enter your desired username and password.
- Copy the generated line (e.g., admin:$apr1$e9s6K5hG$xyzxyzxyzxyzxyzxyzxyz1).
Method 2: Manually Create the File
- Create a new file and name it .htpasswd.
- Add a line in this format:
username:encryptedpassword
- Use an online encryption tool or the command line to generate the password hash:
openssl passwd -apr1 YourPassword
- Save and upload the .htpasswd file outside the public_html directory (for security).
Step 4: Allow Ajax Requests (Optional, But Recommended)
WordPress uses admin-ajax.php, so restricting access may break some plugins. To allow Ajax, add this rule to your wp-admin .htaccess:
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Step 5: Test the wp-admin Password Protection
- Open yoursite.com/wp-admin/ in a browser.
- A login prompt should appear.
- Enter the credentials you set up in the .htpasswd file.
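To confirm that Steps 2 and 3 were carried out correctly, the shell function below checks that the wp-admin .htaccess contains the Basic Auth directives, that the AuthUserFile target exists outside the web root, and that every entry is a salted hash. It is an added example, not part of the original tutorial; the function name audit_wpadmin_auth and its messages are hypothetical, and it assumes an absolute AuthUserFile path without spaces.

```shell
#!/bin/sh
# Added example: audit the Basic Auth setup from Steps 2-3.
# Usage: audit_wpadmin_auth <web-root> [path to wp-admin/.htaccess]
# Assumes an absolute AuthUserFile path that contains no spaces.
audit_wpadmin_auth() {
    docroot=$1
    htaccess=${2:-$docroot/wp-admin/.htaccess}
    rc=0
    [ -f "$htaccess" ] || { echo "FAIL: $htaccess not found"; return 1; }

    # Step 2: the directives that switch Basic Auth on must be present.
    grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$htaccess" ||
        { echo "FAIL: AuthType Basic missing"; rc=1; }
    grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user' "$htaccess" ||
        { echo "FAIL: Require valid-user missing"; rc=1; }

    # Pull the password file path out of AuthUserFile (quotes stripped).
    pwfile=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$htaccess")
    [ -n "$pwfile" ] || { echo "FAIL: AuthUserFile missing"; return 1; }
    [ -f "$pwfile" ] || { echo "FAIL: $pwfile does not exist"; return 1; }

    # Step 3: the file must live outside the web root (directory symlinks resolved).
    real_root=$(cd "$docroot" && pwd -P)
    real_pw=$(cd "$(dirname "$pwfile")" && pwd -P)/$(basename "$pwfile")
    case $real_pw in
        "$real_root"/*) echo "FAIL: $pwfile is inside the web root"; rc=1 ;;
    esac

    # Every entry must be user:hash in a salted format ($apr1$ or bcrypt).
    while IFS=: read -r user hash || [ -n "$user" ]; do
        [ -n "$user" ] || continue
        case $hash in
            '$apr1$'*|'$2y$'*) ;;
            '{SHA}'*) echo "FAIL: $user uses unsalted SHA-1"; rc=1 ;;
            *) echo "FAIL: entry for $user is not an \$apr1\$ or bcrypt hash"; rc=1 ;;
        esac
    done < "$pwfile"

    [ "$rc" -eq 0 ] && echo "OK: wp-admin Basic Auth setup is consistent"
    return "$rc"
}

# Run the audit when the script is called with arguments.
if [ "$#" -gt 0 ]; then audit_wpadmin_auth "$@"; fi
```

Save it as a script and pass the web root (for example the public_html directory) as the first argument; a non-zero exit status means at least one check failed.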
Final Thoughts
✅ Now, your WordPress admin panel has an extra security layer.
🔒 Even if someone knows your WordPress login, they still need to pass this authentication first.
Would you like any additional security measures for wp-admin (like IP whitelisting or 2FA)? 🚀