
Using the steps below, I’ll show you how to create password protection for your /wp-admin directory. We’ll also copy those rules over to protect your wp-login.php script to keep WordPress as safe as possible.
- Under the Files section, click on Directory Privacy.
- Click the Settings button.
- In the pop-up box, select your domain in the drop-down menu labelled Document Root, then click Save Changes.
- Click on the text, not the folder icon, for your wp-admin directory.
- Check Password protect this directory, give it a name, then click Save.
- Now click on Go Back.
- Under the Create User section, input a user name and then click on Password Generator.
- In the pop-up mini-window copy the given password, and then check I have copied this password in a safe place. Then click Use Password.
- Now click on Save.
- Click on Go Back.
- Try to access your /wp-admin directory. Your browser will prompt you for the password you just created. Type in your username / password, and click Log In.
- Your normal WordPress admin login page should now display.
- Now go back to cPanel. Under the Files section, click on File Manager.
- Click the Settings button.
- Then select the Document Root for your domain, and check Show Hidden Files (dotfiles). Finally, click Save.
- From the left-hand directory listing, expand public_html. Click on wp-admin, then right-click on your .htaccess file. Then click on Code Edit. For the encoding pop-up, click on Edit again to bypass that.
- Copy all the code in the .htaccess file. While you still have the /wp-admin/.htaccess file open, also go ahead and add the ErrorDocument lines and the admin-ajax.php block above it, so that the file ends up looking like this:

  ```apache
  ErrorDocument 401 "Denied"
  ErrorDocument 403 "Denied"

  # Allow plugin access to admin-ajax.php around password protection
  <Files admin-ajax.php>
  Order allow,deny
  Allow from all
  Satisfy any
  </Files>

  AuthType Basic
  AuthName "Secure Area"
  AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
  require valid-user
  ```
- From the left-hand directory listing, click on public_html. Right-click on your .htaccess file, then click on Edit.
- Now paste the .htaccess code you copied in between <FilesMatch> tags, so that it ends up looking like this:

  ```apache
  ErrorDocument 401 "Denied"
  ErrorDocument 403 "Denied"

  <FilesMatch "wp-login.php">
  AuthType Basic
  AuthName "Secure Area"
  AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
  require valid-user
  </FilesMatch>
  ```

  Then click on Save Changes up at the top-right.
- Now if someone tries to log in directly via wp-login.php, they will be prompted for a valid user as well.
- When a user enters invalid credentials, they will get an Authorization Required error. They will then not be able to attempt to log in to your WordPress admin directly.
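
The two .htaccess files above are easy to break when pasting: Apache only treats straight double quotes as quoting characters, and auth rules placed in the root file outside <FilesMatch> cover the whole site. The Python check below is an added example, not part of the original tutorial; the function names and the docroot default /home/example/public_html (inferred from the sample path above) are assumptions.

```python
import re
SMART = "\u201c\u201d"  # typographic double quotes, common after copy/paste
QUOTES = '"' + SMART
AUTH = ("authtype", "authname", "authuserfile", "require")

def parse(text):
    """Yield (section, directive, argument) for every directive line."""
    section = None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)\s*([^>]*)>$", line)
        if tag:  # <Files x> or <FilesMatch x> opens a section, </...> closes it
            closing, name, arg = tag.groups()
            section = None if closing else (name.lower(), arg.strip(QUOTES))
            continue
        name, _, arg = line.partition(" ")
        yield section, name.lower(), arg.strip()

def audit(text, kind, docroot="/home/example/public_html"):
    """kind is 'wp-admin' or 'root'; docroot is an assumed default. [] means OK."""
    problems = []
    if any(q in text for q in SMART):
        problems.append('typographic quotes present; retype them as plain "')
    rows = list(parse(text))
    auth = [r for r in rows if r[1] in AUTH]
    missing = sorted(set(AUTH) - {d for _, d, _ in auth})
    if missing:
        problems.append("missing: " + ", ".join(missing))
    for section, d, arg in auth:
        if d == "authuserfile" and arg.strip(QUOTES).startswith(docroot + "/"):
            problems.append("password file is inside the web root")
        if kind == "root" and section != ("filesmatch", "wp-login.php"):
            problems.append(d + " is outside <FilesMatch>, so it covers the whole site")
    exempt = (("files", "admin-ajax.php"), "satisfy", "any")
    if kind == "wp-admin" and exempt not in [(s, d, a.lower()) for s, d, a in rows]:
        problems.append("admin-ajax.php is not exempted with Satisfy any")
    return problems

# Constructed sample: root .htaccess pasted with typographic quotes, no <FilesMatch>.
BAD_ROOT = """AuthType Basic
AuthName \u201cSecure Area\u201d
AuthUserFile \u201c/home/example/.htpasswds/public_html/wp-admin/passwd\u201d
require valid-user
"""
if __name__ == "__main__":
    for problem in audit(BAD_ROOT, "root"):
        print("-", problem)
```

Paste the contents of each file into `audit()` with the matching `kind` before saving it in File Manager; an empty list means the structure matches what the steps above describe.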