WordPress Security Tips Part 5 – Restrict Access to wp-admin Directory

Password protecting your WordPress admin area with a layer of HTTP authentication is an effective measure against attackers attempting to guess users' passwords. Additionally, if an attacker manages to steal a user's password, they still need to get past HTTP authentication before they can even reach the WordPress login form.

Basic HTTP Authentication


Warning – Basic HTTP Authentication sends passwords over the network in clear text (the credentials are only base64-encoded, not encrypted). For this reason, it is highly recommended that you use HTTPS so that the data in transit is encrypted.

In Apache HTTP Server, you can achieve this by creating a .htpasswd file and adding the few configuration directives described below.

The .htpasswd file stores combinations of usernames and password hashes which the web server uses to authenticate users. You can create a .htpasswd file using the htpasswd command-line tool or an online password file generator.

Several Linux distributions install the htpasswd utility together with Apache itself. Most Debian and Ubuntu users, however, will need to install the apache2-utils package as follows.

apt-get update
apt-get upgrade
apt-get install apache2-utils

Once htpasswd is installed, run the following command to create a new .htpasswd file at /srv/auth/.htpasswd containing a single user named myuser (the -c flag creates the file, overwriting any existing file of that name). htpasswd will then prompt you to enter and confirm the password of your choice.

htpasswd -c /srv/auth/.htpasswd myuser

Note – It is highly recommended not to store .htpasswd files in a web accessible directory. By default, files with the .ht prefix are not served by Apache, however this should not be assumed.

To enable basic HTTP authentication on the WordPress administration area, you need to activate the directives described below on the wp-admin directory and reference the .htpasswd file created earlier. Insert the following lines into the appropriate <Directory> section of your server's Apache configuration file, or into an .htaccess file within the wp-admin directory.

AuthType Basic
AuthUserFile /srv/auth/.htpasswd
AuthName "WordPress Authenticated area."
Require valid-user

The AuthType directive specifies the authentication type. In this case, Basic authentication is being configured.

The AuthUserFile directive specifies the full path to the .htpasswd file, the file holding the password hashes which the server will later use to authenticate users.

The AuthName directive contains an arbitrary message (the realm) which the browser presents to the user when prompting for credentials. The Require valid-user setting instructs Apache to grant access to any user listed in the password file who authenticates successfully.
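As an added example that is not part of the original post, the Python below mirrors what Apache does behind these directives: it parses a constructed .htpasswd, decodes the Basic Authorization header a browser sends (which also shows why the clear-text warning above applies, since the credentials are only base64-encoded) and checks the password against a {SHA} entry of the kind htpasswd -s writes. The function names parse_htpasswd, decode_basic, check_password and authorize are my own, and the sample file content is constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample .htpasswd content for this example, not a real file.
# "{SHA}" entries are what `htpasswd -s` writes (unsalted SHA-1, checkable with
# the standard library); `htpasswd -B` bcrypt entries are stronger but need a
# bcrypt library, so this checker fails closed on them instead of guessing.
SAMPLE_HTPASSWD = """\
# comments and blank lines are ignored by Apache
wpadmin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

editor:$2y$05$PLACEHOLDER.bcrypt.hash.not.checked.here
"""

def parse_htpasswd(text):
    """Return {username: hash_field} from .htpasswd-formatted text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, digest = line.partition(":")
        users[user] = digest
    return users

def decode_basic(header):
    """Recover (user, password) from a Basic header value, or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = creds.partition(":")
    return (user, password) if sep else None

def check_password(stored, password):
    """True only for a matching {SHA} entry; comparison is constant-time."""
    if not stored.startswith("{SHA}"):
        return False
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[5:], digest)

def authorize(header, users):
    """Return the authenticated username or None (like Require valid-user)."""
    creds = decode_basic(header)
    if creds is None or creds[0] not in users:
        return None
    return creds[0] if check_password(users[creds[0]], creds[1]) else None
```

The header "Basic d3BhZG1pbjpwYXNzd29yZA==" decodes to wpadmin:password, which is exactly what anyone watching an unencrypted connection would see.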

Note – While the .htpasswd file can be located anywhere on the filesystem, we strongly recommend that you do not place it in a web accessible directory. Files beginning with .ht are not web-accessible in most default configurations of Apache, but this should not be assumed.

In Part 6 of the series we will discuss file editing and WordPress username enumeration.

Read the previous article in the series about WordPress Security Keys

  • Note that this blocks legitimate unauthenticated access to admin-ajax.php
