Create a WordPress htpasswd File to Secure the WP-Admin Dashboard

HTTP authentication adds a secondary layer of WordPress security that protects the admin dashboard — or wp-admin — by requiring the user to submit further authentication. After creating the .htaccess file for protecting the WordPress wp-admin folder, you should create a username and password database file for HTTP authentication. In other words, you simply need to create a WordPress htpasswd file.

HTPASSWD files are used to protect your website or specific directories using HTTP Authentication, and contain a list of usernames and hashed passwords. Apache will use this information to authenticate users who want to access a password-protected website or web page, by prompting the user with an HTTP Authentication dialog.

An .htpasswd file contains a list of usernames followed by the colon “:” character, and ending with a hashed password — similar to the example below:

steven:$apr1$k7QjkNty$tSd4grHRifUzCC8L9EBN51
jones:$apr1$Z5SbWNdp$oJqAVhLCvVRMSgeEADeT6/

Creating a .htpasswd file

You can create an .htpasswd file using either of two methods. The easiest and fastest method — ideal for beginners — is to use an online htpasswd Generator. The second method involves generating the .htpasswd file manually. The manual method provides more flexibility, although some technical experience is recommended.

The manual method

You need a tool called “htpasswd” in order to create a .htpasswd file. If you are running Windows you can install XAMPP, or Apache web server for Windows — or any other similar server software that is typically shipped with the ‘htpasswd’ tool. To launch the htpasswd tool, navigate to the tool’s directory via the command line. In a typical Apache installation, the tool can be found in the bin subdirectory.

Once your command line interface is in the directory containing htpasswd.exe, type htpasswd.exe and hit enter. A list of available htpasswd.exe parameters will be shown for your reference. To create a new .htpasswd file, type the following command in the prompt.

htpasswd -cm [passwordfilename] [username]

You will then be asked to enter a password for the specified username. By default, the .htpasswd file will be generated in the same directory where the actual htpasswd.exe tool resides. The -c parameter creates a new .htpasswd file, and the -m parameter hashes the submitted password using MD5. If you wish to add more usernames to the current password file, use the same command without the -c parameter, since -c creates the file anew:

htpasswd -m [passwordfilename] [username]

Note: Installing Xampp or Apache on your computer requires a web server to be installed and running on your computer. If not configured properly, a web server could open a security vulnerability on your machine, so it’s not advisable to use any mission-critical computers if you’re not confident with this process.

Once the .htpasswd file is created, save the file in the same location specified in the .htaccess file under the AuthUserFile directive. You can read more on how to use .htaccess files to secure your WordPress installation here: htaccess Files and WordPress Security.
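
The entry format shown earlier and the AuthUserFile location can both be checked mechanically. The following Python code is an added example, not part of the original post: it classifies each .htpasswd entry by its hash prefix and tests whether a password file path resolves under the web root. The function names, the rating labels, and the last three sample entries are constructed for illustration.

```python
import os
import re

# (prefix, scheme, rating) for hash formats Apache accepts; ratings are this example's labels.
SCHEMES = [
    ("$2y$",   "bcrypt",        "preferred"),  # written by `htpasswd -B` (Apache 2.4)
    ("$apr1$", "apr1-md5",      "legacy"),     # written by `htpasswd -m`, 1,000-round MD5
    ("{SHA}",  "sha1-unsalted", "insecure"),   # written by `htpasswd -s`
]

def classify(hash_field):
    for prefix, scheme, rating in SCHEMES:
        if hash_field.startswith(prefix):
            return scheme, rating
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "des-crypt", "insecure"          # traditional crypt(3), `htpasswd -d`
    return "unknown-or-plaintext", "insecure"

def audit_htpasswd(text):
    """Return (line_no, user, scheme, rating) for each entry in an .htpasswd body."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):    # blank and comment lines are skipped
            continue
        user, sep, hash_field = line.partition(":")
        if not (sep and user and hash_field):
            findings.append((line_no, None, "malformed", "invalid"))
            continue
        findings.append((line_no, user) + classify(hash_field))
    return findings

def inside_docroot(auth_user_file, docroot):
    """True if the AuthUserFile path resolves to a location under the web root."""
    root = os.path.realpath(docroot)
    return os.path.commonpath([os.path.realpath(auth_user_file), root]) == root

# The first two lines are the page's sample entries; the other three are constructed.
SAMPLE = """\
steven:$apr1$k7QjkNty$tSd4grHRifUzCC8L9EBN51
jones:$apr1$Z5SbWNdp$oJqAVhLCvVRMSgeEADeT6/
alice:$2y$05$CONSTRUCTEDxBCRYPTxPLACEHOLDERxNOTxAxREALxHASHx000000
bob:{SHA}CONSTRUCTEDplaceholder000=
carol
"""

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(finding)
```

Calling inside_docroot() with the path from the AuthUserFile directive and the site's document root returns True when the password file sits in a web-accessible directory.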

  • How to install this when I’m just using shared hosting and don’t have root access, just cPanel access?

    • Hi Lazaac,

      You can always upload a .htaccess file even if you do not have root access. You need to upload the .htaccess file to the root of the blog.

  • After uploading the .htaccess file I can’t log in... please help...

  • You can write the htaccess file with a usual editor such as Notepad or Notepad++.
    If you are using Windows, you have to save the file on your computer as htaccess.txt (without the dot before it). Via FTP or SFTP, you upload your file to the wp-admin folder; then, in cPanel, rename the file htaccess.txt to .htaccess (setting chmod to 644). You should see the file type change from text file to HTACCESS file.
    If you do not have root access, you may upload the .htpasswd file to the same wp-admin directory, together with the .htaccess file.

  • I generated an htpasswd with htaccesstools.com, but how do I place this code into my site? Please, please, please help.

  • I’m still confused. I already have a htaccess file in the web root. Do I have to duplicate it to wp-admin?
    In this case, where do I have to upload the htpassword?

    • Hi Baju,

      The .htaccess file in the root of the website has a different purpose. So you have to create a new .htaccess file for the wp-admin section as well. You should ideally place the .htpasswd file in a non-web directory, i.e. a directory which is not accessible via the web.

  • Please define a sample .htpasswd file for user name sojib and password abc,./

    Will the wp-admin section .htaccess work with .htpasswd, to prompt for a user name and password?

    • Hi Sojib,

      We cannot provide you with such a sample; such information is not to be shared publicly. I would recommend that you find an online htpasswd generator. There are many available.

  • Hi, I am using a shared server. Can I use it? Then where do I put .htpassword? And how do I specify the path in .htaccess?

  • I am wondering if you use the htpassword credentials to log in to the WordPress site now or the account information created in WordPress itself. And how does it affect the login process?
