htaccess Files and WordPress Security

Adding server-side protection around the WordPress wp-admin folder adds a second layer of protection to your WordPress admin area, login page and files. You add it by placing a .htaccess file (a directory-level configuration file) in the wp-admin subdirectory of your WordPress installation.

The most common attacks against WordPress have been brute-force attacks and specially crafted HTTP requests sent to WordPress files in wp-admin, so it is very important to add an extra layer of protection to the wp-admin section. By adding a .htaccess file to the wp-admin directory, you safeguard your WordPress blog or website against such attacks.

Password protect wp-admin directory with a .htaccess file

With the .htaccess file you can configure the server to password protect all the files in the wp-admin folder. Before accessing WordPress files, such as the admin area login page, you first have to authenticate against the server itself, using HTTP authentication. With the WordPress admin area password protected, a malicious user who requests your admin area login page to launch a brute-force attack, or any other file in the wp-admin directory to send a harmful crafted HTTP request, is greeted with a server-side login prompt, and no direct access to WordPress files is possible.

To password protect your WordPress admin area, you have to create a .htpasswd file. A .htpasswd file contains the list of users and passwords used to access the wp-admin directory. The credentials used to access wp-admin should be different from those you use to log in to your WordPress admin area. Once the .htpasswd file has been created, you can create a .htaccess file and populate it with the directives below:

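# Password file; use the full path to where your .htpasswd is stored
AuthUserFile /etc/httpd/.htpasswd
AuthType Basic
AuthName "restricted"
# Deny by address, then let any user with a valid login through
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any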

Note: the AuthUserFile directive should contain the path of where the .htpasswd file is stored on the server or on your hosting space.
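
A pre-upload check for the file above, added here as an example (it is not code from the original post): it flags typographic quotes, a missing directive, a relative AuthUserFile path, and a password file stored under the web root. The function names, the sample files and the /home/example paths are assumptions made for the illustration.

```python
import posixpath

REQUIRED = ("authuserfile", "authtype", "authname", "require")
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"


def parse_directives(text):
    """Return (name, arguments) pairs, skipping blank lines and # comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        pairs.append((name.lower(), args.strip()))
    return pairs


def check_htaccess(text, document_root):
    """List problems in a wp-admin .htaccess that uses HTTP Basic authentication."""
    findings = []
    directives = parse_directives(text)
    present = {name for name, _ in directives}
    for needed in REQUIRED:
        if needed not in present:
            findings.append(f"missing directive: {needed}")
    root = posixpath.normpath(document_root)
    for name, args in directives:
        if any(ch in args for ch in TYPOGRAPHIC_QUOTES):
            findings.append(f"{name}: typographic quotes, retype them as plain quotes")
        if name != "authuserfile":
            continue
        path = args.strip('"')
        if not path.startswith("/"):
            # Apache resolves a relative path against ServerRoot, not this directory.
            findings.append("authuserfile: path is not absolute")
        elif posixpath.normpath(path).startswith(root + "/"):
            # A password file under the web root can end up being served to visitors.
            findings.append("authuserfile: password file is inside the web root")
    return findings


# Constructed samples (hypothetical account "example" on a shared host).
DOCUMENT_ROOT = "/home/example/public_html"
RISKY = """\
AuthUserFile /home/example/public_html/wp-admin/.htpasswd
AuthType Basic
AuthName \u201crestricted\u201d
Require valid-user
"""
SAFER = """\
AuthUserFile /home/example/.htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
"""

if __name__ == "__main__":
    for label, text in (("risky", RISKY), ("safer", SAFER)):
        print(label, check_htaccess(text, DOCUMENT_ROOT) or "no findings")
```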

Further protection of wp-admin folder with htaccess file

If you always access the blog from a fixed IP, you can also restrict access to the WordPress admin area by IP. To do so, add the directive below to the .htaccess file, where xxx.xxx.xxx.xxx is your IP. You can add more IPs to the list later by editing the existing .htaccess file.

allow from xxx.xxx.xxx.xxx

You can also block a spammer, bot or malicious user from accessing your blog with the .htaccess file. To do so, add the directive below to the .htaccess file, where xxx.xxx.xxx.xxx is the IP to be blocked. You can add and remove IPs from the list later by editing the existing .htaccess file.

deny from xxx.xxx.xxx.xxx
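
How the address directives combine with the password block shown earlier, as an added example that is not part of the original post: a small model of the Order Deny,Allow and Satisfy rules, showing which requests to wp-admin are admitted. The function names and the two sample addresses are assumptions, and the model handles only "all", single addresses and CIDR ranges, not the partial addresses and host names Apache also accepts.

```python
import ipaddress


def host_passes(client_ip, allow, deny):
    """Host check under 'Order Deny,Allow'.

    A Deny match blocks the client unless an Allow entry also matches;
    a client that matches neither list is let through.
    """
    ip = ipaddress.ip_address(client_ip)

    def matches(entries):
        return any(
            entry == "all" or ip in ipaddress.ip_network(entry, strict=False)
            for entry in entries
        )

    return matches(allow) or not matches(deny)


def request_admitted(client_ip, valid_login, allow, deny, satisfy="any"):
    """Combine the host check with the 'Require valid-user' result."""
    host_ok = host_passes(client_ip, allow, deny)
    if satisfy == "any":
        # Either test is enough: a listed address skips the password prompt.
        return host_ok or valid_login
    # 'Satisfy all': a listed address AND a valid login are both required.
    return host_ok and valid_login


# Constructed sample addresses (documentation ranges), not taken from the post.
OFFICE_IP = "203.0.113.10"
OTHER_IP = "198.51.100.7"


def walk_through():
    """Outcomes for the page's directives plus 'allow from OFFICE_IP'."""
    allow, deny = [OFFICE_IP], ["all"]
    cases = [
        ("office, no login, Satisfy any", OFFICE_IP, False, "any"),
        ("elsewhere, no login, Satisfy any", OTHER_IP, False, "any"),
        ("elsewhere, valid login, Satisfy any", OTHER_IP, True, "any"),
        ("elsewhere, valid login, Satisfy all", OTHER_IP, True, "all"),
        ("office, valid login, Satisfy all", OFFICE_IP, True, "all"),
    ]
    return {
        label: request_admitted(ip, login, allow, deny, satisfy)
        for label, ip, login, satisfy in cases
    }


if __name__ == "__main__":
    for label, admitted in walk_through().items():
        print(f"{label:40s} -> {'admitted' if admitted else 'refused'}")
```

With Satisfy any, adding "deny from" for an address to this same file does not keep out a client at that address who holds valid credentials; the last assertion-style case to try is `request_admitted(OTHER_IP, True, [], ["all", OTHER_IP])`.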

There are many other .htaccess directives you can use to improve your WordPress security and protect your site or blog from malicious attacks, such as denying directory listing. You can read more about .htaccess directives in the Apache Tutorial: .htaccess files. As you can see, adding a .htaccess file to the WordPress admin area beefs up the security of your WordPress installation.

You can also use .htaccess files in other directories of the WordPress installation, or even in the root directory, to fine-tune your WordPress installation security. It is still very important to install the latest version of WordPress and plugins, irrespective of the extra layers of security you add to your WordPress installation. Acunetix can help you keep up to date and secure your WordPress blog or website. It will also alert you if you are running an old version of WordPress, or when a new version of a plugin that you are using is available.

  • Hi,

    We are currently working on publishing more content which is even easier to follow. Subscribe to our RSS or follow us on one of our social network channels (Facebook or Twitter) and you will be alerted once new content is published.

  • I too am finding these instructions hard to follow - like the previous poster I need a simple example .htpassword file and guidance where to put it.
    The .htaccess file seems easier to implement
    I need this because I have just recovered from a hack

    • Hi Ian,

      Ideally .htpassword files should be placed in a directory which is not published on the web server, i.e. if you are using a hosting provider, ideally it should be placed in a different directory than the public_html directory. The .htaccess file can be placed in the WordPress root. Before uploading a .htaccess file make sure that there is no other .htaccess file (generated by WordPress) or if there is, simply add the content of your .htaccess file to the existing one.

  • Hi
    What would be useful here would be to have a sample .htpassword file and a sample .htaccess file available for download, to be edited and then uploaded to the users servers.
    It should be pointed out more clearly that the .htpassword file does not need, nor want, to be in the publicly accessible area of the site (usually under public_html)
    Cheers for the great plugin

  • Hi Robert,

    The others are not alone, if you could post specific .htaccess examples where we could simply fill in our own necessary info (maybe put the places we need to change in RED or something) and then save and upload, that would be fabulous. Also, maybe screenshots of where the root directory is vs. public areas in order to help out the abject newbies. We all want to be more secure and we all dearly appreciate your amazing website & service!

    Thanks a million,
    Donna

  • I just tried doing this at one of my sites and was unable to login to wp-admin dashboard so I disabled password protection on wp-admin folder for that site again.

    I’m presuming that the user who has access to wp-admin folder could be the same as the site admin user but I’ve also got the Login Lock plugin installed to enforce password changes for admin accounts every 30 days. Thus, I will hold off on implementing this solution until you have a more thorough tutorial with some files to download, as someone suggested above.

    Thanks for keeping an eye on our website security tactics.

    • Hi Marj,

      Thank you for showing interest in our blog posts.

      Unfortunately it is almost impossible to make a template file available for download since every installation might be different. What we can provide you with is a template which you can use and adapt to your installation, as there is already. As explained earlier on, we are already working on an improved version of this blog post though we won’t be doing any downloadable file. As regards the users, the user used from WordPress cannot be used for HTTP authentication. The users in WordPress are controlled and stored in the WordPress installation, while the users for HTTP Access are typically stored in a htpasswd file, which is separate from a WordPress installation.

  • Yeah I wish you guys would post up a example htaccess file. I liked your facebook page. Please when you have a few minutes, give us the example code for the .htaccess files so we can put them on our sites. You didn’t give much detail in this area with the exception of telling us we needed it.

  • Your guys plugin is awesome. Does the plugin do automatic scans
    because i cant find a scan now button anywhere

    • Hi Gene,

      Thank you for showing interest in our plugin. Do you mean the WordPress plugins? If yes, these plugins run each time you access the actual Plugin page and alerts you of what needs to be changed, so there is no need for any buttons. If you have any further questions or comments about any of our products, please post them on our official company forums; http://www.websitedefender.com/forums.

  • I still have the alert for not having an .htaccess on my wp admin section. I have an .htaccess file on my main directory. I’m still hoping you will give an example what a .htaccess file should contain when inside my wp_admin area. Can you give any insight for this?? I guess I could just drop an empty .htaccess file in my wp_admin area.

    • Hi Zachary,

      As explained in this blog post, one has to make a username and password file (.htpasswd file) and then use the .htaccess sample used in the blog post itself:

      AuthUserFile /etc/httpd/.htpasswd
      AuthType Basic
      AuthName "restricted"
      Order Deny,Allow
      Deny from all
      Require valid-user
      Satisfy any

      Then there are several other directives which one can add in the .htaccess file, such as protection via IP etc.

  • Is there a theme that can prevent hackers to hack one site?

    • Hi Ceejay,

      We do not know of any theme and themes are not meant to work like that. What I suggest though is to install a security plugin and also subscribe to an online WordPress security service, such as WebsiteDefender. If you are looking for a WordPress Security plugin, check out our own WebsiteDefender WordPress Security plugin.

  • Yeah but I don’t know how to write the .htpasswd file. What do I put in it? Can you write an example using “username” and “password”?

    I think that is the reason for the confusion in this blog post as most people reading this don’t know much about .htaccess or .htpasswd and what to put in those files as it pertains to the actual syntax used.

    Some quick examples would be great.

    For example: if I create an .htaccess file, brand new, I simply include:
    AuthUserFile /etc/httpd/.htpasswd
    AuthType Basic
    AuthName "restricted"
    Order Deny,Allow
    Deny from all
    Require valid-user
    Satisfy any

    And that is it? Close and save?

    • Hi Zachary,

      The bold text in the blog post is the actual .htaccess file. All you need to do is copy that text (AuthUserFile should reflect the file of the .htpasswd). We are soon going to post an article on how to generate a .htpasswd file so stay tuned.

  • Thanks Robert. I will be looking forward to the post on the .htpasswd file. I have installed your plugin on all my clients WP sites. After being hacked a number of times, it helps me sleep well at night.

  • I’ve tried every way but Sunday to get this thing to work but no success. I have tried tutorials online and the only thing that is a result is that I’m locked out of my admin panel. I’m hoping that you will put together some kind of generator that will spit out the files we need and just let us know where to upload them.

    Till then, I give up.

  • Could we not just password protect the directory itself? I can easily log into my hosting control panel and password protect the wp-admin folder. I can’t use .htaccess files or even see them for that matter because I’m on a Mac.

    • Hi Aaron,

      Good solution. By the way, the fact that you have a Mac does not mean you cannot access .htaccess files.

  • Hi Guys, am I supposed to upload both the .htaccess and .htpasswd into the same directory or can they work even if in different directories?

    • Hi.

      You have to upload the .htaccess file in the directory which you want to protect. The .htpasswd file can be uploaded anywhere and then modify the “AuthUserFile” directive in the .htaccess to reflect the path where the .htpasswd is stored. I’d recommend you to post such questions on our official forums (http://www.websitedefender.com/forums).

  • I’ve created my .htpasswd with the generator above and copied it to my wp-admin folder (I’ve put it there inside a subfolder) and I also copied the .htaccess file to the wp-admin folder and changed it to point to my subfolder where the .htpasswd file is:

    AuthUserFile /blog/wp-admin/mysubfolder/.htpasswd
    AuthType Basic
    AuthName "restricted"
    Order Deny,Allow
    Deny from all
    Require valid-user
    Satisfy any

    It works fine so far: It will ask for my user and password I’ve generated with the generator.

    After this my normal wp-admin login is opening but it’s looking different (no style, no logo, only pure html)? …

    If I try then to login with my name and password for my WordPress account I get this error message:

    The script could not be executed correctly.
    Common causes might be that the file was uploaded in a non-ASCII format or the path to the interpreter (e.g.: #!/usr/bin/perl) is missing or set incorrectly.

    Any ideas?

    • Hi Marcel,

      It seems to be something related to permissions. I would recommend you to check the permissions of the wp-admin folder and all the files which are being accessed while logging in. If you have any further queries, I would recommend you to post them on our WebsiteDefender forums, where a helpful community is waiting to assist you.

  • WSD is an excellent plugin, but what I don’t understand is the need of the suggested password protection in /wp-admin. It doesn’t work because there are other files in that dir that WP calls when you visit the site. Using the suggested .htaccess simply irritates the visitor for the continuous “Enter password” pop up.
    Besides why developers didn’t suggest such a measure? Instead they only place the “silent is golden” index.php
    IMHO the best security measure is to use at least a secure 13 chars password (numbers, upper and lower case letters plus symbols) and a clever administrator name instead of the default admin.

    • Hi Luis,

      Thank you for showing interest in our plugin.

      We recommend to protect wp-admin section with an .htaccess to protect your blog from brute force attacks and from future zero day vulnerabilities that can be exploited against the WP-admin folder without the need to authenticate, as explained in the introduction of such article. By adding an .htaccess file to wp-admin your blog visitors should not be alerted to enter the password. If they are, then something might not be correct with your template or blog installation.

      If you have further queries, feel free to post them on the WebsiteDefender official forums.

  • To protect wp-admin, I found that the following worked. The ErrorDocument label was key. Set up .htpasswd as described elsewhere on this page.

    ErrorDocument 401 default
    AuthUserFile /home/username/.htpasswd
    AuthType Basic
    AuthName "restricted"
    Order Deny,Allow
    Deny from all
    Require valid-user

  • Or, as Luis suggested above. Only protect the .php files in wp-admin, this resolves issues with other items calling stuff in wp-admin.

    ErrorDocument 401 default

    AuthUserFile /home/username/.htpasswd
    AuthType Basic
    AuthName "restricted"
    Order Deny,Allow
    Deny from all
    Require valid-user
    Satisfy any

  • Great plugin, thank you.

    I generally put the wordpress install in a subfolder, and then at launch, move the site itself up to the main folder, leaving the install where it is. This is done using the htaccess in wordpress itself, kind of the reverse of what is done here: http://codex.wordpress.org/Moving_WordPress

    So, just tried setting up htaccess to wp-admin folder using CPanel. Result: WP could no longer find wp-admin folder. I’m baffled, because there was no .htaccess file in the wp-admin folder before. Any ideas, or direction would be welcome.

    • Hi Norine,

      Thank you for getting in touch.

      Unfortunately we cannot understand your query. Can you please post your query on our WebsiteDefender forums?

      Thank you and looking forward to hearing from you.

  • Hi!

    Thank you for tips!
    I did everything like you write here for Password protect wp-admin directory with a .htaccess file

    But when I access my /wp-admin/ I get

    Error 404 — Not Found
    You are trying to reach a page that doesn’t exist here. Maybe I’ve moved out things or maybe you mistyped a link. Try searching:

    Can you help me what I need to do?Why I have this Error??

    Thanks!

    • Hi Alina,

      Thank you for following our blog.

      Unfortunately we cannot assist you in this case without having more details, such as URL of website, content of .htaccess etc. In that case I recommend you to contact our support on support@websitedefender.com.

      Looking forward to hearing from you.

  • Hi!

    Thank you! I’ve already fixed the problem.
    I just added
    ErrorDocument 401 default
    in the .htaccess file and it works.
    I don’t understand the meaning of this row, I just found this solution on the net, but it works :)

    Thank you for your blog!

  • Post implementing .htpasswd for wp-admin folder I’m not able to change my themes from admin dashboard. Can you please help me why I’m not able to change password. Getting error

    “You do not have sufficient permissions to access this page.”

  • I’ve followed these instructions, but with the .htaccess file in the wp-admin folder it keep getting a 404 Page Not Found error.

    I’ve setup my .htpasswd file just like it’s supposed to be…I think…

    • Hi,

      I would recommend you to use a .htaccess without any form of credentials at first, i.e. just control the IP access. Then start adding other features, such as credentials. Adding such restrictions one by one, you would know exactly what is wrong.

      If you have further queries, post them on our community led forums; http://www.websitedefender.com/forums.

  • Hi Robert
    There’s no denying that the plug-in is a gem, but I’ve still got a bone to pick. You’ve been promising for three months now that there’ll be a clearer description of the .htaccess and .htpasswd shenanigans. Where is it and why does it take more than three months? I would expect it to take a knowledgeable person a couple of hours to do if there was an honest determination to do so. What is the real score here? Surely a relatively simple text with a few images or even a video that wouldn’t need to be more than a couple of minutes would surely suffice.
    Furthermore, the WD team has created a tool to remove the wp_ prefix from the database whatevers. Would it not be possible to develop a tool to assist non-tech people in achieving what the verbose and unclear instructions have hitherto not achieved?
    I repeat, I’m not bagging you guys at all, the WD is a great plug-in, it’s just a little mystifying that something that you claim is so important is being dealt with so ambiguously.
    Keep up the good work.
    Cheers
    Hard Yakka

    • Hi Hard,

      We’ve improved this article a couple of times and also added some links in the article which will definitely help. There is no way how we can make it more simple. Strictly speaking, a copy and paste of the sample .htaccess file, change the path of the .htpasswd file should make the trick.

      We are thinking of including such feature in the plugin.

  • I’m running a WordPress website. But, I’ve not enough security. Now I using this security. This article & web defender security very need for us. So, now i’m completely tension free.

  • Thanks for a great program.
    Any chance you could show a example of a fully protected .htaccess file?
    That would be great.

    • Hi Kim,

      A full example of a htaccess file is in the blog post itself.

  • Please consider adding a bit of logic to the WP-Security plug-in to check what the underlying web server is. The tool recommends a .htaccess file for my wp-admin directory, but I’m running Nginx, which does not use .htaccess files.

    • Hi Lee,

      Thank you for showing interest in our plugin.

      That is currently one of the features we would like to work on. I would recommend you though to add this feature request to http://ideas.websitedefender.com.

      Looking forward to hearing from you.

  • Hi… I’ve done whatever on this article to create .htpasswd and .htaccess for my wp-admin folder…
    I create .htpasswd from xampp with -cm.. and upload on different subfolder.. not in public_html.. and placed .htaccess file like example above (AuthUserFile my own path) on wp-admin folder… but after that when I go to setting or whatever on admin page, I redirected to an error page….. Did I miss something?? please help…

  • I put an htaccess file in the wp admin folder and the site stopped working so I had to remove it. not sure what I did wrong. the site or host or theme didn’t like what I had there.

    can you let me know what basic code this htaccess file should have to protect the admin folder? the info on the htpasswd was confusing to me too so I did not create that.

  • Ok, so I’m running WordPress within a directory on the server and the .htaccess file for the permalinks etc is in that directory.

    Website Defender says that there isn’t a .htaccess file in the root directory. What should that .htaccess file contain from a security perspective?

    • Hi,

      A sample of such file is mentioned in the blog post. If you have issues with some WebsiteDefender alerts I would recommend you to contact us on support@websitedefender.com.

      Looking forward to hearing from you.

  • Can the .htpasswd file be located in other folders? What if I don’t have access to the etc/httpd folder because I’m only using a shared host?

    • Hi,

      The .htpasswd file can be located in any folder you like. What is important is that in the .htaccess file you specify the correct path for the htpasswd file.

  • I created a .htpasswd and .htaccess file as suggested. It worked, in the sense that when I went to (mydomain)/wp-admin I was challenged with a username/password prompt, and entering the correct user/passwd got me past it. But it did NOT work in that once I got past that login, all I saw was a blank page. I didn’t see any way to actually get to the WordPress admin options. So I disabled the .htaccess again.

    Two questions:

    1. How would I get around this?

    2. Assuming there’s a way around this, does it mean that in order to actually get to the WP admin panel I would first have to login with the .htaccess user/passwd and then login again at the WordPress level using the WP admin user & password?

    3. Okay, I had more than two questions. Assuming I have deleted the default WP admin user and instead created a WP user with a hard-to-guess username and a good long complicated password, isn’t that security enough? What is protected by the .htaccess file that isn’t already protected by the regular WP admin login process?

    • Hi David,

      Below please find your answers.

      1. It seems to be a permissions problems. In this case you have to check the files and directory permissions and allow the user used for authenticating access on such files.

      2. Correct. You have to use 2 sets of credentials to login.

      3. As explained in the article “Most common attacks against WordPress have been brute force attacks, or sending of specially crafted HTTP requests to WordPress files in wp-admin, therefore it is very important to add an extra layer of protection to the WordPress wp-admin section”.

      While hoping the above answers your queries, do not hesitate to contact us again.

  • Thanks. I’m still confused about questions 1 & 3, though.

    1. In my wp-admin folder, all the PHP files have permissions “-rw-r--r--” which would seem to grant read permission to all users (assuming they can get into the folder at all.) The permissions on the wp-admin folder itself are “-rwxr-xr-x” which should let anyone into the folder, as long as they pass the .htaccess requirements. So, what would I need to change to make this work?

    3. I sort of understand what you’re saying, but not exactly. Do you mean that an HTTP request can be made to specific PHP files in wp-admin and those files would send a response or do some action without checking that the user is logged in with WordPress admin credentials?

    • Hi David,

      Unfortunately offhand I cannot tell you exactly what is wrong because it also depends what kind of configuration you have and with whom you are hosting your WordPress installation. In that case I would recommend you contacting me directly on ra@websitedefender.com and we can help you solve this issue.

      Looking forward to hearing from you.

  • I tried this advice and completely lost access to my wordpress. Now I can’t see the .htaccess file to delete it from my server… and I’m guessing I simply have to reinstall wordpress and reload my site from a backup. This is the worst advice blog i’ve ever read.

    • Hi SuicidalWebNoob,

      The fact that you cannot see the htaccess file is most probably because you are using an FTP client that is not showing hidden files. Navigate to the options of such client you are using and enable show hidden files to be able to see the .htaccess file.

      I can assure you the above does work, because thousands of people already implemented it. It is also tested and proven by us 🙂

  • well… actually, now that i see the .htaccess file, i can at least delete it :p
    or maybe this is the security measure: create an .htaccess file, lose access to your “site/wp-admin” login page entirely (I see no other login prompt, just a 404 error) and whenever you need it back, go back and delete the .htaccess file 😀

    • Hi SuicidalWebNoob,

      The issue you are encountering is because you have some wrong paths specified in the .htaccess file. If you give us ftp access and access to your logs we can sort it out for you. Drop me a mail on ra@acunetix.com with the details and we will sort it out.

  • Please help, I’ve created the file. htpasswd and I put in the wp-admin, the following file. httaccessnya.

    But now I can not login to wp-admin.

    Error message: To bad – Internal Server Error

    • Hi Sigit,

      Thank you for following our blog.

      You cannot rename an .htaccess file to anything you want. It should be named .htaccess unless you configure your web server (such as Apache) to read such configuration files, i.e. with non default names.

  • Hi Robert,

    I’ve read your post which seems very clear to understand and implement for beginners like me.

    Though I get internal server error…

    This is what I put in the .htaccess which is located in the wp-admin folder.

    # Security
    AuthUserFile /etc/httpd/.htpasswd
    AuthType Basic
    AuthName "restricted"
    Order Deny,Allow
    Deny from all
    Require valid-user
    Satisfy any

    # Whitelist work IP address
    allow from XXX.XX.XXX.XXX

    I followed your .htpasswd instructions and used a generator to create one, very good.

    And the path I used was yours, so the .htpasswd is stored in this path wp-admin/etc/httpd/.htpasswd.

    I have X’ed my IP and my IP is fixed and definitely correct – so can’t really understand where I’m going wrong?

    I have posted the .htaccess on github – https://gist.github.com/2358545

    Thanks for any advice.
    Josh

    • Hi Josh,

      Sorry for the late response. I would recommend you to contact me directly on ra@websitedefender.com regarding this issue. If we can have access to the website (do not publish such details in the comments here) we can sort it out and let me know what was wrong.

  • the path would be
    /home/yourcpaneuser/.htpasswds/public_html/wp-admin/passwd
    for most default hostings.

  • So this .htaccess isn’t the same as a file from a root directory?

  • Hi all,

    I have followed these steps and I am using WP on a localhost/wptest and I have created the folder etchttpd and placed the said .htpasswd in that folder (I am admin on my computer and have full rights to all the folders and files), the .htaccess file directly in the wp-admin folder.

    I also get an internal server error. Any suggestions? What am I missing/ doing wrong?
    I am using a localhost so that I am able to test and try these things out before I publish my site.

    Question;
    If not using this solution, can someone then browse to sitename/wp-admin and browse the files within that directory and thereby download them? I am using WP 3.3.2 (the latest one from the WP website, downloaded today).

    Thnx in advance!

    • Hi Martin,

      since such issue requires some troubleshooting, it is better if you post your request on the WebsiteDefender forums.

      As regards your second query, no, users cannot simply access any file in wp-admin. Though if a SQL injection is discovered, which is triggered by calling such files, then yes the malicious user can take advantage of you not having the wp-admin secured with HTTP authentication.

  • Hi Guys, there is just a small problem with placing a .htaccess file in the wp-admin folder. When a regular user lost his password and clicks on the link provided within the “forgot password” email, he is asked for the password of the wp-admin folder which he does not have. Hmmm, is there a solution for that ?

    • Hi Christian,

      you can always change the HTTP password by downloading the htpasswd file and specify a new password in the file.

  • I just found out that you can do this the security section in Cpanel, it will write your files for you, just use the mouse to select the folder you would like to protect.

    • Yes correct. Most Cpanels allow you to configure this automatically.

  • Hi I am new to .htaccess and am having issues with making .htpasswd and .htaccess for wp-admin.
    I have put .htpasswd in /etc and have put a .htaccess in wp-admin.. My .htaccess in the sites root folder is stopping it working?. My hosting company told me this but wont help.
    I had it work once so the file path is correct yet if I disable all the redirects it gives me a server error? any ideas

  • I have added the .htaccess file as mentioned in the post and the .htpasswd file in the root.
    My blog now shows an error establishing a database connection. Please advise.

    • Hi Syed,

      .htaccess files got nothing to do with WordPress database connection. Check if you’ve done some other changes as well. If you have problems, please post on our Forums.

  • # protect from spam comments
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post.php*
    RewriteCond %{HTTP_REFERER} !.*yourdomain.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

  • how can i add .htaccess file to my site safely plz tell the procedure

    • Hi there,

      To create an htaccess file, use notepad – save the file as .htaccess. Then simply upload it to the website using FTP or the File Manager from your Web Hosting Provider Cpanel.

  • I created a .htpasswd and .htaccess file as suggested. It worked, in the sense that when I went to (mydomain)/wp-admin I was challenged with a username/password prompt, and entering the correct user/passwd got me past it. But it did NOT work in that once I got past that login, all I saw was a blank page. I didn’t see any way to actually get to the WordPress admin login. So I disabled the .htaccess again and everything is working fine! Put it back, the same problem occurs.

    If it is as you suggested to David Woolley on the above post March 29, 2012 a permissions problem. In this case you have to check the files and directory permissions and allow the user used for authenticating access on such files… What do we actually need to change?

    In my wp-admin folder, all the PHP files have permissions 0644 which would seem to grant read permission to all users (assuming they can get into the folder at all.) The permissions on the wp-admin folder itself are 0755 which should let anyone into the folder, as long as they pass the .htaccess requirements. So, what would I need to change to make this work?

    My .htaccess file is as follows :-

    # BEGIN DP_Secure
    ErrorDocument 401 default
    AuthUserFile /.htpasswds/.htpasswd
    AuthType Basic
    AuthName "restricted"
    Order Deny,Allow
    Deny from all
    Require valid-user
    Satisfy any
    # END DP_Secure

    My .htpasswd file is as follows (dummy example of course not the exact one!):

    smith:$ahgf2$kyosFden$KtmLMmghG26qj.JFesgDv/
    jones:$hgf6$09kjghjSw$Bx2gh/ty0TZplol8fTJe2e.

    Please can you clarify.

    Thank you.

  • Hi Rampling

    Thank you for your post.

    Regarding your issue, the code you have is correct. However, I was wondering if the path you have entered in your code is the absolute path. I would ask you to kindly change the path to the .htpasswd file to the absolute path. That means the whole or complete path to the .htpasswd file. If this still does not work please refer to your hosting provider of your website since something else might be causing this behavior. Your code is correct.

    Thank You

    ———

    Stay tuned with the latest news and updates by subscribing to our WebsiteDefender Facebook account http://www.facebook.com/WebsiteDefender or follow us on Twitter http://twitter.com/websitedefender .

    Remember, stay secure!

  • You can do it easier & faster by editing Apache server directives. Below you can see the example:

    Order deny,allow
    Deny from all
    Allow from “your ip address”(prefix can be used to allow multiple ip addresses ex: 88.255.225.0/24)
    Options -Indexes

  • Hi
    wp-admin section htaccess protection is not working. but same way same file working for root directory…. what is the solution of this

    • Hi Sojib,

      Thanks for following our blog.

      I would recommend you to speak to your hosting provider. Many hosting providers do not always support this and they might need to set it up themselves.

  • Thanks for this tips. Now my wp-admin directory is a bit safe! Thanks again.

  • how can i add .htaccess file to my wordpress site sir please explain me

  • Hello, Thank you very much for this great plugin. I use a Microsoft IIS system. So there are no htaccess files. Maybe you want to check this in future plugin versions and correct the error message “The file .htaccess does not exist in the wp-admin section. …”

    Again: thank you a lot for your work.

    R

  • Hi R

    Thank you for letting us know about this, we will have a look into it and include any updates necessary in the next release of the plugin.

    Thanks
