Adding server-side protection around the WordPress wp-admin folder is like adding a second layer of protection to your WordPress admin area, login page and files. Server-side protection can be added by adding a .htaccess file (directory level configuration file) in your wp-admin WordPress sub directory.

Most common attacks against WordPress have been brute force attacks, or sending of specially crafted HTTP requests to WordPress files in wp-admin, therefore it is very important to add an extra layer of protection to the WordPress wp-admin section. By adding the .htaccess file to the wp-admin directory, you are safe guarding your WordPress blog or website from such attacks.

Password protect wp-admin directory with a .htaccess file

With the .htaccess file you can configure the server to password protect all the files in the wp-admin folder. Therefore, before accessing WordPress files, such as the admin area login page, you have to first authenticate against the server itself, using HTTP authentication.  By password protecting the WordPress admin area, if a malicious user tries to access your WordPress admin area login page to launch a brute-force attack, or any other file which resides in the wp-admin directory to send a harmful crafted HTTP request, he is greeted with a server side login prompt and no direct access to WordPress files is possible.

To password protect your WordPress admin area, you have to create a .htpasswd file.  A .htpasswd file contains a list of users and passwords used access the wp-admin file. The credentials to access wp-admin, should be different than those you use to login to your WordPress admin area. Once the .htpasswd file has been created, you can then create a .htaccess file and populate it with the below directives:

AuthUserFile /etc/httpd/.htpasswd
AuthType Basic
AuthName “restricted”
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any

Note: the AuthUserFile directive should contain the path of where the .htpasswd file is stored on the server or on your hosting space.

Further protection of wp-admin folder with htaccess file

If you always access the blog from a fixed IP, you can also restrict access to the WordPress admin area by IP.  To do so, simply add the below directive to the .htaccess file, where is  your IP. It is possible to add more IP’s to the list at a later stage by editing the existing .htaccess file.

allow from

You can also block a spammer, bot or malicious user from accessing your blog with the .htaccess file.  To do so, simply add the below directive to the .htaccess file where is the IP to be blocked. It is possible to add and remove IP’s to the list at a later stage by editing the existing .htacess file.

deny from

There are many other htaccess directives which you can use to ensure your WordPress security and protect your site or blog from malicious attacks — such as denying directory listing etc. You can read more about .htaccess directives from the Apache Tutorial: .htaccess files. As you can see, by adding a .htaccess file to the WordPress admin area beefs up the security of your WordPress installation.

You can also use .htaccess files in other directories of the WordPress installation, or even in the root directory to fine tune your WordPress installation security.  Still it is very important to install the latest version of WordPress and plugins, irrelevant of the extra layers of security you add to your WordPress installation. Acunetix can help you keep up to date and secure your WordPress blog or website.  It will also alert you if you are running an old version of WordPress, or when a new version of a plugin that you are using is available.

Related blog article:


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.