HOWTO: Harden your WordPress wp-admin using password protection

Though wp-admin is already protected by WordPress's own login/password authentication, this post shows how to add a second layer of security in front of it.

That second layer is HTTP basic authentication, backed by an htpasswd file.

Create htpasswds file

Use the htpasswd command on Linux or OS X to create the htpasswd file. The command to execute is as below:

$ htpasswd -c .htpasswd mydemouser 
New password: 
Re-type new password: 
Adding password for user mydemouser

A file named .htpasswd is created in the current directory:

$ cat .htpasswd

Changes on server hosting WordPress site

1. Copy the .htpasswd file to a directory that's outside the wp-admin directory.

Suggested Directory: /home10/mydemouser/.htpasswds/public_html/wp-admin/passwd/

Change the directory as per your site deployment.

2. Create a .htaccess file in the ~/public_html/wp-admin directory and include the following:


AuthName "Restricted Access"
AuthUserFile /home10/mydemouser/.htpasswds/public_html/wp-admin/passwd/.htpasswd
AuthGroupFile /dev/null
AuthType basic
require user mydemouser

3. Access the wp-admin page and confirm that an authentication popup window appears. If the page instead fails with a "too many redirects" error, proceed with the next step.

Stop the too many redirects error

4. Edit the .htaccess under ~/public_html and add the following line before the WordPress rules start, so that Apache answers with its built-in 401 response instead of routing the error through WordPress:

ErrorDocument 401 default

That’s it – double layer authentication should now be active.

How to fix the admin-ajax issue

If wp-admin is password protected, front-end AJAX functionality (if it is in use) breaks, because those requests go to wp-admin/admin-ajax.php and now receive a 401. To fix this, follow the step below.

1. Edit the .htaccess file in the ~/public_html/wp-admin folder and add the following block to it, which exempts admin-ajax.php from the password prompt:

<Files admin-ajax.php>
     Order allow,deny
     Allow from all
     Satisfy any
</Files>
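Because the three files above are easy to get subtly wrong (an unclosed block, a user file left inside the web root, the 401 override placed after the WordPress rules), the following added audit script checks them the way a reviewer would. It is an example written for this post, not code from the original, and it covers the htpasswd section, the wp-admin .htaccess, the ErrorDocument step and the admin-ajax exception together. It also names the hash scheme each .htpasswd entry uses, since htpasswd -c stores MD5-based ($apr1$) hashes by default while htpasswd -B stores bcrypt; the sample contents, the document root and the placeholder hash are constructed.

```python
"""Constructed audit for the three files this HOWTO produces (an added example,
not code from the original post). Sample contents and paths are placeholders."""
import re
from pathlib import PurePosixPath


def classify_hash(hashed):
    """Scheme by the prefix htpasswd writes: -B bcrypt, -m (default) $apr1$,
    -s {SHA}, -d 13-char crypt(3), -p plaintext (13-char plaintext looks like crypt)."""
    if hashed.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hashed.startswith("$apr1$"):
        return "apr1-md5"
    if hashed.startswith("{SHA}"):
        return "sha1"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hashed):
        return "crypt"
    return "plaintext-or-unknown"


def audit_htpasswd(text):
    """Flag entries not stored with bcrypt, the one htpasswd scheme built to slow offline guessing."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        kind = classify_hash(hashed) if sep else "malformed"
        if kind != "bcrypt":
            findings.append(f".htpasswd line {lineno}: {user!r} is {kind}; use 'htpasswd -B'")
    return findings


def parse_directives(text):
    """Return (directives, unclosed blocks); a directive is (lowercased name, args,
    enclosing block args), so 'Satisfy any' inside <Files admin-ajax.php> has ('admin-ajax.php',)."""
    directives, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif line.startswith("<"):
            stack.append(line.strip("<>").split()[-1])
        else:
            parts = line.split(None, 1)
            directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else "", tuple(stack)))
    return directives, stack


def audit_wpadmin_htaccess(text, docroot):
    """Check wp-admin/.htaccess against what the post intends."""
    findings = []
    directives, unclosed = parse_directives(text)
    if unclosed:
        findings.append(f"wp-admin/.htaccess: unclosed block(s) {unclosed}")
    top = {name: args for name, args, ctx in directives if not ctx}
    if top.get("authtype", "").lower() != "basic":
        findings.append("wp-admin/.htaccess: AuthType Basic missing")
    userfile = PurePosixPath(top.get("authuserfile", ""))
    if not userfile.is_absolute():
        findings.append("wp-admin/.htaccess: AuthUserFile missing or not an absolute path")
    elif PurePosixPath(docroot) in userfile.parents:
        findings.append("wp-admin/.htaccess: AuthUserFile sits inside the web root")
    if not top.get("require", "").startswith("user "):
        findings.append("wp-admin/.htaccess: no 'Require user', so no login is enforced")
    ajax = {(n, a.lower()) for n, a, ctx in directives if ctx == ("admin-ajax.php",)}
    if ("satisfy", "any") not in ajax:
        findings.append("wp-admin/.htaccess: admin-ajax.php lacks 'Satisfy any'; front-end AJAX gets 401")
    return findings


def audit_root_htaccess(text):
    """'ErrorDocument 401 default' must come before the '# BEGIN WordPress' block."""
    lines = [l.strip().lower() for l in text.splitlines()]
    err = next((i for i, l in enumerate(lines) if l.startswith("errordocument 401")), None)
    begin = next((i for i, l in enumerate(lines) if l == "# begin wordpress"), None)
    if err is None:
        return ["root .htaccess: 'ErrorDocument 401 default' missing (redirect-loop risk)"]
    if begin is not None and err > begin:
        return ["root .htaccess: ErrorDocument 401 must precede '# BEGIN WordPress'"]
    return []


# Constructed samples: the post's wp-admin/.htaccess and a placeholder (not real) apr1 hash.
DOCROOT = "/home10/mydemouser/public_html"
SAMPLE_HTPASSWD = "mydemouser:$apr1$saltsalt$" + "x" * 22 + "\n"
SAMPLE_WPADMIN = """AuthName "Restricted Access"
AuthUserFile /home10/mydemouser/.htpasswds/public_html/wp-admin/passwd/.htpasswd
AuthGroupFile /dev/null
AuthType basic
require user mydemouser
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
"""
```

Run the three audit functions over the real files (for example with `open(path).read()`) and treat an empty list as a pass; the wp-admin check reports the missing `</Files>` closer as an unclosed block, and the .htpasswd check points at any entry that was not created with `htpasswd -B`.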
