Protecting the WordPress wp-admin Folder

In the past, WordPress could be compromised through security holes in its back-end administration, i.e. through wp-admin. Although the back end has improved a lot since then, it is still a good idea to protect your wp-admin folder from unauthorized access.

There are actually two simple actions you can take in order to make your wp-admin folder more secure, and I suggest you take both:

1. Password-protect your wp-admin folder

In addition to the admin account you get when you install WordPress, it is safer to password-protect the wp-admin folder using an .htaccess file (assuming that you are hosting your website/blog on an Apache web server).

Nowadays most hosts let you easily password-protect any folder you want through an intuitive web interface. If your host uses cPanel, the interface should look like this:

(Screenshot: Password Protect Folder)

The rest of the process should be easy with all the written directions. If you still find it confusing, however, there is a video tutorial you might want to take a look at. That video clip should also be available in your cPanel:

(Screenshot: cPanel Video Tutorials)

If for some reason you cannot use the tool provided by cPanel, or you do not have cPanel at all, please read this comprehensive guide to manually password-protect the wp-admin folder. Whichever approach you choose, a new .htaccess file will be created in your wp-admin folder.

Note: There is one major drawback with this method: your normal visitors will also be prompted for the same username/password pair you just chose when they fail to comment, log in, or sign up. WordPress causes this because its front-end pages request files inside the wp-admin folder (scripts, styles, images and admin-ajax.php). To fix this, just add the following lines to your newly created .htaccess file:

# Serve wp-admin's static assets without a login prompt
<FilesMatch "\.(css|js|jpg|jpeg|gif|png)$">
Order Allow,Deny
Allow from All
Satisfy Any
</FilesMatch>

# admin-ajax.php is requested from the public front end as well
<Files admin-ajax.php>
Order Allow,Deny
Allow from All
Satisfy Any
</Files>

(More information and example uses of Files and FilesMatch can be found here.) Now you should only be prompted for a username and password when you visit http://example.com/wp-admin. Neat.

2. Blocking access by IP address

Another effective way to protect your wp-admin folder is to limit access to it to a whitelist of IP addresses. Again you need an .htaccess file to make this happen. Using your web host's file manager or an FTP client, create a new .htaccess file with the following contents:

order allow,deny
deny from all
allow from your.ip.address.here

and then put it in the wp-admin folder. As you might have guessed, you need a static IP address for this to work as expected. Otherwise you will have to keep changing your.ip.address.here to your current dynamic IP address, which will not always be up to date.

If you believe that hacking attempts are coming from certain IP address ranges (check the server's logs), it is better to deny requests from those ranges only and allow requests from everyone else, like so:

order allow,deny
deny from 123.24.131.
deny from 65.49.70.0/20
allow from all

A more detailed explanation of the Order directive in an .htaccess file can be found here if you are interested.
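The same protection written for Apache 2.4, as an added example that is not part of the original post: Apache 2.4 replaced Order, Allow, Deny and Satisfy (which only keep working there when mod_access_compat is loaded) with Require directives, so this file combines the password prompt from section 1 with the IP whitelist from section 2, keeps the static-asset and admin-ajax.php exceptions, and shows the deny-only variant. The .htpasswd path and the 203.0.113.7 / 198.51.100.0/24 addresses are placeholders to replace with your own, and the file needs AllowOverride AuthConfig to be honoured.

```apache
# wp-admin/.htaccess for Apache 2.4 (added example, not from the post).
# Placeholders: the .htpasswd path and the two client addresses/ranges.
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/example/.htpasswd

# Default for everything under wp-admin: a valid HTTP Basic login AND a
# whitelisted client address (2.4 form of "deny from all" + "allow from ...").
<RequireAll>
    Require valid-user
    Require ip 203.0.113.7 198.51.100.0/24
</RequireAll>

# Static assets that WordPress loads from wp-admin on public pages:
# "Require all granted" here does what "Satisfy Any" did in the post.
<FilesMatch "\.(css|js|jpg|jpeg|gif|png)$">
    Require all granted
</FilesMatch>

# admin-ajax.php is requested for anonymous visitors by themes and plugins.
<Files admin-ajax.php>
    Require all granted
</Files>

# Variant for a dynamic home IP: keep the password prompt but only block
# the ranges seen in the logs (the post's "deny from ... / allow from all").
# Use this block instead of the <RequireAll> block above, not in addition.
# <RequireAll>
#     Require valid-user
#     Require not ip 123.24.131
#     Require not ip 65.49.70.0/20
# </RequireAll>
```

A typo in a Require line produces a 500 error for the whole folder, so test the file on a staging host or check the Apache error log right after uploading it.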

Now that you have protected your wp-admin folder, it’s a good idea that you harden other portions of WordPress, too. Stay safe!


11 Opinions for Protecting the WordPress wp-admin Folder

  1. Kylemar – April 4, 2011 at 8:54 pm

    Hello, I tried to restrict access to the wp-admin folder but now I cannot access my admin page anymore; the server returns a 404 error page :(. Any idea?

  2. vitor – August 17, 2011 at 9:06 am

    Serious enthusiast of this website; quite a few of your articles or blog posts have truly helped me out. Looking forward to improvements!

  3. Bob Miller – September 2, 2011 at 6:55 pm

    Everybody can access my admin folder and I’m too scared to do the modification myself. I am guessing I should just outsource it or something, so that I don’t end up messing something up.

  4. Joseph Dean – September 28, 2011 at 10:30 am

    This is one of those duh moments… never thought about adding that extra security to the wp-admin folder with .htaccess. Takes only a few minutes too. Thanks for the useful tutorial on adding that extra protection to WP.

  5. AkashArora – December 23, 2011 at 11:25 pm

    I was looking for some nice security tips for my new WordPress blog and I found them here. Thanks

  6. Kay – January 11, 2012 at 3:21 pm

    Thanks for the useful tips. I just changed my WP user and password to something really complicated, hope this will provide better protection.

  7. Ajnabii – February 23, 2012 at 7:41 am

    Hello Dear,
    Thanks for the nice article. I have changed the default admin username to something different, I have set up the wp-admin directory with a password, and I'm also using some plugins to protect my blog :)

    Thanks for helping!

  8. Menti – March 2, 2012 at 1:18 am

    Thank you for this article… it is useful to me

  9. SL Marketer – April 14, 2013 at 4:54 pm

    Hi, great tips. I wanted to know whether I can limit access to my wp-admin folder by 2 or 3 IP ranges. I'm now in a new home and this net connection changes my IP every time I connect, so I'm having problems with my IP changing every time.
