Protecting the WordPress wp-admin Folder
In the past WordPress was hackable due to a security hole in the back-end administration, i.e. through
wp-admin. Although the back end has been improved a lot since then, it is still a good idea to protect your wp-admin folder from unauthorized access.
There are actually two simple actions you can take in order to make your
wp-admin folder more secure, and I suggest you take both:
1. Password-protect your wp-admin folder
In addition to the admin account you have when you install WordPress, it is safer that you password-protect
wp-admin folder using an .htaccess file (assuming that you are hosting your website/blog on an Apache web server).
Nowadays most hosts allow you to easily password-protect any folder you want through an intuitive web interface. If your host is using CPanel, the interface should look like this:
The rest of the process should be easy with all the written directions. If you, however, still find it confusing, there’s a video tutorial that you might want to take a look. That video clip should be available in your CPanel too:
If for some reasons you can not use the tool provided by CPanel or you do not have CPanel at all, please read this comprehensive guide to manually password-protect the
wp-admin folder. Whichever approach you choose, a new .htaccess file will then be created in your
Note: There is one major drawback with this method, that is your normal visitors will also be prompted to provide the same pair of username/password you just choose when they fail to comment or when they login or signup. WordPress causes this issues because it requests for media files inside the
wp-admin folder. To fix this, just add the following lines to your newly created
<FilesMatch "\.(css|js|jpg|jpeg|gif|png)$"> Order Allow,Deny Allow from All Satisfy Any </FilesMatch> <Files admin-ajax.php> Order Allow,Deny Allow from All Satisfy Any </Files>
(More information and example uses of Files and FilesMatch can be found here.) Now you should only be prompted for a username and password when you visit
2. Blocking access by IP addresses
Another effective way to protect your
wp-admin folder is to limit access to it based on some whitelisted IP addresses. Again you would need an
.htaccess file to make this happen. Using your web host’s file manager or an FTP client, create a new
.htaccess file with the following contents:
order allow,deny deny from all allow from your.ip.address.here
and then put it in the
wp-admin folder. As you might have guessed, you will need a static IP address for this to work as expected. Otherwise, you will have to change
your.ip.address.here to your dynamic IP address, which might not be accurate all the time.
If you believe that there are some hacking attempts coming from certain IP address ranges (check the server’s log), it is recommended that you deny requests from those IP address ranges only, and allow requests from all, like so:
order allow,deny deny from 123.24.131. deny from 220.127.116.11/20 allow from all
A more detailed explanation of the Order directive in an
.htaccess file can be found here if you are interested.
Now that you have protected your
wp-admin folder, it’s a good idea that you harden other portions of WordPress, too. Stay safe!