
Protecting the WordPress wp-admin Folder


In the past WordPress was hackable due to a security hole in the back-end administration, i.e. through wp-admin. Although the back end has been improved a lot since then, it is still a good idea to protect your wp-admin folder from unauthorized access.

There are actually two simple actions you can take in order to make your wp-admin folder more secure, and I suggest you take both:

1. Password-protect your wp-admin folder

In addition to the admin account you get when you install WordPress, it is safer to password-protect the wp-admin folder using an .htaccess file (assuming you are hosting your website/blog on an Apache web server).

Nowadays most hosts allow you to easily password-protect any folder you want through an intuitive web interface. If your host is using CPanel, the interface should look like this:

[Image: Password Protect Folder]

The rest of the process should be easy with all the written directions. If, however, you still find it confusing, there is a video tutorial that you might want to take a look at. That video clip should be available in your CPanel too:

[Image: CPanel Video Tutorials]

If for some reason you cannot use the tool provided by CPanel, or you do not have CPanel at all, please read this comprehensive guide to manually password-protect the wp-admin folder. Whichever approach you choose, a new .htaccess file will then be created in your wp-admin folder.

Note: There is one major drawback to this method: your normal visitors will also be prompted for the same username/password pair you just chose when they fail to comment, or when they log in or sign up. WordPress causes this because it requests files from inside the wp-admin folder even on the public pages of the site. To fix this, add the following lines to your newly created .htaccess file:

# Static files that WordPress loads from wp-admin on public pages:
# let them through without a password prompt.
<FilesMatch "\.(css|js|jpg|jpeg|gif|png)$">
Order Allow,Deny
Allow from All
Satisfy Any
</FilesMatch>

# admin-ajax.php is called from the public side of the site as well.
<Files admin-ajax.php>
Order Allow,Deny
Allow from All
Satisfy Any
</Files>

(More information and example uses of Files and FilesMatch can be found here.) Now you should only be prompted for a username and password when you visit the wp-admin folder itself. Neat.

2. Blocking access by IP addresses

Another effective way to protect your wp-admin folder is to limit access to it based on some whitelisted IP addresses. Again you would need an .htaccess file to make this happen. Using your web host’s file manager or an FTP client, create a new .htaccess file with the following contents:

order deny,allow
deny from all
# replace 203.0.113.10 (a placeholder) with your own static IP address
allow from 203.0.113.10

and then put it in the wp-admin folder. As you might have guessed, you will need a static IP address for this to work as expected. Otherwise you will have to keep updating the file with your current dynamic IP address, which will not be accurate all the time.

If you believe that there are hacking attempts coming from certain IP address ranges (check the server's log), it is recommended that you deny requests from those IP address ranges only and allow requests from everyone else, like so:

order allow,deny
deny from 123.24.131.
# replace 198.51.100.0/24 (a placeholder) with any other range you want to block
deny from 198.51.100.0/24
allow from all

A more detailed explanation of the Order directive in an .htaccess file can be found here if you are interested.
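The Order, Allow and Deny semantics behind both snippets above, and the Satisfy Any trick from step 1, are easy to get backwards: a whitelist written with `order allow,deny` plus `deny from all` rejects everyone, the whitelisted address included, because with that order a request must match an Allow and must not match any Deny. The following Python simulation of how Apache 2.2 evaluates these directives is an added example, not code from the original post; the addresses 203.0.113.10, 123.24.131. and 198.51.100.0/24 in it are constructed placeholders from the documentation ranges.

```python
"""Simulate Apache 2.2 host-based access control (mod_access) for the
.htaccess snippets used to protect wp-admin.  Added illustration, not code
from the original post; all IP addresses are constructed placeholders."""

import ipaddress


def host_matches(client_ip: str, pattern: str) -> bool:
    """True if client_ip matches one argument of an Allow/Deny directive.

    Handles the argument forms the post relies on: 'all', a full address,
    a partial dotted prefix such as '123.24.131.' (first three octets),
    and CIDR notation such as '198.51.100.0/24'.
    """
    pattern = pattern.strip()
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in network
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern


def host_access(htaccess: str, client_ip: str) -> bool:
    """Evaluate the Order/Allow/Deny lines of an .htaccess snippet.

    Order allow,deny: default deny; the client must match an Allow and
    must not match any Deny.
    Order deny,allow: default allow; the client is denied only if it
    matches a Deny and no Allow.
    Other directives (Satisfy, AuthType, ...) are ignored here.
    """
    order = "deny,allow"          # Apache's default when Order is absent
    allows, denies = [], []
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif directive in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allows if directive == "allow" else denies).extend(parts[2:])
    allowed = any(host_matches(client_ip, p) for p in allows)
    denied = any(host_matches(client_ip, p) for p in denies)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unknown Order value: {order}")


def satisfy(mode: str, host_ok: bool, auth_ok: bool) -> bool:
    """Combine host access with HTTP basic auth the way Satisfy does."""
    if mode.lower() == "any":
        return host_ok or auth_ok     # Satisfy Any: either check is enough
    return host_ok and auth_ok        # Satisfy All (the default): both must pass


# Constructed snippets; 203.0.113.10 stands in for the admin's static address.
LOCKOUT_WHITELIST = """
order allow,deny
deny from all
allow from 203.0.113.10
"""

WORKING_WHITELIST = """
order deny,allow
deny from all
allow from 203.0.113.10
"""

BLOCK_RANGES = """
order allow,deny
deny from 123.24.131.
deny from 198.51.100.0/24
allow from all
"""

# The host part of the FilesMatch / Files blocks from step 1.
ASSETS_BLOCK = "Order Allow,Deny\nAllow from All"


def demo() -> dict:
    admin, stranger = "203.0.113.10", "198.51.100.7"
    return {
        # Order allow,deny + Deny from all rejects everyone, the admin included.
        "lockout_admin": host_access(LOCKOUT_WHITELIST, admin),
        "working_admin": host_access(WORKING_WHITELIST, admin),
        "working_stranger": host_access(WORKING_WHITELIST, stranger),
        "ranges_blocked": host_access(BLOCK_RANGES, "123.24.131.9"),
        "ranges_other": host_access(BLOCK_RANGES, admin),
        # Allow from All plus Satisfy Any: static files pass with no credentials.
        "asset_no_auth": satisfy("Any", host_access(ASSETS_BLOCK, stranger), False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {'allowed' if value else 'denied'}")
```

Running the script shows the whitelist in the `order allow,deny` form denying even the whitelisted address, while the `order deny,allow` form admits it and nobody else. Note that these directives belong to Apache 2.2's mod_access; Apache 2.4 replaced them with Require and only honours Order/Allow/Deny when mod_access_compat is loaded.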

Now that you have protected your wp-admin folder, it’s a good idea that you harden other portions of WordPress, too. Stay safe!


12 Opinions for Protecting the WordPress wp-admin Folder

  1. Kylemar, April 4, 2011 at 8:54 pm

    Hello, I tried to restrict access to the wp-admin folder but now I cannot access my admin page anymore, the server returns a 404 error page :(. Any idea?

    • Jeffrey, April 5, 2011 at 10:27 pm

      I have the same problem 🙁

  2. vitor, August 17, 2011 at 9:06 am

    Serious enthusiast on this website, quite a few your articles or blog posts have truly helped me out. Looking towards improvements!

  3. Bob Miller, September 2, 2011 at 6:55 pm

    Everybody can access my admin folder and I’m too scared to do the modification myself. I am guessing I should just outsource it or something, so that I don’t end up messing something up.

  4. Joseph Dean, September 28, 2011 at 10:30 am

    This is one of those duhh moments… never thought about adding that extra security to wp-admin folder with htaccess. Takes only a few minutes too. Thanks for the useful tutorial for adding that extra protection to wp.

  5. AkashArora, December 23, 2011 at 11:25 pm

    I was looking for some nice security tips for my new WordPress blog and I found them here.. Thanks

  6. Kay, January 11, 2012 at 3:21 pm

    Thanks for the useful tips. I just changed my WP user and password to something really complicated, hope this will provide better protection.

  7. Ajnabii, February 23, 2012 at 7:41 am

    Hello Dear,
    Thanks for the nice article, I have changed the default admin username to something different, I have set up the wp-admin directory with a password, and also I’m using some plugins to protect my blog 🙂

    Thanks for helping!

  8. Menti, March 2, 2012 at 1:18 am

    Thank you for this article … it is useful to me

  9. SL Marketer, April 14, 2013 at 4:54 pm

    Hi, great tips. I wanted to know whether I can limit access to my wp-admin folder by 2-3 IP ranges. I’m now in a new home and this net connection changes my IP every time I connect, so I’m having problems with changing my IP every time.

  10. indunil, December 11, 2016 at 10:27 pm
