Protecting Your WordPress Admin with htaccess

Last Updated: February 7, 2015 | Reading Time: 2 minutes

Anyone can easily guess how to reach your WordPress admin dashboard, because by default the login URL is the same on every site. Someone with bad intentions can target that login URL with brute-force software that tries every username and password combination, which is why we should never use an easy-to-guess, word-based password.

One basic protection is to use .htaccess. I'll show you how to do it.

Creating .htpasswd

First, create a local file named .htpasswd, then generate a username and hashed password using an .htpasswd generator. Copy the result and paste it into your newly created file.


Then upload the file to your server. You can put it somewhere inside or outside the public_html folder; outside is preferable, since the file then cannot be requested over the web. In my case I put it in /home/pupung/

Creating .htaccess

The next step is to create the .htaccess file, the same way you created .htpasswd. Here's my code:

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Allow plugin access to admin-ajax.php
# around password protection
# (Order/Allow/Satisfy are Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for them)
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

# Everything else in this folder requires a login from .htpasswd
AuthType Basic
AuthName "Admin Only"
AuthUserFile /home/pupung/.htpasswd
Require valid-user

Upload it to the wp-admin folder.

You can test it by visiting your admin URL; a dialog box will prompt you for a username and password.


Protecting wp-login.php

One more thing to do is protect wp-login.php, which resides in the root of your WordPress installation. I use the code below to protect it; just add it after the WordPress lines in your root .htaccess.

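# Limit the password prompt to wp-login.php so the rest of the site stays public
<Files wp-login.php>
AuthName "Login Required"
AuthType Basic
AuthUserFile /home/pupung/.htpasswd
Require valid-user
</Files>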
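
Both files only work if each rule is scoped correctly: the admin-ajax.php exception must apply to that one file, and the root password block must apply only to wp-login.php. The Python check below is an added example, not code from the original post, and it flags rules that have lost their scope or picked up curly quotes when pasted. The function name `audit_htaccess` and both sample files are constructed, and it assumes the scoping is done with Apache `<Files>` sections.

```python
import re

AUTH_DIRECTIVES = {"authtype", "authname", "authuserfile", "require"}
SECTION_OPEN = re.compile(r'<\s*Files(?:Match)?\s+"?([^">]+)"?\s*>', re.I)
SECTION_CLOSE = re.compile(r"</\s*Files(?:Match)?\s*>", re.I)

def audit_htaccess(text, directory_wide_auth):
    """Return (line_number, message) findings for one .htaccess file.
    directory_wide_auth is True for wp-admin/.htaccess (auth covers the folder)
    and False for the WordPress root (auth belongs inside <Files wp-login.php>)."""
    findings = []
    scope = None  # None: the directive applies to the whole directory
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\u201c" in line or "\u201d" in line:
            findings.append((number, "curly quotes pasted from a web page; use plain quotes"))
        opened = SECTION_OPEN.match(line)
        if opened:
            scope = opened.group(1)
            continue
        if SECTION_CLOSE.match(line):
            scope = None
            continue
        name, arg = (line.split(None, 1) + [""])[:2]
        name, arg = name.lower(), arg.strip().lower()
        if scope is None and name == "satisfy" and arg == "any":
            findings.append((number, "Satisfy any outside <Files>: login can be bypassed"))
        if scope is None and name in AUTH_DIRECTIVES and not directory_wide_auth:
            findings.append((number, name + " outside <Files>: the whole site asks for a password"))
    return findings

# Constructed samples: a wp-admin file whose <Files admin-ajax.php> wrapper was
# lost in copy and paste, and a correctly scoped root file.
BROKEN_WP_ADMIN = """Order allow,deny
Allow from all
Satisfy any
AuthType Basic
AuthName \u201cAdmin Only\u201d
AuthUserFile /home/pupung/.htpasswd
Require valid-user
"""
GOOD_ROOT = ('<Files wp-login.php>\nAuthType Basic\nAuthName "Login Required"\n'
             "AuthUserFile /home/pupung/.htpasswd\nRequire valid-user\n</Files>\n")

if __name__ == "__main__":
    for number, message in audit_htaccess(BROKEN_WP_ADMIN, directory_wide_auth=True):
        print(f"line {number}: {message}")
```

Run it against a copy of each file before uploading; an empty result means the scoping and quoting checks passed, not that Apache has accepted the file.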


Well done, your wp-admin is now protected. There are a few more tricks for protecting your WordPress installation; I'll share them in another post. Thanks for reading.
