How to Password Protect WordPress Admin (or Any) Apache Directory

in apache, security, wordpress

If you are running WordPress, it’s a good idea to lock down the WordPress admin. Sure, it’s password protected already. But you can (and should) add some extra security to lessen your vulnerability to any newly discovered PHP or WordPress security bugs.

Background

We recently enhanced our own WordPress security and added an extra layer of authentication. Other sites like Mashable do the same thing: Mashable WordPress Admin.

We found lot’s of web articles that show you how to do this. But we didn’t like their methods. They all use .htaccess, but we think it’s cleaner and clearer to put the authorization in the Apache config file for yours site. Also, the Apache docs recommend against using .htaccess:

You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.

So here is how we did it. And these instructions will be helpful for locking down any Apache directory, even if you aren’t running WordPress.

How to Password Protect WordPress Admin (or Any) Apache Directory

First, you need to create a password file that contains user(s) and password(s).

Note that the passwords must be encrypted. You can use this site to encrypt the password(s): HTACCESS Tools – HTPASSWD Generateor

Create a new file and put it somewhere outside of the web root. We put ours in a file called “passwords” in this directory: /home/putYourUserNameHere/.htpasswds/public_html/wp-admin/

Put the user names and encrypted passwords in the file, separated by a colon. If you are including more than one user, put each user on a separate line:

some_user_name:$apr1$.TDNi1lH$4Q8eciJYOw0w//Dgr8YaD/
another_user_name:$apr1$760eN1Rw$krIuuPpceOIcQSak4tmqG1

After you create this file, add the following to your Apache config file:

        # Block access to wp admin
        <Files wp-login.php>
                AuthName "Admins Only"
                AuthUserFile /home/putYourUserNameHere/.htpasswds/public_html/wp-admin/passwords
                AuthGroupFile /dev/null
                AuthType basic
                require valid-user
        </Files>
        <Location /wp-admin/>
                AuthName "Admins Only"
                AuthUserFile /home/putYourUserNameHere/.htpasswds/public_html/wp-admin/passwords
                AuthGroupFile /dev/null
                AuthType basic
                require valid-user
        </Location>

And that’s it.

Note that this locks down both the wp-admin and the login page itself. And, it only works if you have access to the Apache config file. If you don’t, this site offers some alternatives:
www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/.

Additional Tweak to Fix WordPress Ajax Functionality

The lock down method above may break some WordPress Ajax functionality. If you are using that functionality and it breaks, you can fix it by adding this to your Apache config file:

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any 
</Files>

Comments on this entry are closed.

Previous post:

Next post: