Password Protecting WordPress wp-admin Folder

Protecting the wp-admin folder with HTTP authentication adds an additional layer of protection for your server. Password protecting the admin area makes it harder to brute-force access (it’s also possible to password protect only wp-login.php).

To harden the wp-admin folder, create a .htpasswd file that stores the password for the additional authentication (to create the file manually, you can use an htpasswd generator, for example).

Create a .htaccess file in the wp-admin folder. Note that password protecting the whole wp-admin folder breaks any code that uses AJAX on the front end, so make sure to allow /wp-admin/admin-ajax.php.

The content of the .htaccess file:

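# Password file for the additional authentication
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Restricted"
Require valid-user

# Keep admin-ajax.php reachable without a password for front-end AJAX
# (Order/Allow/Satisfy are Apache 2.2 directives; Apache 2.4 needs mod_access_compat for them)
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>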
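
A quick way to check a wp-admin .htaccess before deploying it, as an added example that is not part of the original page: the function below flags typographic quotes, a <Files> section that is never closed, a missing admin-ajax.php exemption, and a password file stored inside the document root. The function name, the finding codes, the sample paths and the /var/www/html document root are assumptions made for the example.

```python
import re
from pathlib import PurePosixPath

CURLY = "\u201c\u201d\u2018\u2019"  # typographic quotes; Apache does not treat them as quotes

def lint_htaccess(text, docroot):
    """Return sorted finding codes for a wp-admin .htaccess passed as a string."""
    findings = set()
    section = None                       # name of the <Files> section currently open
    requires_auth = ajax_exempt = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(ch in line for ch in CURLY):
            findings.add("curly-quotes")
        opened = re.match(r'<Files\s+"?([^">\s]+)"?\s*>$', line, re.I)
        if opened:
            section = opened.group(1).lower()
            continue
        if re.match(r"</Files\s*>$", line, re.I):
            section = None
            continue
        words = line.lower().split()
        if words[0] == "authuserfile" and len(words) > 1:
            # A password file under the document root sits next to served content.
            path = PurePosixPath(line.split(None, 1)[1].strip('"'))
            if PurePosixPath(docroot) in path.parents:
                findings.add("htpasswd-in-docroot")
        elif words == ["require", "valid-user"] and section is None:
            requires_auth = True
        elif section == "admin-ajax.php" and words in (
                ["satisfy", "any"], ["require", "all", "granted"]):
            ajax_exempt = True
    if section is not None:
        findings.add("unclosed-files-section")
    if requires_auth and not ajax_exempt:
        findings.add("ajax-not-exempt")
    return sorted(findings)

# Constructed samples (not taken from a real server).
BROKEN = ("AuthUserFile /var/www/html/wp-admin/.htpasswd\nAuthType basic\n"
          "AuthName \u201cRestricted\u201d\nrequire valid-user\n"
          "<Files admin-ajax.php>\nSatisfy any\n")
FIXED = ('AuthUserFile /etc/apache2/.htpasswd\nAuthType Basic\nAuthName "Restricted"\n'
         "Require valid-user\n<Files admin-ajax.php>\nSatisfy any\n</Files>\n")

if __name__ == "__main__":
    print(lint_htaccess(BROKEN, "/var/www/html"))
    print(lint_htaccess(FIXED, "/var/www/html"))
```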