Password Protecting WordPress wp-admin Folder

Protecting the wp-admin folder with HTTP authentication adds an additional layer of protection for your server. Password protecting the admin area makes it harder to brute-force access (it's also possible to password protect only wp-login.php).

To harden the wp-admin folder, create a .htpasswd file that stores the password for the additional authentication (to create the file manually you can use, for example, this htpasswd generator).

Create a .htaccess file in the wp-admin folder. Note that password protecting the whole wp-admin folder breaks any code that uses AJAX on the front end, so make sure to allow /wp-admin/admin-ajax.php.

The content of the .htaccess file:

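# Password file holding the credentials for the extra login
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Restricted"
Require valid-user

# Leave admin-ajax.php reachable without the extra login
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>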
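
A small linter for the .htaccess file above, added here as an example and not part of the original page. It flags the mistakes that typically creep in when this configuration is copied from a web page (typographic quotes or soft hyphens, an unclosed `<Files>` section, a missing admin-ajax.php exemption) and also checks that the password file sits outside the document root, which the Apache documentation recommends. The function name, the finding codes and the sample paths (`/etc/apache2`, `/var/www/html`) are assumptions made for the example.

```python
import re
from pathlib import PurePosixPath

def audit_htaccess(text, docroot):
    """Return sorted finding codes for a wp-admin .htaccess (empty list = clean)."""
    findings, top, stack, ajax_exempt = set(), {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Soft hyphens and curly quotes survive copy/paste and end up as literal bytes.
        if re.search("[\u00ad\u201c\u201d]", line):
            findings.add("typographic-char")
        tag = re.fullmatch(r"<(/?)(\w+)\s*([^>]*)>", line)
        if tag:
            closing, name, arg = tag.groups()
            if not closing:
                stack.append((name.lower(), arg.strip('"')))
            elif stack and stack[-1][0] == name.lower():
                stack.pop()
            else:
                findings.add("stray-close-tag")
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if not stack:
            top[key] = value  # directive that applies to the whole folder
        elif stack[-1] == ("files", "admin-ajax.php") and (key, value.lower()) == ("satisfy", "any"):
            ajax_exempt = True
    if stack:
        findings.add("unclosed-section")  # e.g. <Files ...> without </Files>
    if top.get("require", "").lower() != "valid-user":
        findings.add("no-require-valid-user")
    userfile = top.get("authuserfile", "").strip('"')
    if PurePosixPath(docroot) in PurePosixPath(userfile).parents:
        findings.add("authuserfile-in-docroot")  # hash file may be web-reachable
    if not ajax_exempt:
        findings.add("no-ajax-exemption")  # front-end AJAX calls would get a 401
    return sorted(findings)

# Constructed samples; /var/www/html is an assumed document root.
GOOD = ('AuthUserFile /etc/apache2/.htpasswd\nAuthType Basic\nAuthName "Restricted"\n'
        'Require valid-user\n<Files admin-ajax.php>\nOrder allow,deny\n'
        'Allow from all\nSatisfy any\n</Files>\n')
BAD = GOOD.replace("/etc/apache2", "/var/www/html/wp-admin").replace("</Files>", "")

if __name__ == "__main__":
    print(audit_htaccess(GOOD, "/var/www/html"))
    print(audit_htaccess(BAD, "/var/www/html"))
```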