How-To Geek

Protecting Your WordPress Admin Panel From Hackers With .htaccess

If you are using WordPress as the platform behind your blog or website, you probably know that there have been a lot of security holes, not just in the software itself but also in its plugins. In light of these problems, we’ll look at how to blunt hacking attempts by locking down your administration folder.

The Apache web server has a built-in mechanism that allows you to assign a required password for a folder, which is separate from your WordPress password.

Quick Blog Security Tips

Security is important enough that I felt it necessary to include some extra tips here. This is by no means a complete list, but you should look into them anyway.

  • Make sure you are running the latest version of WordPress and all your plugins.
  • You should consider subscribing to BlogSecurity.net, a blog that attempts to cover security news about blogging platforms.
  • Make sure that your file permissions are set correctly according to the WordPress guidelines.
  • Make sure you are using tough passwords for all accounts.
  • Make sure that you are backing up your entire WordPress installation and database.
  • Lock down your administration folder with .htaccess rules (covered here).

Assigning a Password to wp-admin Directory Manually

Create a file named .htaccess in your wp-admin directory, and add the following contents:

AuthName "Restricted Area"
AuthType Basic
AuthUserFile /var/full/web/path/.htpasswd
AuthGroupFile /dev/null
require valid-user

You’ll need to adjust the AuthUserFile line to use the full path to the .htpasswd file we’ll create in the next step. You can find the full path by using the pwd command from the shell prompt.

Next you’ll need to use the htpasswd command line utility to create the password file. I would also advise that you use a different user account and password than you use for your WordPress installation.

$ htpasswd -c .htpasswd myusername
New password:
Re-type new password:
Adding password for user myusername

You’ll want to make sure you are in the directory specified by AuthUserFile, and change “myusername” to something unique for your site. This will create a file with contents similar to the following:

myusername:aJztXHCknKJ3.

At this point you should be prompted for a password when you navigate to your WordPress administration panel. You’ll notice that “Restricted Area” is the text from the .htaccess file, which could be changed to anything else.


If you get a server error instead, you should probably remove the .htaccess file and start over.

Lastly, you should make sure that you remove write permissions to both files with the chmod command as one more layer of security.

chmod 444 .htaccess

chmod 444 .htpasswd
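As an added check (example code written for this page, not from the article, WordPress or Apache), the following Python lints a wp-admin .htaccess block like the one above: it flags a relative AuthUserFile, a password file kept under the document root (the document root passed in is an assumption), a missing require line, the absence of an exception for wp-admin/admin-ajax.php (which front-end plugins call, so they would be challenged too), and a file mode that still leaves the files writable after the chmod step.

```python
import os
import re
import stat

# Constructed sample: the article's wp-admin/.htaccess, typed with plain ASCII
# quotes (curly quotes pasted from a web page make Apache return a 500 error).
SAMPLE_HTACCESS = """AuthName "Restricted Area"
AuthType Basic
AuthUserFile /var/full/web/path/.htpasswd
AuthGroupFile /dev/null
require valid-user
"""

def parse_directives(text):
    """Map each top-level directive (lower-cased) to its unquoted value."""
    directives, depth = {}, 0
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("</"):          # leaving a <Files>/<Directory> block
            depth -= 1
        elif line.startswith("<"):         # entering one; its contents are skipped
            depth += 1
        elif line and not line.startswith("#") and depth == 0:
            name, _, value = line.partition(" ")
            directives[name.lower()] = value.strip().strip('"')
    return directives

def lint_htaccess(text, docroot):
    """Return the findings a defender should resolve before trusting this file."""
    d, findings = parse_directives(text), []
    if d.get("authtype", "").lower() != "basic":
        findings.append("AuthType must be Basic for .htpasswd authentication")
    userfile = d.get("authuserfile", "")
    if not userfile.startswith("/"):
        findings.append("AuthUserFile must be an absolute path (use pwd to find it)")
    elif os.path.normpath(userfile).startswith(os.path.normpath(docroot) + os.sep):
        findings.append("AuthUserFile lies under the document root; keep it outside")
    if d.get("require", "").lower() != "valid-user":
        findings.append("no 'require valid-user': nobody would be challenged")
    if not re.search(r'<Files\s+"?admin-ajax\.php', text, re.IGNORECASE):
        findings.append("no <Files admin-ajax.php> exception: front-end plugin "
                        "requests to wp-admin/admin-ajax.php will be challenged too")
    return findings

def mode_findings(mode):
    """Check the chmod 444 step: neither file should keep any write bit."""
    if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
        return ["file is still writable; the article sets chmod 444"]
    return []
```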

.htaccess Password File Generator

There’s a great tool from Dynamicdrive that will do all the hard work of creating the file for you. This is especially useful if you don’t have shell access to your server, because you can just upload the files via your FTP/SFTP client.

http://tools.dynamicdrive.com/password/

You should still make sure that you remove write access once the files are uploaded.

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis. You can follow him on if you'd like.

  • Published 12/5/07

Comments (8)

  1. John

    This is great advice. It should be pointed out, however, that not everyone has access to create a .htaccess file with password. Many hosting services don’t give their users this kind of access.

  2. JasonS

    This may be a stupid question, I don’t know. I recently signed up for a new WordPress account. The blog is hosted on their server. I didn’t download anything or install it on my web server. So, is any of this necessary?

  3. John

    Do you mean WordPress.com? If so then you won’t be able to do this.

  4. Jake

    @JasonS: This refers to WordPress.org, which is the actual CMS software. You are thinking of WordPress.com, which is a free hosting service built around the WordPress.org CMS. So no. Most free blog hosts will not allow you to mess with .htaccess.

  5. john parsons

    Trying to set up a password protection with .htaccess, can find no clear instructions of correct path in AuthUserFile. Is the following style of path correct?

    /c:/Program Files/Apache…..etc

    every tutorial gives examples such as
    /var/full/web/path/.htpasswd
    or
    /home/file/….

    which make no sense to me.

    Thanks

  6. john.s

    Examples like /var/path/.htpasswd are for Unix-like systems (Linux).

    This only works on Linux and Unix-like systems, it DOES NOT work on Windows.

  7. khokon

    Is it possible in Joomla?

  8. abhi

    Thanks for the good info, it will protect WP
