If you are using WordPress as the platform behind your blog or website, you probably know that there have been a lot of security holes, not just in the software itself but also in its plugins. In light of these problems, we’ll look at how to prevent hacking attempts by locking down your administration folder.

The Apache web server has a built-in mechanism that allows you to assign a required password for a folder, which is separate from your WordPress password.

Quick Blog Security Tips

Security is important enough that I felt it necessary to include some extra tips here. This is by no means a complete list, but you should look into them anyway.

  • Make sure you are running the latest version of WordPress and all your plugins.
  • You should consider subscribing to BlogSecurity.net, a blog that attempts to cover security news about blogging platforms.
  • Make sure that your file permissions are set correctly according to the WordPress guidelines.
  • Make sure you are using tough passwords for all accounts.
  • Make sure that you are backing up your entire WordPress installation and database.
  • Lock down your administration folder with .htaccess rules (covered here).

Assigning a Password to wp-admin Directory Manually

Create a file named .htaccess in your wp-admin directory, and add the following contents:

AuthName "Restricted Area"
AuthType Basic
AuthUserFile /var/full/web/path/.htpasswd
AuthGroupFile /dev/null
require valid-user

You’ll need to adjust the AuthUserFile line to use the full path to the .htpasswd file we’ll create in the next step. You can find the full path by using the pwd command from the shell prompt.

Next you’ll need to use the htpasswd command line utility to create the password file. I would also advise that you use a different user account and password than you use for your WordPress installation.

$ htpasswd -c .htpasswd myusername
New password:
Re-type new password:
Adding password for user myusername

You’ll want to make sure you are in the directory specified by AuthUserFile, and change “myusername” to something unique for your site. This will create a file with contents similar to the following:


At this point you should be prompted for a password when you navigate to your WordPress administration panel. You’ll notice that “Restricted Area” is the text from the .htaccess file, which could be changed to anything else.

If you get a server error instead, you should probably remove the .htaccess file and start over.

Lastly, you should remove write permissions from both files with the chmod command as one more layer of security.

chmod 444 .htaccess

chmod 444 .htpasswd
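
The following check is an added example, not part of the original article. It is a small shell function (the name check_htaccess is hypothetical) that looks for the setup mistakes most likely to cause the server error mentioned above, such as typographic quotes copied from a web page or an AuthUserFile that is not a full path, and confirms that the write bits were removed. The sample .htaccess built in demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. check_htaccess is a
# hypothetical helper: it prints one line per problem and returns 1 if any.
check_htaccess() {
    f=$1; bad=0
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    # Typographic quotes pasted from a web page are not valid Apache quoting.
    if grep -F -q -e '“' -e '”' "$f"; then
        echo "curly quotes in $f: use plain \" characters"; bad=1
    fi
    if ! grep -q -i '^[[:space:]]*require[[:space:]][[:space:]]*valid-user' "$f"; then
        echo "no 'require valid-user' line"; bad=1
    fi
    # First AuthUserFile argument, surrounding quotes removed
    # (assumes the path itself contains no spaces).
    pw=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$f" | tr -d '"')
    case $pw in
        '') echo "no AuthUserFile line"; bad=1 ;;
        /*) [ -s "$pw" ] || { echo "password file $pw missing or empty"; bad=1; } ;;
        *)  echo "AuthUserFile '$pw' is not a full path"; bad=1 ;;
    esac
    # The article sets both files to mode 444: report any remaining write bit.
    for p in "$f" "$pw"; do
        [ -e "$p" ] || continue
        if ls -ld "$p" | cut -c2-10 | grep -q w; then
            echo "$p is still writable: chmod 444 it"; bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: an .htaccess copied from a web page (curly quotes) with
# a relative AuthUserFile, written to a throwaway directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'AuthName “Restricted Area”' 'AuthType Basic' \
        'AuthUserFile .htpasswd' 'require valid-user' > "$d/.htaccess"
    rc=0; check_htaccess "$d/.htaccess" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# With a path argument, check that file; otherwise run the constructed demo.
if [ $# -gt 0 ]; then check_htaccess "$1"; else demo || true; fi
```

Run it with the path to your wp-admin/.htaccess as the only argument; no output and exit status 0 mean none of these problems were found.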

.htaccess Password File Generator

There’s a great tool from Dynamicdrive that will do all the hard work of creating the file for you. This is especially useful if you don’t have shell access to your server, because you can just upload the files via your FTP/SFTP client.


You should still make sure that you remove write access once the files are uploaded.

Lowell Heddings
Lowell is the founder and CEO of How-To Geek. He’s been running the show since creating the site back in 2006. Over the last decade, Lowell has personally written more than 1000 articles which have been viewed by over 250 million people. Prior to starting How-To Geek, Lowell spent 15 years working in IT doing consulting, cybersecurity, database management, and programming work.