
Make WordPress login more secure

How to protect your WordPress login with an additional password

By default, the WordPress login is of course protected by a username and password. Most people open yourdomain.de/wp-admin/ in their browser, and the familiar WordPress login page appears.

In our big article about WordPress security we explained, among other things, that you should change the default login URL. Otherwise every attacker knows your login URL right away, because by default it is the same for every WordPress installation: /wp-admin/.

That makes sense at first, since otherwise nobody would know where to log in. It would still be desirable to be able to set a different path during the WordPress installation.

This article, however, is about protecting the WordPress login page by hand with an additional password.

Many hosters let you set up such a directory protection with a few clicks in their control panel. Sometimes that does not work, or the hoster does not offer anything of the kind. In that case you have to create the directory protection manually, and this is how it is done.

These instructions use the so-called Basic Auth method on an Apache server, configured through .htaccess files. They therefore do not work on IIS, and not on nginx either, which ignores .htaccess files altogether.

You need access to your web server's file system for this tutorial, for example with an FTP program (SFTP is better: plain FTP sends your password and the files unencrypted) or with shell access.

Enough introduction, let’s go!

Create the .htpasswds file

First create a .htpasswds file. This file holds the username/password combinations for the additional credentials. The name itself is not special; what matters is that the .htaccess file you write later points to it, so if you prefer the more common name .htpasswd, use that name consistently.

The password has to be stored in a specific hashed format, not in plain text. If you have shell access, the htpasswd tool that ships with Apache does this for you: `htpasswd -nB yourusername` asks for the password and prints the finished line using bcrypt. Otherwise you can use an online .htpasswd generator, bearing in mind that you are typing the password into a third-party website: never enter a password there that you use anywhere else.

Enter the desired username and password there. It bears repeating that this username/password combination must differ from your WordPress backend login. If it were the same, anyone who obtained one set of credentials would have both, and the extra layer would be pointless.

Then click Create .htpasswd file.

A line of text appears. It consists of the chosen username, a colon, and the hashed password. The password itself is never stored: Apache hashes what you type at login and compares the result with this line.

Now create a new text file with a text editor, paste that line into it, and save the file under the name .htpasswds.

Note: your operating system may then stop showing the file in the file manager, because files whose names begin with a period are hidden by default. In that case, do the file operations in a terminal or shell, or change the view settings of your file manager (Windows Explorer or macOS Finder) so that hidden files are shown too.

You can also create credentials for further people, for example a colleague: generate another line with the tool or generator and append it to the file. Make sure that each username/password combination is on its own line in the .htpasswds file.
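As an added example (not part of the original article and not Apache's own code), the following Python script does offline what the htpasswd tool and the generator do: it builds a user:hash line in Apache's apr1 format, checks a password against an existing apr1 or {SHA} entry, and audits a whole .htpasswds file for weak hash schemes. apr1 is used here because it can be implemented with the standard library alone and every Apache version accepts it; prefer bcrypt (`htpasswd -B`) whenever the tool is available. The usernames, passwords and the sample file are constructed for this example.

```python
import base64
import hashlib
import secrets
from typing import List, Optional, Tuple

# Alphabet of Apache's apr1 (MD5-crypt style) encoding: "./0-9A-Za-z".
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    # Emit `count` characters, least significant 6-bit group first (Apache's to64()).
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password: str, salt: str) -> str:
    """Compute '$apr1$<salt>$<hash>' the way apr_md5_encode (htpasswd -m) does."""
    pw, salt = password.encode("utf-8"), salt[:8]
    sb = salt.encode("ascii")
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # len(pw) bytes of the alternate digest
        ctx.update(alt[: min(remaining, 16)])
        remaining -= 16
    bits = len(pw)
    while bits:                               # one byte per bit of len(pw)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                     # stretching rounds; inputs depend on i
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    d = final                                 # bytes are interleaved before encoding
    encoded = "".join(_to64((d[a] << 16) | (d[b] << 8) | d[c], 4)
                      for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return f"$apr1${salt}${encoded}{_to64(d[11], 2)}"


def make_entry(username: str, password: str, salt: Optional[str] = None) -> str:
    # One 'user:hash' line; the salt is random unless supplied (deterministic for tests).
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{username}:{apr1_hash(password, salt)}"


def verify_password(stored: str, password: str) -> bool:
    # Constant-time check of a password against an apr1 or {SHA} hash field.
    if stored.startswith("$apr1$"):
        return secrets.compare_digest(apr1_hash(password, stored.split("$")[2]), stored)
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode()
        return secrets.compare_digest("{SHA}" + digest, stored)
    raise ValueError("unsupported hash scheme: " + stored[:6])


def hash_scheme(stored: str) -> Tuple[str, bool]:
    # Name the scheme of a hash field; True means it is acceptable for a login today.
    if stored.startswith(("$2y$", "$2b$", "$2a$")):
        return "bcrypt", True
    if stored.startswith("$apr1$"):
        return "apr1-md5", True
    if stored.startswith("{SHA}"):
        return "sha1-unsalted", False
    return "plaintext-or-unknown", False


def audit_htpasswd(text: str) -> List[Tuple[str, str, bool]]:
    # Parse htpasswd text into (user, scheme, acceptable); malformed lines raise.
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'user:hash'")
        user, stored = line.split(":", 1)
        report.append((user,) + hash_scheme(stored))
    return report


# Constructed sample file (not from any real server): a fresh apr1 entry, an unsalted
# SHA-1 of "password", and a placeholder field that only carries the bcrypt prefix.
SAMPLE_HTPASSWDS = "\n".join([
    make_entry("alice", "correct horse battery staple", salt="Xy7Kp2Qa"),
    "bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
    "carol:$2y$05$" + "." * 53,
])
```

Run `audit_htpasswd` over the real file before you upload it: any entry reported as sha1-unsalted or plaintext-or-unknown should be regenerated with `htpasswd -B`, because those schemes fall quickly to offline guessing if the file ever leaks. bcrypt entries are recognised but not verified here, since that needs a third-party library.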

Upload the .htpasswds file to the server

Now upload the .htpasswds file to your web server, for example with your FTP program.

Save the file outside the document root of your website (the directory the web server serves files from), so that it can never be fetched over HTTP. Apache's default configuration refuses to serve files whose names start with .ht, but do not rely on that alone.

In this example the file goes directly into the root of the FTP account, one level above the web directory: /.htpasswds

Create the .htaccess file

The .htpasswds file on its own does not activate the password prompt.

For that you have to create a .htaccess file in the directory you want to protect.

So we create another text file.

Then add the following code to it:

AuthName "Admins Only"
AuthUserFile /absolute/path/to/.htpasswds
AuthGroupFile /dev/null
AuthType Basic
Require user your-username

You have to adapt the two placeholders in the code above: the path and the username.

For your-username enter the username you created for the .htpasswds file above. If you created several entries, list them all (`Require user alice bob`) or write `Require valid-user` to accept every user in the file.

On the line that starts with AuthUserFile, replace the placeholder with the absolute path to the .htpasswds file.

Save this file under the name .htaccess and upload it into the /wp-admin directory of your WordPress installation.

Find out the absolute path to the .htpasswds file

The path after AuthUserFile cannot be a URL. It must be an absolute file path on the web server. If you know how absolute paths are laid out on your server, you already know what to enter. Otherwise you have to find the absolute path out first.

An example:

Above, I copied the .htpasswds file to the root of the FTP account. In the FTP client it shows up as /.htpasswds.

The absolute path to this file, however, is /is/htdocs/vj1015323_S748JFH65SS/.htpasswds.

Your absolute path will look different; it depends on the server. That is the path I would have to enter after AuthUserFile in the .htaccess file.

Now how do you get the absolute path?

As a rule, the path is shown in the administration interface of your hoster. It also often appears in the server's log files.

Alternatively, you can find out the path with a small PHP script.

To do this, create a new text file and put the following line of code in it:

<?php echo getcwd(); ?>

Save this file as path.php, for example.

Upload it into the root directory of your WordPress installation with the FTP client.

Then open the file in your browser: yourdomain.de/path.php

The absolute path of the WordPress installation should now appear in the browser. Delete path.php from the server as soon as you have noted the path: it tells anyone who requests it how your server's file system is laid out.

However, you do not need the absolute path of the WordPress installation but that of the .htpasswds file. If the .htpasswds file lies in the root directory, you now have to strip the directories of your WordPress installation from the path.

Another example:

The browser gave me the following path to my WordPress installation:

/is/htdocs/vj1015323_S748JFH65SS/www/wordpress

In my FTP program I can see that the WordPress installation lies under /www/wordpress. So I have to remove www/wordpress from the absolute path. The absolute path of my root directory is therefore:

/is/htdocs/vj1015323_S748JFH65SS/

And the path to my .htpasswds file is thus:

/is/htdocs/vj1015323_S748JFH65SS/.htpasswds

Accordingly, I enter the path:

AuthUserFile /is/htdocs/vj1015323_S748JFH65SS/.htpasswds

I get a 404 error or a "Too many redirects" error

Depending on how your server is configured, this can happen: the request for Apache's 401 error page can be caught by WordPress's rewrite rules in the root .htaccess. In this case, open the .htaccess file in your WordPress root directory (not our new .htaccess file in the /wp-admin directory).

Add the following line there, above the existing WordPress block:

ErrorDocument 401 default

This tells Apache to use its built-in 401 page instead of looking up an error document that the rewrite rules would intercept. Now the additional password prompt should appear for your WordPress admin area.

One caveat: the login form itself, wp-login.php, lives in the WordPress root directory and not in /wp-admin/, so it is not covered by this protection. Login attempts against wp-login.php (and against xmlrpc.php) still reach WordPress directly. To cover the login form as well, put the same five Auth* lines from above inside a `<Files wp-login.php>` ... `</Files>` section in the root .htaccess file.

How to fix the admin-ajax problem

If you protect the WordPress admin directory with an additional password, AJAX features in the frontend stop working (if you use any), because they all call /wp-admin/admin-ajax.php, which now sits behind the password prompt.

If you run into this, try the following:

Open our new .htaccess file in the /wp-admin folder (not the .htaccess file in the WordPress root directory!).

Add the following code to this file. The first branch is for Apache 2.4, where `Require all granted` in a `<Files>` section overrides the directory-wide `Require user` for that one file; the second branch is the original Apache 2.2 syntax and is only used where mod_authz_core does not exist (Apache 2.4 accepts it only with mod_access_compat loaded):

<Files admin-ajax.php>
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Satisfy any
  </IfModule>
</Files>

After that, the AJAX functionality should work again. admin-ajax.php is then reachable without the extra password and is guarded only by WordPress's own nonce and capability checks, exactly as it was before.
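Once the .htaccess is in place, it is worth checking the result over HTTP rather than only in a browser. The script below is an added example (not from the original article); it sends five requests and reports anything that contradicts the setup described above: the anonymous 401 challenge, acceptance of the real credentials, rejection of a wrong password, that the .htpasswds file is not downloadable, and that admin-ajax.php stays reachable without the extra password. `fake_apache` is a constructed stand-in for a correctly configured server so that the example runs offline; `live_fetch` performs the same requests against a real site URL of your choosing (assumed to be reachable and to use the default paths from this article).

```python
import base64
from typing import Callable, Dict, List, Tuple

# A fetch callable takes (path, request_headers) and returns (status, response_headers).
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str]]]


def basic_auth_header(username: str, password: str) -> str:
    # Exactly what a browser sends after the 401 prompt: base64("user:pass"), RFC 7617.
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def _header(headers: Dict[str, str], name: str) -> str:
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def check_wp_admin_protection(fetch: Fetch, username: str, password: str,
                              htpasswd_path: str = "/.htpasswds") -> List[str]:
    """Run the checks against one site; an empty list means the setup looks right."""
    findings: List[str] = []

    # 1. Anonymous request: Apache must answer 401 with a Basic challenge, not serve.
    status, headers = fetch("/wp-admin/", {})
    if status != 401:
        findings.append(f"/wp-admin/ returned {status} without credentials, expected 401")
    elif not _header(headers, "WWW-Authenticate").lower().startswith("basic"):
        findings.append("401 but no 'WWW-Authenticate: Basic' challenge")

    # 2. The htpasswd credentials must get past Basic auth (WordPress then redirects
    #    a browser without a login cookie to wp-login.php, so 302 is as good as 200).
    status, _ = fetch("/wp-admin/", {"Authorization": basic_auth_header(username, password)})
    if status == 401:
        findings.append("valid credentials rejected: check AuthUserFile path and Require user")
    elif status not in (200, 302):
        findings.append(f"/wp-admin/ with credentials returned {status}")

    # 3. A wrong password must still be rejected.
    status, _ = fetch("/wp-admin/", {"Authorization": basic_auth_header(username, password + "x")})
    if status != 401:
        findings.append(f"wrong password returned {status} instead of 401")

    # 4. The password file must not be served if it was left inside the document root.
    status, _ = fetch(htpasswd_path, {})
    if status == 200:
        findings.append(f"{htpasswd_path} is downloadable: move it outside the document root")

    # 5. admin-ajax.php has to stay reachable without the extra password.
    status, _ = fetch("/wp-admin/admin-ajax.php", {})
    if status == 401:
        findings.append("admin-ajax.php still needs Basic auth: front-end AJAX will break")
    return findings


def fake_apache(valid_authorization: str) -> Fetch:
    # Constructed stand-in for a correctly configured server, so the check runs offline.
    def fetch(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        if path == "/wp-admin/admin-ajax.php":          # exempted via <Files admin-ajax.php>
            return 200, {"Content-Type": "text/html"}
        if path.startswith("/wp-admin/"):
            if headers.get("Authorization") == valid_authorization:
                return 302, {"Location": "/wp-login.php?redirect_to=%2Fwp-admin%2F"}
            return 401, {"WWW-Authenticate": 'Basic realm="Admins Only"'}
        if path.endswith(".htpasswds"):                 # outside DocumentRoot: nothing to serve
            return 404, {}
        return 200, {"Content-Type": "text/html"}
    return fetch


def live_fetch(base_url: str) -> Fetch:
    # Real HTTP variant for your own site (assumption: base_url is reachable over HTTPS).
    import urllib.error
    import urllib.request

    def fetch(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        req = urllib.request.Request(base_url.rstrip("/") + path, headers=headers)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, dict(resp.headers)
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers)
    return fetch


if __name__ == "__main__":
    site = fake_apache(basic_auth_header("alice", "s3cret"))   # or live_fetch("https://yourdomain.de")
    for finding in check_wp_admin_protection(site, "alice", "s3cret") or ["all checks passed"]:
        print(finding)
```

Run it only against your own site and over HTTPS: the Authorization header carries the credentials in reversible base64, so Basic Auth over plain HTTP exposes them to anyone on the path.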

I hope this guide helped you set up additional directory protection for WordPress.

Security should play an important role for every serious WordPress operator. We therefore recommend once more our large two-part article about WordPress security.
