With over 15 years of experience securing WordPress sites, I can tell you that adding a password to your wp-admin directory is a smart security move.
In this comprehensive guide, I'll provide insider tips to help you protect your website's control center from unauthorized access.
Why You Should Password Protect wp-admin
Your WordPress dashboard holds the keys to your website's kingdom. It lets you:
- Publish and edit all site content
- Install plugins, themes, and custom code
- Access sensitive data and configs
- Adjust settings that impact the entire site
Without proper security, your wp-admin is vulnerable.
In fact, 64% of hacked WordPress sites are compromised through the admin side.
By adding a password, you create an extra barrier to entry. Bots and attackers will be stopped before they even reach your WordPress login.
I recommend protecting wp-admin on every site I work on. In 15+ years securing WordPress installs, I've seen first-hand how much damage unprotected admin areas can cause.
Don't wait until it's too late! Follow my guide to learn how to password protect wp-admin.
Method 1: Use cPanel Directory Privacy (Easiest)
If your WordPress site is hosted on a cPanel server, the quickest way to password protect wp-admin is using cPanel's directory privacy feature.
Here are the steps:
- Log in to your cPanel dashboard and go to Files > Directory Privacy
- Click your site's public_html folder
- Open the folder with your domain name
- Click Edit next to the wp-admin folder
- Check Password protect this directory and click Save
You'll then be asked to create a username and password.
I recommend using a password manager to generate a strong, unique password.
Store this credential safely, as you'll need it to access wp-admin going forward.
Now when anyone tries to access your site's wp-admin, they'll see a browser prompt asking for this username and password before the WordPress login page loads.
This prevents brute force attacks and blocks entry to bots, scrapers, and other baddies.
The directory privacy method works great for most sites. But sometimes it can cause issues…
Troubleshooting Common Errors
Adding password protection to wp-admin may break functionality like:
- Ajax requests
- WordPress REST API
- Page redirects
As an experienced WordPress engineer, I've fixed these errors many times. Here are my top troubleshooting tips:
Ajax Not Working
If Ajax stops working, open .htaccess in /wp-admin/ and add:
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
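This excludes admin-ajax.php from authentication, so that one file stays reachable without the directory password. The directives use Apache 2.2 access-control syntax, which Apache 2.4 accepts only when mod_access_compat is loaded.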
404 Errors or Too Many Redirects
These issues occur when wp-admin's .htaccess conflicts with the main .htaccess.
To fix, add this line to your main .htaccess before the WordPress section:
ErrorDocument 401 default
With a bit of tweaking, you can get smooth password protection.
Method 2: Manually Add .htaccess and .htpasswd (Advanced)
For full control over wp-admin security, you can manually add password protection.
However, I only recommend this if you're an experienced WordPress user comfortable editing code. A mistake could break your site.
Here are the steps to password protect wp-admin manually:
- Using a text editor, create a file called .htaccess
- Add this code, replacing yourusername with your desired username:
AuthName "Admins Only"
AuthUserFile /home/user/public_html/example.com/wp-admin/.htpasswd
AuthGroupFile /dev/null
AuthType basic
require user yourusername
- Save the .htaccess file
- Next, generate a hashed password entry with an htpasswd generator
- Copy the hashed password entry into a new file called .htpasswd
It will look something like this (the username before the colon must be the one named in the require user line):
myusername:$apr1$oE1H2Xja$aW2dRnGCkBtnFkrjiLj7p0
- Finally, upload both .htaccess and .htpasswd to /wp-admin/ via FTP
Now only your chosen username and password will grant access.
I walk through this manual process with all my WordPress consulting clients. Don't hesitate to reach out if you need help implementing it correctly.
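A check for the finished file, as an added example that is not part of the original guide: this Python function audits a wp-admin .htaccess built from the Method 2 directives and the admin-ajax.php exemption shown earlier. The function name, the docroot argument and the sample text are constructed for illustration; the document-root finding is a hardening note, because a password file stored there is protected only by the server's rule against serving .ht* files.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: Method 2's directives plus the admin-ajax.php exemption.
# audit_htaccess, docroot and exempt_ok are illustrative names, not a real API.
SAMPLE = """\
AuthName "Admins Only"
AuthUserFile /home/user/public_html/example.com/wp-admin/.htpasswd
AuthGroupFile /dev/null
AuthType basic
require user yourusername
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
"""

def audit_htaccess(text, docroot, exempt_ok=("admin-ajax.php",)):
    """Return findings for a wp-admin .htaccess; an empty list means clean."""
    findings, seen, scope = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r'<Files\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            scope = opened.group(1).strip()
            if scope not in exempt_ok:
                findings.append(f"unexpected <Files {scope}> block")
            continue
        if re.fullmatch(r"</Files\s*>", line, re.I):
            scope = None
            continue
        name, _, arg = line.partition(" ")
        name, arg = name.lower(), arg.strip()
        if scope is None:
            seen[name] = arg  # directory-wide directives only
        # Outside <Files>, 'Satisfy any' lets host-based rules bypass the password.
        if scope is None and name == "satisfy" and arg.lower() == "any":
            findings.append("Satisfy any applies to the whole directory")
    for needed in ("authtype", "authuserfile", "require"):
        if needed not in seen:
            findings.append(f"missing {needed} directive")
    pw = seen.get("authuserfile", "").strip('"')
    if pw and PurePosixPath(docroot) in PurePosixPath(pw).parents:
        findings.append("AuthUserFile is inside the document root")
    return findings

print(audit_htaccess(SAMPLE, "/home/user/public_html"))
```

Pointing AuthUserFile at a path outside the document root clears the one finding the guide's sample produces.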
Lock Down WordPress Beyond wp-admin
Password protecting your admin directory is vital. But you can take WordPress security even further with these tactics:
- Disable XML-RPC – This shuts down a common attack vector. Add this to .htaccess:
# Disable XML-RPC
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>
- Limit Login Attempts – Block brute force attacks. I recommend Limit Login Attempts plugin.
- Add Two-Factor Authentication – Require 2FA for all accounts. Popular plugins include Duo Security and Google Authenticator.
- Change wp-admin URL – Obscure the admin path from attackers. Easily done with Admin Custom Login.
- Monitor Activity – Security plugin Wordfence provides real-time monitoring and alerts.
As you can see, locking down wp-admin is just one piece of the WordPress security puzzle.
But combined with other best practices, it will help fully protect your site.
Conclusion: How to Password Protect wp-admin
I hope this guide provided an expert-level overview of how to properly password protect your WordPress admin directory.
Here's a quick recap of what we covered:
- Using cPanel directory privacy
- Manually adding .htaccess and .htpasswd files
- Fixing common errors like broken Ajax
- Extra WordPress security tactics beyond wp-admin
Securing your WordPress control panel is crucial. Don't leave this vital area unprotected!
Let me know if you have any other questions. I'm always happy to help fellow webmasters secure their WordPress sites.
