Securing Your WordPress WP-Admin Directory

Has your WordPress site been hacked or defaced?  A weak username or password on the wp-admin administrative portal is a common cause.  BsnTech Networks uses a setup that secures the WordPress wp-admin directory by putting an additional layer of protection in front of it.

This extra layer adds nothing if the username and password for the password-protected directory are the same ones you use to log in to WordPress, because an attacker who guesses one pair then has both.  Choose a separate username and a strong password that cannot be guessed.  I recommend not using a username like “admin” or “administrator”; something personalized makes the wp-admin folder much harder to get into.

With this method, anyone who requests the wp-admin folder is first asked by the browser for a username and password (HTTP Basic authentication) before the actual WordPress login page is shown.  Basic authentication sends those credentials with every request only Base64-encoded, not encrypted, so the site should be served over HTTPS.  Used together with the ConfigServer Firewall (CSF) instructions I previously wrote about, this makes the WordPress administrator portal considerably harder to reach.  CSF can be installed if you are using a hosting provider that uses cPanel, or, if you want this protection built in, contact BsnTech Networks so we can host your website and make it much more secure than other providers out there.

So, if you want better protection for your WordPress wp-admin administrator folder, set the folder up as a password-protected directory, but also make sure that the files in it which components, plugins and modules call directly can still be reached.  The instructions below are for web servers running Apache.

  1. Use the HTPASSWD generator to set a username and password, or run the htpasswd tool that ships with Apache on your own machine so the password never leaves it.
  2. Create a file in the administrator folder named “.htpasswd”.  Note the dot in front of the file name.  Copy the line produced by the HTPASSWD generator into the file and save it.  Apache's stock configuration refuses to serve any file whose name starts with .ht, but the file can also live outside public_html so that it does not depend on that rule.
  3. If you can edit the main Apache configuration (httpd.conf or the site's VirtualHost block), the lines in the next step can go there as written.  Otherwise create a “.htaccess” file in your administrator folder.  Again, note the dot in front of the file name.
  4. Use these lines and save the file.  Type the quotes as plain straight quotes; the curly quotes a word processor inserts are not quote characters to Apache.  With the <Directory> sections they are the server-configuration form.  Apache does not allow <Directory> inside an .htaccess file and answers every request with a 500 error if it finds one, so when the rules go in wp-admin/.htaccess, leave out the <Directory ...> and </Directory> lines around the first block: an .htaccess already applies to the folder it lives in.  The wildcard “/*/*” section has no .htaccess equivalent; to keep a sub-folder public from .htaccess, give that sub-folder its own .htaccess containing the Satisfy any and Allow from all lines.  The <Files> section works in either place.
<Directory "<FULL_PATH_TO_ADMINISTRATOR_DIRECTORY>">
     AuthName "Administration"
     AuthType Basic
     AuthUserFile <FULL_PATH_TO_HTPASSWD_FILE>
     require valid-user
</Directory>

<Directory "<FULL_PATH_TO_ADMINISTRATOR_DIRECTORY>/*/*">
     Satisfy any
</Directory>

<Files "admin-ajax.php">
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

Here is what each of the lines above means.  First, find the full path of your account on your web hosting provider and fill it in for “FULL_PATH_TO_ADMINISTRATOR_DIRECTORY”.  For example, if you log in to your web hosting account and see that it lives in the /customer/7828374/home/public_html folder, and WordPress is installed right in that main directory, then “FULL_PATH_TO_ADMINISTRATOR_DIRECTORY” should look like this:

/customer/7828374/home/public_html/wp-admin

Next, AuthName "Administration".  When the browser asks for a username and password, it shows “Administration” as the name of the protected area.

AuthType Basic.  This selects HTTP Basic authentication against the Apache web server, which is what makes the browser show its credential prompt.

AuthUserFile <FULL_PATH_TO_HTPASSWD_FILE>.  This points to the .htpasswd file you created earlier that holds the username and the password hash.  For example, if WordPress is installed in the root hosting directory and your hosting directory is /customer/7828374/home/public_html, <FULL_PATH_TO_HTPASSWD_FILE> should be set to:

/customer/7828374/home/public_html/wp-admin/.htpasswd

require valid-user.  Just that.  Any username listed in the .htpasswd file, presented together with the password that matches its stored hash, is accepted; anything else is refused.

Now, there is a second directory section, “FULL_PATH_TO_ADMINISTRATOR_DIRECTORY/*/*”, with a Satisfy any clause.  The directive is two words; “Satisfy-any” with a hyphen is not a directive, and Apache reports it as an invalid command.  It tells the server that anyone can reach the matching sub-directories under the wp-admin folder without a password, which is what lets plugin files referenced from within the wp-admin folder keep working.  Notice the “/*/*” at the end of the path: an Apache wildcard never matches a slash, so this pattern matches directories exactly two levels below wp-admin (wp-admin/css/colors, for example) and never wp-admin itself, while sub-folders one level down, such as wp-admin/css and wp-admin/js, stay password-protected.  If the wildcard part were left out, the section would cover wp-admin as well and the WordPress administrative login page would no longer be protected.

Finally, there is a group of lines that starts with <Files> and ends with </Files>.  WordPress has an AJAX file, admin-ajax.php, that many plugins call even for visitors who are not logged in.  Those lines make that one file reachable without the password.  They have to be written as a <Files> section exactly as shown because the file sits directly in the wp-admin folder rather than in a sub-directory, so the wildcard section above does not cover it.  Order, Allow and Satisfy are Apache 2.2 access directives; Apache 2.4 still accepts them through mod_access_compat, which most hosts load, and its native equivalent for this exemption is a single Require all granted line.

Do note that the above instructions provide a second layer of security by protecting the WordPress administrator directory, but they must still be used together with a good username and a strong password for the actual WordPress administrator login.

Finally, here is the complete file in its server-configuration form (the <Directory> sections belong in httpd.conf or the VirtualHost; if you use wp-admin/.htaccess instead, drop the <Directory> and </Directory> lines around the first block and the whole “/*/*” section), using the example /customer/7828374/home/public_html as the web hosting root folder:

<Directory "/customer/7828374/home/public_html/wp-admin">
     AuthName "Administration"
     AuthType Basic
     AuthUserFile /customer/7828374/home/public_html/wp-admin/.htpasswd
     require valid-user
</Directory>

<Directory "/customer/7828374/home/public_html/wp-admin/*/*">
     Satisfy any
</Directory>

<Files "admin-ajax.php">
     Order allow,deny
     Allow from all
     Satisfy any
</Files>
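The .htaccess form of the same protection, as a worked example added here (it is not code from the original post or from BsnTech Networks): a POSIX shell script that writes wp-admin/.htaccess without the <Directory> wrapper, writes a per-sub-folder .htaccess in place of the wildcard section, appends a .htpasswd entry, and lints the result for the mistakes that would break the recipe. It assumes the openssl command is available to produce the apr1 hash (the same $apr1$ format that Apache's htpasswd -m writes) and that the server honours the Apache 2.2 access directives (native on 2.2, through mod_access_compat on 2.4). Exempting only the css, js and images sub-folders is this example's choice, not the post's, and the function names, the WP_ADMIN_PASS variable and the protect-wp-admin.sh file name are the example's own.

```shell
#!/bin/sh
# Added example (not code from the original post): the .htaccess form of the
# wp-admin protection, generated and sanity-checked offline.
# Assumptions: `openssl` is installed (for the "$apr1$" hash that htpasswd -m
# also produces) and the server accepts the Apache 2.2 access directives
# (native on 2.2, mod_access_compat on 2.4).
set -u

# Write wp-admin/.htaccess.  $1 = wp-admin directory, $2 = full path to .htpasswd.
# No <Directory> wrapper: Apache rejects it inside .htaccess, and an .htaccess
# already applies to the folder it lives in.
write_htaccess() {
    cat > "$1/.htaccess" <<EOF
AuthName "Administration"
AuthType Basic
AuthUserFile $2
Require valid-user

# Plugins call admin-ajax.php from the public site; let it through unauthenticated.
<Files "admin-ajax.php">
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
EOF
}

# Drop an .htaccess into one sub-folder so its static files load without the
# prompt.  This stands in for the <Directory ".../wp-admin/*/*"> section, which
# only works in the main server configuration.
exempt_subdir() {
    cat > "$1/.htaccess" <<'EOF'
# Auth* settings are inherited from wp-admin/.htaccess; "Satisfy any" plus
# "Allow from all" means passing the host check is enough, so no password here.
Order allow,deny
Allow from all
Satisfy any
EOF
}

# Append "user:$apr1$..." to the .htpasswd file.  $1 = file, $2 = user, $3 = password.
add_htpasswd_user() {
    pwhash=$(printf '%s\n' "$3" | openssl passwd -apr1 -stdin) || return 1
    printf '%s:%s\n' "$2" "$pwhash" >> "$1"
}

# Lint an .htaccess for the mistakes that break this recipe: prints each
# problem found and returns 1 if there was any, 0 if the file looks usable.
check_htaccess() {
    f=$1; rc=0
    if grep -qi '<Directory' "$f"; then
        echo "$f: <Directory> is not allowed in .htaccess (Apache answers 500)"; rc=1
    fi
    if grep -qi 'Satisfy-any' "$f"; then
        echo "$f: 'Satisfy-any' is not a directive, use 'Satisfy any'"; rc=1
    fi
    if grep -q -e '“' -e '”' "$f"; then
        echo "$f: curly quotes are not quote characters to Apache"; rc=1
    fi
    grep -qi '^[[:space:]]*AuthType[[:space:]]*Basic' "$f" \
        || { echo "$f: AuthType Basic is missing"; rc=1; }
    grep -qi '^[[:space:]]*Require[[:space:]]*valid-user' "$f" \
        || { echo "$f: Require valid-user is missing"; rc=1; }
    return $rc
}

# Usage: WP_ADMIN_PASS='...' sh protect-wp-admin.sh /full/path/to/wp-admin alice
# The password comes from the environment rather than argv so it never shows in `ps`.
if [ "$#" -eq 2 ]; then
    admin=$1; user=$2
    write_htaccess "$admin" "$admin/.htpasswd"
    add_htpasswd_user "$admin/.htpasswd" "$user" "${WP_ADMIN_PASS:?set WP_ADMIN_PASS}"
    # Which sub-folders stay public is this example's choice: static assets only,
    # never wp-admin/includes.
    for d in css js images; do
        [ -d "$admin/$d" ] && exempt_subdir "$admin/$d"
    done
    check_htaccess "$admin/.htaccess"
fi
```

After running it against the real wp-admin path, verify from outside the server: a request for /wp-admin/ without credentials must come back as HTTP 401, the same request with the new username and password must reach the WordPress login page, and a request for /wp-admin/admin-ajax.php must not trigger the password prompt.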