In the dynamic realm of web development, establishing a secure and user-centric environment stands as a fundamental imperative. The amalgamation of WordPress, renowned for its robust backend capabilities, with the versatile frontend framework Feather.js, presents a compelling avenue for developers to implement sophisticated authentication and user management systems. This article delves into the significance of […]
Do you want to learn how to password-protect your WordPress admin directory?
Adding another layer of password protection to your WordPress admin directory can be a great way to improve your WordPress security.
In this article, you’ll learn how you can password-protect your wp-admin directory easily.
Why Password Protect Your WordPress Admin Directory?
By password-protecting your WordPress admin directory, you improve the security of the most important entry point to your WordPress website.
Your WordPress admin dashboard is the central hub of your site. It’s where you’ll publish posts and pages, customize your theme, install WordPress plugins, and more.
Often, when hackers try to get into your website, they’ll do it through the wp-admin screen. You can help to protect your website against potential attacks by using a secure password and limiting login attempts.
To be even more secure, you can also password-protect the wp-admin directory. Then when someone attempts to access your admin area, they’ll need to enter a username and password before they ever make it to the WordPress login screen.
With that said, let’s take a look at how you can password-protect your WordPress admin directory step by step.
The first method is recommended for most users, and you can use the quick links below to jump straight to the method you want to use.
Method 1: Password-Protect wp-admin Using Directory Privacy (Recommended)
The easiest way to password-protect your WordPress admin directory is by using your WordPress hosting provider’s Directory Privacy app.
First, you need to log in to your hosting account dashboard and click on the ‘Directory Privacy’ option in the Files section of your website’s advanced settings.
Note: Most web hosts using cPanel, like Bluehost, will have similar steps. However, your dashboard might be slightly different from our screenshots depending on your hosting provider.
This brings you to a screen that lists all of the different directories on your server. You need to find the folder that contains your website files.
For most website owners, this can be found by clicking on the ‘public_html’ folder.
This brings up all of the website files you’ve installed on your server.
Next, you’ll need to click on the folder with your website’s domain name.
In that folder, you’ll see a ‘wp-admin’ folder.
Instead of clicking the folder name, you’ll need to click the ‘Edit’ button next to that folder.
This brings you to a screen where you can turn on password protection.
Simply check the box that says ‘Password protect this directory’. If you like, you can also give your directory a name like ‘Admin Area’ to help you remember.
Once you’ve done that, you’ll need to click the ‘Save’ button.
This will take you to a page where the confirmation message will appear.
Now you’ll need to click the ‘Go Back’ button and you’ll be taken to a screen where you can create a user that will be able to access this directory.
You will be asked to enter a username and password, and then confirm the password. Make sure to note your username and password in a safe place, such as a password manager app.
Make sure you click the ‘Save’ button when you’ve done that.
Now, when someone tries to access your wp-admin directory, they will be prompted to enter the username and password you created above.
Method 2: Password-Protect wp-admin Using Code
You can also password-protect your WordPress admin directory manually. To do this you’ll need to create two files called .htpasswd and .htaccess.
Note: Adding any code to your website can be dangerous. Even a small mistake can cause major errors on your site. We only recommend this method for advanced users.
Creating the .htaccess File
First, open up your preferred text editor and name the new file .htaccess.
After that, you need to copy the following code snippet and add it to the file.
Make sure you change the ‘AuthUserFile’ path to the location where you’ll upload the .htpasswd file and change ‘yourusername’ to the username you want to use to log in.
Don’t forget to save the file when you’re finished.
Creating the .htpasswd File
Once you’ve done that, you need to create a .htpasswd file.
To do this, open up a text editor and create a file called .htpasswd. This file will list your username along with your password in an encrypted format.
The easiest way to generate the encrypted password is with a htpasswd generator.
Simply enter your username and password, select the encryption format, and click the ‘Create .htpasswd file’ button.
The htpasswd generator will display a line of text that you need to paste into your .htpasswd file. Make sure you save the file once you’ve done that.
Uploading .htaccess and .htpasswd to the wp-admin Directory
The last step is to upload both of the files you created to your website’s wp-admin folder.
You will need to connect to your WordPress hosting account using an FTP client or the online file manager tool provided by your hosting provider. For more details, see our beginner’s guide on how to use FTP to upload files to WordPress.
For this tutorial, we’ll use FileZilla because it’s free and works on both Mac and Windows.
Once you have connected to your website, you will see the files on your computer in the left window, and the files on your website in the right. On the left, you need to navigate to the location where you saved the .htaccess and .htpasswd files.
Then on the right, you need to go to the wp-admin directory for the website you wish to protect. Most users will need to double-click the ‘public_html’ folder, then the folder with their domain name, then the ‘wp-admin’ folder.
Now you can select the two files on the left and click ‘Upload’ from the right-click menu or simply drag the files onto the left window.
Now your ‘wp-admin’ directory will be password protected.
Troubleshooting wp-admin Password Protection
Depending on how your server and website are set up, there’s a chance you might run into errors. These errors can be fixed by carefully adding code to your .htaccess file.
Note: This is the .htaccess file located in your main website folder, not the one you uploaded to the ‘wp-admin’ folder. If you’re having trouble finding it, then see our guide on why you can’t find .htaccess and how to locate it.
Fixing the Ajax Not Working Error
One of the most common errors is that Ajax functionality may stop working on the front end of your site. If you have WordPress plugins that require Ajax, such as live Ajax search or Ajax contact forms, then you will notice that these plugins won’t work anymore.
To fix this, simply add the following code to the .htaccess file that’s located in your ‘wp-admin’ folder.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
The simplest way to fix them is to open up your main .htaccess file located in your website directory and add the following line of code before the WordPress rules.
ErrorDocument 401 default
We hope this article helped you learn how to password-protect your WordPress admin (wp-admin) directory. You may also want to see our expert picks of the best email marketing services for small businesses and our guide on how to get a free email domain.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
Do you want to disable directory browsing in WordPress?
Directory browsing can put your site at risk by showing important information to hackers which can be used to exploit vulnerabilities in your site’s plugins, themes, or even your hosting server.
In this article, we will show you how you can disable directory browsing in WordPress.
What Does Disabling Directory Browsing in WordPress Do?
Every time someone visits your website, your web server will process that request.
Usually, the server delivers an index file to the visitor’s browser, such as index.html. However, if the server can’t find an index file, then it may show all the files and folders in the requested directory instead.
This is directory browsing, and it’s often enabled by default.
If you’ve ever visited a site and seen a list of files and folders instead of a webpage, then you’ve seen directory browsing in action.
The problem is that hackers can use directory browsing to see the files that make up your website, including all the themes and plugins that you’re using.
If any of these themes or plugins have known vulnerabilities, then hackers can use this knowledge to take control of your WordPress blog or website, steal your data, or perform other actions.
Attackers may also use directory browsing to look at the confidential information inside your files and folders. They might even copy your website’s contents, including content that you would usually charge for such as ebook downloads or online courses.
This is why it’s considered a best practice to disable directory browsing in WordPress.
How to Check is Directory Browsing is Enabled in WordPress
The easiest way to check whether directory browsing is currently enabled for your WordPress website is by simply visiting the /wp-includes/ folder link like this: https://example.com/wp-includes/.
You’ll want to replace www.example.com with your website’s URL.
If you get a 403 Forbidden or similar message, then directory browsing is already disabled on your WordPress website.
If you see a list of files and folders instead, then this means that directory browsing is enabled for your website.
Since this makes your website more vulnerable to attack, you’ll typically want to block directory browsing in WordPress.
How to Disable Directory Browsing in WordPress
To disable directory listing, you’ll need to add some code to your site’s .htaccess file.
To access the file, you’ll need an FTP client, or you can use the file manager app inside your WordPress hosting control panel.
After connecting to your site, simply open your website’s ‘public’ folder and find the .htaccess file. You can edit the .htaccess file by downloading it to your desktop and then opening it in a text editor like Notepad.
At the very bottom of the file, simply add the following code:
Options -Indexes
It will look something like this:
Once you’re done, save your .htaccess file and upload it back to your server using an FTP client.
That’s it. Now if you visit the same http://example.com/wp-includes/ URL, you’ll get a 403 Forbidden or similar message.
One of the biggest horrors a site owner can experience is having their site hacked. This causes delays in the business and exposes information (both yours and your customers’) that…
The security breaching incidents of WordPress is already on air. Two major security breaches of WordPress have already been reported in recent years. However, WordPress could become as secure as…
How can you determine the WordPress version of a site without accessing the CMS Backend? The most reliable method is to log in to the “wp-admin” area and check under…
We know the struggle of having 20 social media accounts, from personal to business ones, emails, sites, and so on. Especially nowadays, once you are logged in on your smartphone, you do not need to...
Do you want to remove the WordPress version number from your website?
Many believe that removing the WordPress version number from your website’s source code can prevent some common online attacks.
In this article, we’ll show you how to easily remove WordPress version number the right way.
Why Remove WordPress Version Number?
By default, WordPress leaves its footprints on your site for the sake of tracking. That is how we know that WordPress is the top website builder in the world.
However, sometimes this footprint might be a security leak on your site if you are not running the most updated version of WordPress. It provides the hacker with useful information by telling them which version you are running.
We recommend using the latest version of WordPress on all your websites so you don’t have to worry about this. However, if for some reason you are running an older version of WordPress, then you should definitely follow this tutorial.
It is quite difficult to remove all traces of which WordPress version you are using on your website. A sophisticated attack may still be able to find that information.
However, it will prevent automatic scanners and other less sophisticated attempts from guessing your WordPress version.
That being said, let’s take a look at some ways to easily remove version number from your WordPress website.
Method 1. Remove WordPress Version Number using Sucuri
This method is easier and recommended for all users.
Upon activation, the plugin will automatically hide WordPress version information. You can verify it by visiting Sucuri Security » Settings and switching to the Hardening tab.
Method 2. Manually Remove WordPress Version Information
This method doesn’t work as a new theme update will automatically replace the old template with the new file.
Another commonly recommended, but inefficient method is to put this code in your theme’s functions.php or site-specific plugin:
remove_action('wp_head', 'wp_generator');
This will only remove the information from the WordPress header. The version number will still be visible in your website’s RSS feeds.
The right way to remove WordPress version information is by disabling the function responsible for displaying it.
In order for you to completely remove your WordPress version number from both your head file and RSS feeds, you will need to add the following code to a site-specific plugin or code snippets plugin.
function wpbeginner_remove_version() {
return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');
By adding this code, you will remove the WordPress version number from WordPress RSS feeds and your website’s head section.
Can You Completely Hide WordPress Version?
WordPress may still add the version information in various other places throughout your website. For instance, it is included as the query string in source code for CSS and JS files.
Removing all instances of WordPress version information can be time-consuming, complicated, and may not always work.
From a security perspective, removing the obvious generator tags can protect you from some very common attacks.
However, if someone is determined to break into your website, then hiding your WordPress version number does little to stop this.
You need to implement a proper WordPress security setup in place to make your website more secure. This adds layers of security around your website making it harder to hack into.
WordPress is a tool that was initially used by bloggers, but over the years, it has become a very popular website builder and is used by many website owners and companies. It has proven itself to be an excellent content managing platform. Its popularity is attributed to the ease with which it can be used […]