Use .htaccess to protect your WordPress admin area.

You can either use cPanel to do this, or you can upload your own htaccess and htpasswd files. We’ll review both ways in this article.

The cPanel method

This is extremely easy, so let’s go over it first.

Obviously, you’ll need to log in to your cPanel account.

Once logged in, locate the icon labelled “Directory Privacy” and click it. Navigate to your wp-admin folder by clicking on the folder icons (and not the directory names) until you see your wp-admin directory. Once you see the wp-admin directory, click on its name. If your WordPress install is in the public_html directory of your account, you should see a page with a heading like this:

Set permissions for “/home/username/public_html/wp-admin”.

You’ll have to select the checkbox next to: “Password protect this directory.”

Then you’ll have to provide a name – this can be anything you want, I use “admin area” or “sorry hackers” depending on whether it’s a personal or business site. This will be the name on the dialog box that pops up and prompts you for your username and password when you visit your admin area.

Click save.

You should see a screen with a message similar to:

Success: The access permissions for “/home/username/public_html/wp-admin” have been set.

Plus a link in blue underneath this saying “Go Back”. Click “Go Back”.

Now you can enter the username and password you wish to use for this login. Click save again. You should see another message:

Success: The user “user” now has the password “password”.

And tada! Like magic, your wp-admin area is now doubly protected.

Manual method

Ok, now you can also manually do this if you do not have cPanel on your account or if you are like us at EZP here and you just happen to live on the command line. First thing you need to do is fire up this site: http://www.htaccesstools.com/htpasswd-generator/ (or find where your htpasswd binary is and use that, but if you know about the htpasswd binary you probably don’t need to read this article!)

Plug in the username and password you want then click the “Create .htpasswd file” button. This will generate the line you need for your .htpasswd file. Fire up notepad or whatever text editor you use and copy the generated line into that file. Name it “passwd” (without the quotes!), save it & upload it to your account somewhere outside the webroot. In the theme of this example, I would put it somewhere like /home/username/.htpasswds/public_html/wp-admin/passwd.

Next, fire up your text editor once more. This time you’ll want to have the following in the file:

AuthName "Admin Area"
AuthUserFile "/home/username/.htpasswds/public_html/wp-admin/passwd"
AuthType Basic
require valid-user

Save the file and name it “.htaccess” (again without the quotes!). Upload it to the wp-admin directory; in this example that would be /home/username/public_html/wp-admin.

And that is all you need to do!

A second method is to restrict access to the wp-admin area to your IP only. This is a great method if you have a fairly static IP for your workstation and are comfortable updating your htaccess file once in a while when your IP does change. Simply add this block to your primary WordPress .htaccess file in your webroot, I put it at the top of the file.

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 192.168.5.1
</Files>

NOTE – if you experience a “Too many redirects” error, you need to edit the .htaccess file in the root of your WordPress install (again, I ssh to the account and use vi, feel free to download the .htaccess file to your workstation and use notepad or sublime, textmate or whatever you wish). Keeping with the theme of this guide, the .htaccess file you want would be located in “/home/username/public_html/”. Simply add this line to it:

ErrorDocument 401 default

And save the file. This should fix the issue.
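As an added example that is not part of the original guide, here is a small Python checker for the two files built above: it confirms that the wp-admin .htaccess actually enforces Basic auth and keeps the passwd file outside the webroot, and that the root .htaccess allow-list for wp-login.php holds only real IP addresses and carries the ErrorDocument 401 fix. The /home/username paths and the sample file contents are constructed from this guide's own snippets; point WEBROOT at your real DocumentRoot and feed it your own files.

```python
import ipaddress
import os.path
WEBROOT = "/home/username/public_html"  # assumed account layout from the guide
# Constructed copies of the two files the guide has you upload.
WP_ADMIN_HTACCESS = """\
AuthName "Admin Area"
AuthUserFile "/home/username/.htpasswds/public_html/wp-admin/passwd"
AuthType Basic
require valid-user
"""
ROOT_HTACCESS = """\
<Files wp-login.php>
order deny,allow
Deny from all
allow from 192.168.5.1
</Files>
ErrorDocument 401 default
"""

def directives(text):
    """Yield (name, value) pairs; names are lower-cased since Apache directives are case-insensitive."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            yield name.lower(), value.strip().strip('"')

def check_admin_htaccess(text, webroot=WEBROOT):
    """Findings for wp-admin/.htaccess; an empty list means the Basic-auth setup looks right."""
    d, findings = dict(directives(text)), []
    if d.get("authtype", "").lower() != "basic" or "authuserfile" not in d:
        findings.append("AuthType Basic and AuthUserFile must both be present")
    if "require" not in d:
        findings.append("missing 'require valid-user': nothing is actually enforced")
    path = os.path.normpath(d.get("authuserfile", "/"))
    if path.startswith(os.path.normpath(webroot) + os.sep):
        findings.append(f"AuthUserFile {path} sits inside the webroot and could be served to visitors")
    return findings

def check_root_htaccess(text):
    """Findings for the webroot .htaccess: the wp-login.php allow-list and the 401 handler."""
    items, findings = [(n, v.lower()) for n, v in directives(text)], []
    hosts = [v.split()[-1] for n, v in items if n == "allow" and v.startswith("from ")]
    for host in hosts:  # 'all' or a hostname fails here: only explicit IPs/CIDRs belong in the list
        try:
            ipaddress.ip_network(host, strict=False)
        except ValueError:
            findings.append(f"'allow from {host}' is not an IP address or CIDR range")
    if ("errordocument", "401 default") not in items:
        findings.append("missing 'ErrorDocument 401 default': expect the 'Too many redirects' loop")
    return findings
```

Both functions return an empty list for the guide's files; run them against your own .htaccess contents before uploading.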