Password Protect or IP Restriction on WordPress wp-admin Folder (htaccess and htpasswd) | ninjasquad
The wp-admin folder is the most important folder in a WordPress installation: it mainly contains the code for the Dashboard. However, it also holds an important file, admin-ajax.php, which is needed to send requests to the backend via the WordPress UI. So simply blacklisting the entire wp-admin folder may break site functionality.
I have been getting lots of warnings from the plugin “Limit Login Attempts”:
Although this plugin is sufficient to protect your WordPress login dashboard from brute-force attacks by locking out incorrect attempts, I feel it necessary to add one more layer of protection.
Whitelisting admin-ajax.php in .htaccess
We can specify access rules in the .htaccess file, a hidden file in the site root folder or in the wp-admin folder. But first we have to whitelist admin-ajax.php, which we can do via the following:
# placing this at wp-admin folder
<Files /admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
IP Restriction in .htaccess
Then we can allow only certain IPs to access /wp-admin (whitelisting IP addresses) via the following (place it next to the <Files> section mentioned above):
<Limit GET POST PUT DELETE PATCH>
    order deny,allow
    deny from all
    allow from 126.96.36.199
</Limit>
We could also add “ErrorDocument 401 default” at the top of the .htaccess so that a 401 page is shown to the user if access is denied. Here is the entire source of the .htaccess if you want to allow only certain IPs to access the /wp-admin folder (while whitelisting admin-ajax.php):
# placing this at /wp-admin folder
ErrorDocument 401 default
<Limit GET POST PUT DELETE PATCH>
    order deny,allow
    deny from all
    # multiple whitelisted IP addresses are separated by spaces
    allow from 188.8.131.52
</Limit>
<Files /admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
Password Protect the Folder in .htaccess (.htpasswd)
We can also require a username and password. The credentials are stored in a .htpasswd file, which should be placed outside the website directory to reduce the risk of accidental exposure (your home directory is a safe place; remember to set restrictive file permissions on it).
The .htpasswd is a text file in which each line holds one user in username:password format. The password field is not the clear-text password but the MD5-based hash that Apache's htpasswd tool produces (its salted $apr1$ format), not a plain MD5 digest of the password.
# each line is a user
username:password_md5_hash
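To make that credential format concrete, here is an added example (not code from the original post) that implements Apache's $apr1$ scheme, the salted, 1000-round MD5 variant that htpasswd -m writes by default, so a .htpasswd line can be generated and a password verified against an existing line offline. The user name and password values are constructed for the demo.

```python
# Added example, not from the original post: Apache's $apr1$ scheme (salted,
# 1000-round MD5, what `htpasswd -m` writes) so .htpasswd lines can be made
# and checked offline. A bare MD5 of the password is NOT what Apache accepts.
import hashlib, hmac, secrets
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v: int, n: int) -> bytes:
    """crypt(3)-style base64: n chars, least significant 6 bits first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return bytes(out)

def md5_crypt(password: str, salt: str, magic: str = "$apr1$") -> str:
    """FreeBSD md5crypt; magic "$1$" = crypt(3), "$apr1$" = Apache variant."""
    pw, mg, sl = password.encode(), magic.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + mg + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for pl in range(len(pw), 0, -16):   # len(pw) bytes of MD5(pw, salt, pw)
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:                            # per key-length bit: NUL or pw[0]
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    f = ctx.digest()
    for r in range(1000):               # key-stretching rounds
        c = hashlib.md5(pw if r & 1 else f)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(f if r & 1 else pw)
        f = c.digest()
    enc = b"".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in
                   ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return (mg + sl + b"$" + enc + _to64(f[11], 2)).decode()

def htpasswd_line(user: str, password: str) -> str:
    # one .htpasswd line with a fresh random 8-char salt (constructed demo values)
    salt = "".join(secrets.choice(ITOA64.decode()) for _ in range(8))
    return f"{user}:{md5_crypt(password, salt)}"

def verify(line: str, user: str, password: str) -> bool:
    # re-hash with the stored salt and compare in constant time
    name, _, stored = line.partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored[len("$apr1$"):].split("$", 1)[0]
    return hmac.compare_digest(md5_crypt(password, salt), stored)
```

For production use, htpasswd -B (bcrypt) is the stronger choice; this script exists to show what the stored field actually contains and how Apache checks it.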
Then we can specify the password protection in .htaccess (complete source of the .htaccess, again whitelisting admin-ajax.php). AuthUserFile gives the full path to the .htpasswd credential file:
# placing this at /wp-admin folder
ErrorDocument 401 default
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/user/.htpasswd
require valid-user
<Files /admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
Then, when visiting /wp-admin, you should see an authentication dialog pop up:
If invalid credentials are provided, you should see the following message (401 Unauthorized):
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn’t understand how to supply the credentials required.
Apache/2.4.41 (Ubuntu) Server at helloacm.com
We then need to test /wp-admin/admin-ajax.php to see whether it is being whitelisted: it should return 400 Bad Request with a content body of “0”.