Password or IP address to protect the wp-admin directory of your WordPress blog (and allow admin-ajax.php)

Original link: https://justyy.com/archives/47253


The wp-admin folder is the most important folder in a WordPress installation: it holds the code for the Dashboard and the rest of the administration interface. It also contains admin-ajax.php, a file that normal blog functions (front-end and plugin AJAX requests) depend on, so simply blocking the entire wp-admin directory can break some of those functions.

I’ve been getting some email alerts over the last few days because I installed a plugin called Limit Login Attempts. This plugin blocks an IP address after too many failed login attempts to the admin area, which effectively prevents brute-force attempts to crack the password.

WordPress Limit Login Attempts email warnings (screenshot)

I don’t feel safe enough, so I added an IP address allow list plus password protection to wp-admin, so it’s foolproof.

Allow admin-ajax.php in .htaccess

We can specify access rules in an .htaccess file, which can be placed in the website root directory or in the wp-admin folder of WordPress (the snippets below assume the wp-admin folder). We have to whitelist admin-ajax.php first, which we can do as follows:

 # Put in /wp-admin folder
 # Order/Allow/Deny are Apache 2.2-style directives; Apache 2.4 needs mod_access_compat enabled for them
 # <Files> matches on the file name only, so no leading slash
 <Files admin-ajax.php>
     Order allow,deny
     Allow from all
     Satisfy any
 </Files>

IP address restriction in .htaccess

Then we can allow only certain IP addresses to access /wp-admin with the following block, placed in the same .htaccess file alongside the Files section above:

 # Only the listed methods are restricted (a GET limit also covers HEAD);
 # other methods such as OPTIONS stay open, so to restrict every method leave out the <Limit> wrapper
 <Limit GET POST PUT DELETE PATCH>
     order deny,allow
     deny from all
     allow from 12.34.56.78
 </Limit>

We can also add ErrorDocument 401 default at the top of the .htaccess file so that the user is shown a 401 page when access is denied. If you only want to allow certain IP addresses to access the /wp-admin folder (with admin-ajax.php whitelisted), here is the full .htaccess:

 # Put in /wp-admin folder
 ErrorDocument 401 default

 <Limit GET POST PUT DELETE PATCH>
     order deny,allow
     deny from all
     # Replace with your whitelisted IP address; separate multiple addresses with spaces
     # (comments must be on their own line in Apache configuration)
     allow from 12.34.56.78
 </Limit>

 <Files admin-ajax.php>
     Order allow,deny
     Allow from all
     Satisfy any
 </Files>
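Before deploying an allow list like the one above it helps to check two things offline: which client addresses the "allow from" tokens actually admit (Apache accepts full addresses, CIDR ranges and partial IPv4 prefixes such as "10.1"), and which HTTP methods a <Limit> section leaves unrestricted. The following Python script is an added example written for this page, not code from the original post; the sample .htaccess text it parses is constructed here with documentation addresses, and the parser only understands the "allow from" forms just listed (no hostnames or env= conditions).

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed sample modelled on the .htaccess above (203.0.113.0/24 is a documentation range)
SAMPLE_HTACCESS = """\
ErrorDocument 401 default
<Limit GET POST PUT DELETE PATCH>
order deny,allow
deny from all
# allow-list entries are space separated; CIDR and partial prefixes are accepted
allow from 12.34.56.78 203.0.113.0/24
</Limit>
"""

# Apache treats a GET limit as also restricting HEAD; nothing else is implied.
IMPLIED = {"GET": {"HEAD"}}
COMMON_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH",
                  "OPTIONS", "TRACE", "CONNECT", "PROPFIND"]


def parse_limit_block(htaccess: str) -> Tuple[List[str], List[str]]:
    """Return (methods named in <Limit>, tokens from all 'allow from' lines inside it)."""
    m = re.search(r"<Limit\s+([^>]+)>(.*?)</Limit>", htaccess, re.S | re.I)
    if not m:
        raise ValueError("no <Limit> block found")
    methods = m.group(1).split()
    allows: List[str] = []
    for raw in m.group(2).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Apache only allows comments on their own line
        if line.lower().startswith("allow from"):
            allows.extend(line.split()[2:])
    return methods, allows


def _to_network(entry: str):
    """Translate one 'allow from' token: full address, CIDR, or a partial IPv4 prefix like '10.1'."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass
    parts = entry.split(".")
    if 1 <= len(parts) <= 3 and all(p.isdigit() and int(p) <= 255 for p in parts):
        padded = ".".join(parts + ["0"] * (4 - len(parts)))
        return ipaddress.ip_network(f"{padded}/{8 * len(parts)}")
    raise ValueError(f"unsupported allow from entry: {entry!r}")


def is_allowed(client_ip: str, allow_from: Iterable[str]) -> bool:
    """Decision for 'order deny,allow / deny from all / allow from <list>'."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == net.version and ip in net
               for net in map(_to_network, allow_from))


def unrestricted_methods(limit_methods: Iterable[str]) -> List[str]:
    """Common methods the <Limit> section leaves unrestricted; ideally this list is empty."""
    covered = set()
    for m in limit_methods:
        covered.add(m.upper())
        covered |= IMPLIED.get(m.upper(), set())
    return [m for m in COMMON_METHODS if m not in covered]


if __name__ == "__main__":
    methods, allows = parse_limit_block(SAMPLE_HTACCESS)
    for ip in ("12.34.56.78", "203.0.113.9", "198.51.100.1"):
        print(ip, "allowed" if is_allowed(ip, allows) else "denied")
    print("methods left unrestricted by <Limit>:", unrestricted_methods(methods))
```

Run against the page's method list, unrestricted_methods reports OPTIONS, TRACE, CONNECT and PROPFIND as still open, which is the reason the directives are better applied without a <Limit> wrapper when the goal is to fence off the whole folder.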

Folder password protection .htaccess (.htpasswd)

We can also store a username and password in a .htpasswd file. This file should be placed outside the web root so that it cannot be served by accident (for security, it is best to put it in your home directory with appropriate access permissions).

.htpasswd is a text file with one username and password per line, separated by a colon. The password after the colon is stored as an MD5 hash:

 # Each line specifies an account and its password hash
 username:password_md5_hash

Then we can enable password protection in .htaccess (full source, with admin-ajax.php whitelisted). AuthUserFile must be the full path to the .htpasswd file:

 # Put in /wp-admin folder
 ErrorDocument 401 default

 AuthType Basic
 AuthName "Restricted Area"
 AuthUserFile /home/user/.htpasswd
 require valid-user

 <Files admin-ajax.php>
     Order allow,deny
     Allow from all
     Satisfy any
 </Files>
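The "MD5 hash" in a .htpasswd line is not a plain MD5 digest but Apache's salted, 1000-round "$apr1$" variant, the format that "htpasswd -m" writes. The script below is an added example for this page, not code from the original post or from Apache: it generates such entries in pure Python and verifies a login against the contents of a .htpasswd file, so you can see exactly what the server compares. The sample accounts are constructed; the only assumption is that every entry uses the $apr1$ format (htpasswd also supports bcrypt via -B, which is the stronger choice on current servers).

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: emit `count` characters, lowest 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def new_salt(length: int = 8) -> str:
    """Random salt from the itoa64 alphabet, as htpasswd generates it."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def apr1_md5(password: str, salt: str) -> str:
    """Apache APR1 MD5 crypt: returns '$apr1$<salt>$<22 chars>'."""
    pw = password.encode("utf-8")
    salt = salt[:8]                       # at most 8 salt characters are used
    sb = salt.encode("ascii")
    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)                   # mix in `alt`, up to 16 bytes per 16 bytes of password
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)                        # one byte per bit of the password length
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                 # fixed 1000-round stretching
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    f = final                             # output bytes are interleaved in this fixed order
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def make_htpasswd_entry(username: str, password: str, salt: str = "") -> str:
    """One .htpasswd line: username:$apr1$salt$hash (fresh random salt unless one is given)."""
    if ":" in username:
        raise ValueError("username may not contain ':'")
    return f"{username}:{apr1_md5(password, salt or new_salt())}"


def verify_htpasswd(htpasswd_text: str, username: str, password: str) -> bool:
    """Check a login against the text of a .htpasswd file ($apr1$ entries only)."""
    for line in htpasswd_text.splitlines():
        user, sep, stored = line.partition(":")
        if not sep or user != username or not stored.startswith("$apr1$"):
            continue
        parts = stored.split("$", 3)      # ['', 'apr1', salt, hash]
        if len(parts) != 4:
            continue
        return hmac.compare_digest(apr1_md5(password, parts[2]), stored)
    return False


if __name__ == "__main__":
    # Constructed sample file with two accounts (not real credentials)
    sample = "\n".join([
        make_htpasswd_entry("alice", "correct horse battery staple"),
        make_htpasswd_entry("bob", "hunter2"),
    ])
    print(sample)
    print(verify_htpasswd(sample, "alice", "correct horse battery staple"))  # True
    print(verify_htpasswd(sample, "alice", "hunter2"))                       # False
```

The stored string carries its own salt, so verification simply re-runs apr1_md5 with that salt and compares in constant time; there is no shared secret in the .htaccess file, which is why only the .htpasswd file needs to live outside the web root.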

Then, when accessing /wp-admin, you should see the authentication dialog pop up:

Sign-in dialog (screenshot)

If the provided credentials (username and password) are invalid, you should see the following message (401 Unauthorized):

unauthorized

This server cannot verify that you have access to the requested document. You provided incorrect credentials (e.g., wrong password), or your browser doesn’t understand how to provide the required credentials.

Apache/2.4.41 (Ubuntu) server at helloacm.com

We also need to test /wp-admin/admin-ajax.php to confirm that it is whitelisted: a plain request with no action parameter should return 400 Bad Request with the body “0”, not a 401.

English blog: Password Protect or IP Restriction on WordPress wp-admin Folder (htaccess and htpasswd)


The post Password or IP address protects the wp-admin directory of a WordPress blog (and allows admin-ajax.php) first appeared on Lai Zi’s UK Life and News.

This article is reproduced from: https://justyy.com/archives/47253
This site is for inclusion only, and the copyright belongs to the original author.