htaccess Files and WordPress Security
Submitted by Robert Abela on August 1, 2011 - 2:27 pm 71 CommentsAdding server-side protection around the wordPress wp-admin folder is like adding a second layer of protection to your WordPress admin area, login page and files. Server-side protection can be added by adding a .htaccess file (directory level configuration file) in your wp-admin WordPress sub directory.
Most common attacks against WordPress have been brute force attacks, or sending of specially crafted HTTP requests to WordPress files in wp-admin, therefore it is very important to add an extra layer of protection to the WordPress wp-admin section. By adding the .htaccess file to the wp-admin directory, you are safe guarding your WordPress blog or website from such attacks.
Password protect wp-admin directory with a .htaccess file
With the .htaccess file you can configure the server to password protect all the files in the wp-admin folder. Therefore before accessing WordPress files, such as the admin area login page you have to first authenticate against the server itself, using HTTP authentication. By password protecting the WordPress admin area, if a malicious user tries to access your WordPress admin area login page to launch a brute-force attack, or any other file which resides in the wp-admin directory to send a harmful crafted HTTP request, he is greeted with a server side login prompt and no direct access to WordPress files is possible.
To password protect your WordPress admin area, you have to create a .htpasswd file. A .htpasswd file contains a list of users and passwords used access the wp-admin file. The credentials to access wp-admin, should be different than those you use to login to your WordPress admin area. Once the .htpasswd file has been created, you can then create a .htaccess file and populate it with the below directives:
AuthUserFile /etc/httpd/.htpasswd
AuthType Basic
AuthName “restricted”
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
Note: the AuthUserFile directive should contain the path of where the .htpasswd file is stored on the server or on your hosting space.
Further protection of wp-admin folder with htaccess file
If you always access the blog from a fixed IP, you can also restrict access to the WordPress admin area by IP. To do so, simply add the below directive to the .htaccess file, where xxx.xxx.xxx.xxx is your IP. It is possible to add more IP’s to the list at a later stage by editing the existing .htaccess file.
allow from xxx.xxx.xxx.xxx
You can also block a spammer, bot or malicious user from accessing your blog with the .htaccess file. To do so, simply add the below directive to the .htaccess file where xxx.xxx.xxx.xxx is the IP to be blocked. It is possible to add and remove IP’s to the list at a later stage by editing the existing .htacess file.
deny from xxx.xxx.xxx.xxx
There are many other htaccess directives which you can use to ensure your WordPress security and protect your site or blog from malicious attacks — such as denying directory listing etc. You can read more about .htaccess directives from the Apache Tutorial: .htaccess files. As you can see, by adding a .htaccess file to the WordPress admin area beefs up the security of your WordPress installation.
You can also use .htaccess files in other directories of the WordPress installation, or even in the root directory to fine tune your WordPress installation security. Still it is very important to install the latest version of WordPress and plugins, irrelevant of the extra layers of security you add to your WordPress installation. WebsiteDefender is an online security service that can help you keep up to date and secure your WordPress blog or website. It will also alert you when a new version of WordPress, or a plugin you are using is available.
Related blog article:
2 Trackbacks/Pingbacks
- Pingback: Wordpress Security Tips – Safeguard Your Blog | Technology Bloggers on November 8, 2011
- Pingback: Плагин WP Security Scan. Настройка, использование.Ч2 | БЕЗОПАСНОСТЬ ПК on January 3, 2012
69 Comments
Post a comment
Add your comment below, or trackback from your own site. You can also subscribe to these comments via RSS. Be nice. Keep it clean. Stay on topic. No spam.
Senx 4 great and necessary plugin, but create a .htpasswd file and .htaccess and login and pass and path too, is very very hard for me.
Can u post another, maybe more simple sample?
HI,
We are currently working on publishing more content which is even easier to follow. Subscribe to our RSS or follow us on one of our social network channels (Facebook or Twitter) and you will be alerted once new content is published.
I too am finding these instructions hard to follow- like the previous poster I need a simple example .htpassword file and guidance where to put it.
The .htaccess file seems easier to implement
I need this because I have just recovered from a hack
Hi Ian,
Ideally .htpassword files should be placed in a directory which is not published on the web server, i.e. if you are using a hosting provider, ideally it should be placed in a different directory than the public_html directory. The .htaccess file can be placed in the WordPress root. Before uploading a .htaccess file make sure that there is no other .htaccess file (generated by WordPress) or if there is, simply add the content of your .htaccess file to the exsisting one.
Hi
What would be useful here would be to have a sample .htpassword file and a sample .htaccess file available for download, to be edited and then uploaded to the users servers.
It should be pointed out more clearly that the .htpassword file does not need, nor want, to be in the publicly accessible area of the site (usually under public_html)
Cheers for the great plugin
Hi Robert,
The others are not alone, if you could post specific .htaccess examples where we could simply fill in our own necessary info (maybe put the places we need to change in RED or something) and then save and upload, that would be fabulous. Also, maybe screenshots of where the root directory is vs. public areas in order to help out the abject newbies. We all want to be more secure and we all dearly appreciate your amazing website & service!
Thanks a million,
Donna
Hi all,
We are indeed working on a more detailed blog post which will also explain how to create a .htpasswd file etc. Stay tuned with us via one of our social network channels:
Facebook: http://www.facebook.com/WebsiteDefender
Twitter: http://www.twitter.com/WebsiteDefender
I just tried doing this at one of my sites and was unable to login to wp-admin dashboard so I disabled password protection on wp-admin folder for that site again.
I’m presuming that the user who has access to wp-admin folder could be the same as the site admin user but I’ve also bot the Login Lock plugin installed to enforce password changes for admin accounts every 30 days. Thus, I will hold off on implementing this solution until you have a more thorough tutorial with some files to download, as someone suggested above.
Thanks for keeping an eye on our website security tactics.
Yeah I wish you guys would post up a example htaccess file. I liked your facebook page. Please when you have a few minutes, give us the example code for the .htaccess files so we can put them on our sites. You didn’t give much detail in this area with the exception of telling us we needed it.
HI Marj,
Thank you for showing interest in our blog posts.
Unfortunately it is almost impossible to make a template file available for download since every installation might be different. What we can provide you with is a template which you can use and adopt to your installation, as there is already. As explained earlier on, we are already working on an improved version of this blog post though we won’t be doing any downloadable file. As regards the users, the user used from WordPress cannot be used for HTTP authentication. The users in WordPress are controlled and stored in the WordPress installation, while the users for HTTP Access are typically stored in a htpasswd file, which is separate from a WordPress installation.
Your guys plugin is awesome. Does the plugin do automatic scans
because i cant find a scan now button anywhere
Hi Gene,
Thank you for showing interest in our plugin. Do you mean the WordPress plugins? If yes, these plugins run each time you access the actual Plugin page and alerts you of what needs to be changed, so there is no need for any buttons. If you have any further questions or comments about any of our products, please post them on our official company forums; http://www.websitedefender.com/forums.
I still have the alert for not having an .htaccess on my wp admin section. I have an .htaccess file on my main directory. I’m still hoping you will give an example what a .htaccess file should contain when inside my wp_admin area. Can you give any insight for this?? I guess I could just drop an empty .htaccess file in my wp_admin area.
HI Zachary,
As explained in this blog post, one has to make a username and password file (.htpasswd file) and then use the .htaccess sample used in the blog post itself:
AuthUserFile /etc/httpd/.htpasswd
AuthType Basic
AuthName “restricted”
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
Then there are several other directives which one can add in the .htaccess file, such as protection via IP etc.
Is there a theme that can prevent hackers to hack one site?
Hi Ceejay,
We do not know of any theme and themes are not meant to work like that. What I suggest though is to install a security plugin and also subscribe to an online WordPress security service, such as WebsiteDefender. If you are looking for a WordPress Security plugin, check out our own WebsiteDefender WordPress Security plugin.
Yeah but I don’t know how to write the .htpasswd file. What do I put in it? Can you write an example using “username” and “password”?
I think that is the reason for the confusion in this blog post as most people reading this don’t know much about .htaccess or .htpasswd and what to put in those files as it pertains to the actual syntax used.
Some quick examples would be great.
For example: if I create an .htaccess file, brand new, I simply include:
AuthUserFile /etc/httpd/.htpasswd
AuthType Basic
AuthName “restricted”
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
And that is it? Close and save?
Hi Zachary,
The bold text in the blog post is the actual .htaccess file. All you need to do is copy that text (AuthUserFile should reflect the file of the .htpasswd). We are soon going to post an article on how to generate a .htpasswd file so stay tuned.
please post that article! i’m also lost
Thanks Robert. I will be looking forward to the post on the .htpasswd file. I have installed your plugin on all my clients WP sites. After being hacked a number of times, it helps me sleep well at night.
I’ve tried everyway but Sunday to get this thing to work but no success. I have tried tutorials online and the only thing that is a result is that I’m locked out of my admin panel. I’m hoping that you will put together some kind of generator that will spit out the files we need and just let us know where to upload them.
Till then, I give up.
Could we not just password protect the directory itself? I can easily log into my hosting control panel and password protect the wp-admin folder. I can’t use .htaccess files or even see them for that matter because I’m on a Mac.
Hi Aaron,
Good solution. By the way, the fact that you have a Mac does not mean you cannot access .htaccess files.
Hi Guys, am i supposed to upload both the .htcaccess and .htpasswd into the same directory or can they work even if in different directories?
Hi.
You have to upload the .htaccess file in the directory which you want to protect. The .htpasswd file can be uploaded anywhere and then modify the “AuthUserFile” directive in the .htaccess to reflect the path where the .htpasswd is stored. I’d recommend you to post such questions on our official forums (http://www.websitedefender.com/forums).
You can generate your .htpasswd file with the help of this site: http://www.htaccesstools.com/htpasswd-generator/
I’ve created my .htpasswd with the generator above and copied it to my wp-admin folder (I’ve put it there inside a subfolder) and I also copied the .htaccess file to the wp-admin folder and changed it to point to my subfolder where the .htpasswd file is:
AuthUserFile /blog/wp-admin/mysubfolder/.htpasswd
AuthType Basic
AuthName “restricted”
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
It works fine so far: It will ask for my user and password I’ve generated with the generator.
After this my normal wp-admin login is opening but it’s looking different (no style, no logo, only pure html)? …
If I try then to login with my name and password for my WordPress account I get this error message:
The script could not be executed correctly.
Common causes might be that the file was uploaded in a non-ASCII format or the path to the interpreter (e.g.: #!/usr/bin/perl) is missing or set incorrectly.
Any ideas?
Hi Marcel,
It seems to be something related to permissions. I would recommend you to check the permissions of the wp-admin folder and all the files which are being accessed while logging in. If you have any further queries, I would recommend you to post them on our WebsiteDefender forums, where a helpful community is waiting to assist you.
Gracias, usaré el bloqueo por IP
WSD is an excellent plugin, but what I don’t understand is the need of the suggested password protection in /wp-admin. It doesn’t work because there are other files in that dir that WP calls when you visit the site. Using the suggested .htaccess simply irritates the visitor for the continuous “Enter password” pop up.
Besides why developers didn’t suggest such a measure? Instead they only place the “silent is golden” index.php
IMHO the best security measure is to use at least a secure 13 chars password (numbers, upper and lower case letters plus symbols) and a clever administrator name instead of the default admin.
Hi Luis,
Thank you for showing interest in our plugin.
We recommend to protect wp-admin section with an .htaccess to protect your blog from brute force attacks and from future zero day vulnerabilities that can be exploited against the WP-admin folder without the need to authenticate, as explained in the introduction of such article. By adding an .htaccess file to wp-admin your blog visitors should not be alerted to enter the password. If they are, then something might not be correct with your template or blog installation.
If you have further queries, feel free to post them on the WebsiteDefender official forums.
to protect wp-admin, I found that the following worked. The ErrorDocument label was key. Setup .htpasswd as described as elsewhere on this page.
ErrorDocument 401 default
AuthUserFile /home/username/.htpasswd
AuthType Basic
AuthName “restricted”
Order Deny,Allow
Deny from all
Require valid-user
Or, as Luis suggested above. Only protect the .php files in wp-admin, this resolves issues with other items calling stuff in wp-admin.
ErrorDocument 401 default
AuthUserFile /home/username/.htpasswd
AuthType Basic
AuthName “restricted”
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
Great plugin, thank you.
I generally put the wordpress install in a subfolder, and then at launch, move the site itself up to the main folder, leaving the install where it is. This is done using the htaccess in wordpress itself, kind of the reverse of what is done here: http://codex.wordpress.org/Moving_WordPress
So, just tried setting up htaccess to wp-admin folder using CPanel. Result: WP could no longer find wp-admin folder. I’m baffled, because there was no .htaccess file in the wp-admin folder before. Any ideas, or direction would be welcome.
Hi Norine,
Thank you for getting in touch.
Unfortunately we cannot understand your query. Can you please post your query on our WebsiteDefender forums?
Thank you and looking forward to hearing from you.
Hi!
Thank you for tips!
I did everything like you write here for Password protect wp-admin directory with a .htaccess file
But, then I access to mu /wp-admin/ I get
Error 404 — Not Found
You are trying to reach a page that doesn’t exist here. Maybe I’ve moved out things or maybe you mistyped a link. Try searching:
Can you help me what I need to do?Why I have this Error??
Thanks!
Hi Alina,
Thank you for following our blog.
Unfortunately we cannot assist you in this case without having more details, such as URL of website, content of .htaccess etc. In that case I recommend you to contact our support on support@websitedefender.com.
Looking forward to hearing from you.
Hi!
Thank you! I’m already fix the problem.
I just add
ErrorDocument 401 default
in the .htaccess file and it’s work.
I don’t understand what the meaning of this row, I just find this solution in the net, but it’s work:)
Thank you for your blog!
Post implementing .htpasswd for wp-admin folder I’m not able to change my themes from admin dashboard. Can you please help me why I’m not able to change password. Getting error
“You do not have sufficient permissions to access this page.”
Hi Nishant,
Thank you for getting in touch. Please submit such type of questions on our community driven forums; http://www.websitedefender.com/forums.
Looking forward to hearing from you.
I’ve followed these instructions, but with the .htaccess file in the wp-admin folder it keep getting a 404 Page Not Found error.
I’ve setup my .htpasswd file just like it’s supposed to be…I think…
Hi Robert
There’s no denying that the plug-in is a gem, but I’ve still got a bone to pick. You’ve been promising for three months now that there’ll be a clearer description of the .htaccess and .htpasswd shenanigans. Where is it and why does it take more than three months? I would expect it to take a knowledgeable person a couple of hours to do if there was an honest determination to do so. What is the real score here? Surely a relatively simple text with a few images or even a video that wouldn’t need to be more than a couple of minutes would surely suffice.
Furthermore, the WD team has created a tool to remove the wp_ prefix from the database whatevers. Would it not be possible to develop a tool to assist non-tech people in achieving what the verbose and unclear instructions have hitherto not achieved?
I repeat, I’m not bagging you guys at all, the WD is a great plug-in, it’s just a little mystifying that something that you claim is so important is being dealt with so ambiguously.
Keep up the good work.
Cheers
Hard Yakka
Hi,
I would recommend you to use a .htaccess without any form of credentials at first, i.e. just control the IP access. Then start adding other features, such as credentials. Adding such restrictions one by one, you would know exactly what is wrong.
If you have further queries, post them on our community led forums; http://www.websitedefender.com/forums.
Hi Hard,
We’ve improved this article a couple of times and also added some links in the article which will definitely help. There is no way how we can make it more simple. Strictly speaking, a copy and paste of the sample .htaccess file, change the path of the .htpasswd file should make the trick.
We are thinking of including such feature in the plugin.
I’m running a WordPress website. But, I’ve not enough security. Now I using this security. This article & web defender security very need for us. So, now i’m completely tension free.
Thanks for a great program.
Any chance you could show a example of a fully protected .htaccess file?
That would be great.
Please consider adding a bit of logic to the WP-Security plug-in to check what the underlying web server is. The tool recommends a .htaccess file for my wp-admin directory, but I’m running Nginx, which does not use .htaccess files.
Hi Kim,
A full example of a htaccess file is in the blog post itself.
Hi Lee,
Thank you for showing interest in our plugin.
That is currently one of the features we would like to work on. I would recommend you though to add this feature request to http://ideas.websitedefender.com.
Looking forward to hearing from you.
Hi… I’ve done whatever on this article to create .htpasswd and .htaccess for my wp-admin folder…
I create .htpasswd from xampp with -cm.. and upload on different subfolder.. not in public_html.. and placed .htaccess file like example above (AuthUserFile my own path) on wp-admin folder… but after that when I go to setting or whatever on admin page, I redirected to an error page….. Did I miss something?? please help…
I put an htaccess file in the wp admin folder and the site stopped working so I had to remove it. not sure what I did wrong. the site or host or theme didn’t like what I had there.
can you let me know what basic code this htaccess file should have to protect the admin folder? the info on the htpasswd was confusing to me too so I did not create that.
Ok, so I’m running WordPress within a directory on the server and the .htaccess file for the permalinks etc is in that directoy.
Website Defender says that there isn’t a .htaccess file in the root directory. What should that .htaccess file contain from a security perspective?
Can the .htpasswd file be located in other folders? What if I don’t have access to the etc/httpd folder because I’m only using a shared host?
Hi,
A sample of such file is mentioned in the blog post. If you have issues with some WebsiteDefender alerts I would recommend you to contact us on support@websitedefender.com.
Looking forward to hearing from you.
Hi,
The .htpasswd file can be located in any folder you like. What is important is that in the .htaccess file you specify the correct path for the htpasswd file.
I created a .htpasswd and .htaccess file as suggested. It worked, in the sense that when I went to (mydomain)/wp-admin I was challenged with a username/password prompt, and entering the correct user/passwd got me past it. But it did NOT work in that once I got past that login, all I saw was a blank page. I didn’t see any way to actually get to the WordPress admin options. So I disabled the .htaccess again.
Two questions:
1. How would I get around this?
2. Assuming there’s a way around this, does it mean that in order to actually get to the WP admin panel I would first have to login with the .htaccess user/passwd and then login again at the WordPress level using the WP admin user & password?
3. Okay, I had more than two questions. Assuming I have deleted the default WP admin user and instead created a WP user with a hard-to-guess username and a good long complicated password, isn’t that security enough? What is protected by the .htaccess file that isn’t already protected by the regular WP admin login process?
Hi David,
Below please find your answers.
1. It seems to be a permissions problems. In this case you have to check the files and directory permissions and allow the user used for authenticating access on such files.
2. Correct. You have to use 2 sets of credentials to login.
3. As explained in the article “Most common attacks against WordPress have been brute force attacks, or sending of specially crafted HTTP requests to WordPress files in wp-admin, therefore it is very important to add an extra layer of protection to the WordPress wp-admin section”.
While hoping the above answers your queries, do not hesitate to contact us again.
Thanks. I’m still confused about questions 1 & 3, though.
1. In my wp-admin folder, all the PHP files have permissions “-rw-r–r–” which would seem to grant read permission to all users (assuming they can get into the folder at all.) The permissions on the wp-admin folder itself are “-rwxr-xr-x” which should let anyone into the folder, as long as they pass the .htaccess requirements. So, what would I need to change to make this work?
3. I sort of understand what you’re saying, but not exactly. Do you mean that an HTTP request can be made to specific PHP files in wp-admin and those files would send a response or do some action without checking that the user is logged in with WordPress admin credentials?
I tried this advice and completely lost access to my wordpress. Now I can’t see the .htaccess file to delete it from my server… and I’m guessing I simply have to reinstall wordpress and reload my site from a backup. This is the worst advice blog i’ve ever read.
well… actually, now that i see the .htaccess file, i can at least delete it :p
or maybe this is the security measure: create an .htaccess file, loose access to your “site/wp-admin” login page entirely(i see no other login prompt, just a 404 error) and whenever you need it back, go back and delete the .htacces file
Please help, I’ve created the file. htpasswd and I put in the wp-admin, the following file. httaccessnya.
But now I can not login to wp-admin.
Error message: To bad – Internal Server Error
Hi SuicidalWebNoob,
The fact that you cannot see the htaccess file is most probably because you are using an FTP client that is not showing hidden files. Navigate to the options of such client you are using and enable show hidden files to be able to see the .htaccess file.
I can assure you the above does work, because thousands of people already implemented it. It is also tested and proven by us
Hi SuicidalWebNoob,
The issue you are encountering is because you have some wrong paths specified in the .htaccess file. If you give us ftp access and access to your logs we can sort it out for you. Drop me a mail on ra@acunetix.com with the details and we will sort it out.
Hi David,
Unfortunately offhand I cannot tell you exactly what is wrong because it also depends what kind of configuration you have and with whom you are hosting your WordPress installation. In that case I would recommend you contacting me directly on ra@websitedefender.com and we can help you solve this issue.
Looking forward to hearing from you.
Hi Sigit,
Thank you for following our blog.
You cannot rename an .htaccess file to anything you want. It should be names .htaccess file unless you configure your web server (such as Apache) to read such configuration files, i.e. with non default names.
Hi Robert,
I’ve read your post which seems very clear to understand and implement for beginners like me.
Though I get internal sever error…
This is what I put in the .htaccess which is located in the wp-admin folder.
# Security
AuthUserFile /etc/httpd/.htpasswd
AuthType Basic
AuthName “restricted”
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
# Whitelist work IP address
allow from XXX.XX.XXX.XXX
I followed your .htpasswd instructions and used a generator to create one, very good.
And the path I used was yours, so the .htpasswd is stored in this path wp-admin/etc/httpd/.htpasswd.
I have X’ed my IP and my IP is fixed and definitely correct – so cant really understand where I’m going wrong?
I have posted the .htaccess on github – https://gist.github.com/2358545
Thanks for any advice.
Josh
the path would be
/home/yourcpaneuser/.htpasswds/public_html/wp-admin/passwdfor most default hostings.
So this .htaccess isn`t the same as a file from a root directory?
Hi Josh,
Sorry for the late response. I would recommend you to contact me directly on ra@websitedefender.com regarding this issue. If we can have access to the website (do not publish such details in the comments here) we can sort it out and let me know what was wrong.