9. Protect your wp-admin directory
Protecting your wp-admin directory reduces the ability of hackers to reach the files inside it, which means that if there are any security issues in the code inside wp-admin they can’t exploit them. There are a number of ways to achieve this:
- Password protect the directory
- Only allow specific user IP addresses
- Move your wp-admin directory
Ideally you’d use all of these together for an extra layer of security, and as ever with WordPress there are lots of ways of doing it and some things to watch out for along the way!
Password protecting wp-admin
The main thing to watch out for when password protecting your wp-admin directory is that you don’t break the AJAX functionality of wp-admin/admin-ajax.php, as some plugins use this.
Your web host probably provides a way for you to password protect a specific directory. This will break admin-ajax.php, but it’s not a bad place to start, and you can then customise the result afterwards.
In cPanel you can use the Directory Privacy feature inside your control panel to protect the wp-admin directory.
If your provider uses Plesk then you can use the Password-Protected Directories feature to do the same and protect wp-admin, but this will break the admin-ajax.php used by some plugins, and because Plesk doesn’t store the configuration in a .htaccess file we can’t modify it.
cPanel will create a file called .htaccess (or modify it if it already exists) inside the wp-admin directory; its contents will look similar to:
We need to edit this .htaccess file and change the above entry to:
It might say not to edit it, but unless we want to break admin-ajax.php we have no choice. That’s also why we’ve removed all the warning lines: it stops cPanel from trying to edit the file again, which would break it.
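As an added example (this is not the page’s own cPanel output, which is not reproduced here, and not code from cPanel or WordPress), the change has this general shape: a bare set of HTTP basic authentication directives, which is what a generic "protect this directory" tool typically writes and which also challenges requests to admin-ajax.php, followed by the same directives wrapped in a FilesMatch block so that admin-ajax.php is exempt. The AuthName text and the AuthUserFile path are placeholders to be replaced with whatever your host uses.

```apache
# wp-admin/.htaccess
#
# BEFORE (assumed shape of what a generic directory-protection tool
# writes; not cPanel's exact output). Every file under wp-admin/,
# including admin-ajax.php, now demands a username and password, so a
# front-end plugin that posts to admin-ajax.php gets a 401 instead of
# the data it expected.
#
#   AuthType Basic
#   AuthName "Restricted Area"
#   AuthUserFile "/home/example/.htpasswd-wpadmin"
#   Require valid-user
#
# AFTER: the same directives, scoped with FilesMatch so that the password
# prompt applies to every file whose name does NOT end in admin-ajax.php.
# The pattern is a negative lookbehind: "$" (the end of the filename)
# must not be preceded by "admin-ajax.php".
<FilesMatch "(?<!admin-ajax\.php)$">
    AuthType Basic
    AuthName "WordPress admin"
    # Placeholder path: a file created with the htpasswd tool, kept
    # outside the web root so the server can never serve it.
    AuthUserFile "/home/example/.htpasswd-wpadmin"
    Require valid-user
</FilesMatch>
```

Create the password file with the htpasswd utility that ships with Apache (for example `htpasswd -c -B /home/example/.htpasswd-wpadmin adminuser`, where -B selects bcrypt hashing), then check both behaviours: a browser request for /wp-admin/ should prompt for credentials, while a request for /wp-admin/admin-ajax.php should be answered by WordPress without a prompt (with no action parameter it just replies with the text 0).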
Only allow specific IP addresses
This one can be tricky if you don’t have a fixed IP address at the locations you want to administer your site(s) from, and it also limits you to those locations.
One way around this is to use a VPN (Virtual Private Network) that provides you with a fixed IP address, and then limit your wp-admin directory to the VPN’s IP address.
For most WordPress sites you can IP restrict your wp-admin in the following way:
- Create a new file: a .htaccess file inside the wp-admin directory
- In the file add the following, making sure to change 192.0.2.45 to your own IP address:

    <FilesMatch (?<!admin-ajax\.php)$>
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.45
    </FilesMatch>

- For additional IP addresses you can add more Allow lines, e.g.:

    Allow from 192.0.2.87

So what does this code do? We’ll take a look at it line by line:
<FilesMatch (?<!admin-ajax\.php)$> – Match all files inside this directory except admin-ajax.php (the pattern is a negative lookbehind: it matches the end of any filename that isn’t preceded by admin-ajax.php)
Order Deny,Allow – First apply all the Deny directives, then the Allow directives, so a request that matches an Allow is let through even though it also matches the Deny
Deny from all – Deny all requests
Allow from 192.0.2.45 – Allow requests from the IP address 192.0.2.45
</FilesMatch> – The end of the matching block
There are situations where this may not work for you though:
- Your web host isn’t using Apache or a compatible web server such as LiteSpeed – you’ll need to ask them how you can do it on their platform
- Your website is using Cloudflare or a similar reverse proxy CDN/security service – your web server will only ever see Cloudflare’s IP addresses connecting to it, never your own
Once again, many of the security plugins will allow you to do this as well.
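As an added example that goes a little beyond the article (it is not code from the article or from any plugin), here is the same restriction in the Require syntax that Apache 2.4 uses natively (the Order/Deny/Allow form above still works on 2.4 only through the mod_access_compat module), combined with the password protection so that both checks have to pass, plus, for the Cloudflare case in the second bullet, the server-level mod_remoteip configuration that lets Apache recover the visitor’s real address from the CF-Connecting-IP header that Cloudflare sets. The IP addresses are the page’s documentation-range examples, and the AuthUserFile path and the trusted proxy range are placeholders.

```apache
# --- wp-admin/.htaccess (Apache 2.4 syntax) ---
# Everything except admin-ajax.php must pass BOTH checks: the request has
# to come from an allowed address AND carry valid basic-auth credentials.
<FilesMatch "(?<!admin-ajax\.php)$">
    AuthType Basic
    AuthName "WordPress admin"
    # Placeholder path to the htpasswd file (keep it outside the web root)
    AuthUserFile "/home/example/.htpasswd-wpadmin"
    <RequireAll>
        # Replace with your own fixed or VPN egress address(es).
        # 192.0.2.x is a documentation range, used here as a placeholder.
        Require ip 192.0.2.45 192.0.2.87
        Require valid-user
    </RequireAll>
</FilesMatch>

# --- Server or virtual-host configuration (NOT valid in .htaccess) ---
# Behind Cloudflare (or any reverse proxy) Apache sees the proxy's address,
# so "Require ip" above would lock everyone out, including you. mod_remoteip
# replaces the connection address with the one in the header the proxy sets,
# but only for connections that actually arrive from the trusted proxy
# ranges. Without that restriction anyone could send the header themselves
# and bypass the allow list. Uncomment and put these in the vhost config:
#
#   RemoteIPHeader CF-Connecting-IP
#   RemoteIPTrustedProxy 203.0.113.0/24
#
# 203.0.113.0/24 is a placeholder; list Cloudflare's published ranges
# (https://www.cloudflare.com/ips/) instead, and keep the list current.
```

Two things to check after applying this: mixing the old Order/Deny/Allow directives and the new Require directives in the same scope on Apache 2.4 gives confusing results, so use one style or the other; and if you are behind a proxy, confirm with a request from an address outside the allow list that you still get a 403, otherwise the RemoteIPTrustedProxy line is not doing its job.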
Move your wp-admin directory
We’re not really going to move the wp-admin directory, as that would cause a lot of problems, and it would be easily rediscovered if you’ve got plugins that make use of the AJAX functionality.
What the plugins that “alter” the wp-admin directory actually do is make it so that, to access any other files inside it, you need to use a different address in your browser other than the default one.
One such plugin that allows you to make such a change is All In One WP Security & Firewall, but others are available.