Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
Copa WPB
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts

Cómo proteger con contraseña el directorio del administrador de WordPress (wp-admin)

Los propietarios de sitios web deben dar prioridad a la seguridad de WordPress para proteger sus datos confidenciales y mantener la confianza de sus usuarios. Una forma muy efectiva de hacerlo en WPBeginner es protegiendo con contraseña nuestro directorio de administrador / administración de WordPress.

El directorio wp-admin es el centro de control de tu sitio WordPress. Es donde se gestiona todo, desde el contenido hasta los ajustes, por lo que es un objetivo principal para los hackers. Proteger con contraseña tus archivos de administrador los mantendrá a salvo de ataques.

Este artículo proporciona una guía sencilla para proteger fácilmente con contraseña su directorio wp-admin y reforzar la seguridad de su sitio web.

How to Password Protect Your WordPress Admin (wp-admin) Directory

¿Por qué proteger con contraseña el directorio de administrador de WordPress?

Al proteger con contraseña su directorio de administrador de WordPress, añade una capa adicional de seguridad al punto de entrada / registro más importante de su sitio web WordPress.

Tu escritorio de administrador de WordPress es el eje central de tu sitio. Es donde publicará entradas y páginas, personalizará su tema, instalará plugins de WordPress y mucho más.

A menudo, cuando los hackers intentan entrar en su sitio web, lo hacen a través de la pantalla de wp-admin mediante un ataque de fuerza bruta.

Puede ayudar a proteger su sitio web contra posibles ataques utilizando medidas de seguridad como una contraseña segura y limitando los intentos de acceder / acceso.

Para estar aún más seguro, también puedes proteger con contraseña el directorio wp-admin. Así, cuando alguien intente acceder a su área de administrador, tendrá que introducir un nombre de usuario y una contraseña antes de llegar a la página de acceso / acceso de WordPress.

Dicho esto, echemos un vistazo a cómo puede proteger con contraseña su directorio de administrador de WordPress paso a paso.

El primer método es el recomendado para la mayoría de los usuarios, y puedes utilizar los enlaces rápidos que aparecen a continuación para saltar directamente al método que desees utilizar:

Tutorial en vídeo

Subscribe to WPBeginner

Si prefiere instrucciones escritas, siga leyendo.

Método 1: Proteger wp-admin con contraseña usando Privacidad de directorios (Recomendado)

La forma más sencilla de proteger con contraseña el directorio de administradores de WordPress es utilizar la aplicación de privacidad de directorios de su proveedor de alojamiento de WordPress.

En primer lugar, debe acceder al panel de control de su cuenta de alojamiento y hacer clic en la opción “Privacidad del directorio” de la sección Archivos del panel de control cPanel de su sitio web.

Click on the Directory Privacy option in the Files section

Nota: La mayoría de los alojamientos web que utilizan cPanel, como Bluehost, tendrán pasos similares. Sin embargo, su Escritorio puede ser ligeramente diferente de nuestras capturas de pantalla, dependiendo de su proveedor de alojamiento.

Esto le lleva a una pantalla que enumera todos los diferentes directorios de su servidor. Debe encontrar la carpeta que contiene los archivos de su sitio web.

La mayoría de los propietarios de sitios web lo encuentran al hacer clic en la carpeta “public_html”.

Click public_html

Esto muestra todos los archivos del sitio web que ha instalado en su servidor.

A continuación, deberá hacer clic en la carpeta con el nombre de dominio de su sitio web.

Click domain name folder

En esa carpeta, verá una carpeta wp-admin.

En lugar de hacer clic en el nombre de la carpeta, tendrás que hacer clic en el botón “Editar” situado a su lado.

Click edit wp-admin folder

Accederá a una pantalla en la que podrá activar la protección mediante contraseña.

Simplemente marca la casilla que dice ‘Proteger este directorio con contraseña’. Si lo desea, también puede dar a su directorio un nombre como ‘Área de administrador’ para ayudarle a recordar.

Check password protect directory box

Una vez hecho esto, tendrás que hacer clic en el botón “Guardar”.

Esto le llevará a una página donde aparecerá el mensaje de confirmación.

Confirmation message click back button

Ahora, tendrá que hacer clic en el botón “Volver” y accederá a una pantalla en la que podrá crear un usuario que podrá acceder a este directorio.

Se te pedirá que introduzcas un nombre de usuario y una contraseña y que los confirmes. Asegúrese de anotar su nombre de usuario y contraseña en un lugar seguro, como una aplicación de gestión de contraseñas.

Create a User

Asegúrate de hacer clic en el botón “Guardar” cuando lo hayas hecho.

Ahora, cuando alguien intente acceder a su directorio wp-admin, se le indicará que introduzca el nombre de usuario y la contraseña que creó anteriormente.

Password protect WordPress admin example

Método 2: Proteger wp-admin con contraseña usando un código

También puede proteger manualmente su directorio de administrador de WordPress con una contraseña. Para ello, tendrá que crear dos archivos llamados .htpasswd y .htaccess.

Nota: Añadir cualquier código a su sitio WordPress puede ser peligroso. Incluso un pequeño error puede causar errores importantes en su sitio web. Solo recomendamos este método para usuarios avanzados.

Creación del archivo .htaccess

En primer lugar, abra su editor de texto preferido y nombre el nuevo archivo .htaccess.

A continuación, copie el siguiente fragmento de código y añádalo al archivo:

AuthName "Admins Only"
AuthUserFile /home/user/public_html/example.com/wp-admin/.htpasswd
AuthGroupFile /dev/null
AuthType basic
require user yourusername

Asegúrese de cambiar la ruta “AuthUserFile” a la ubicación donde subirá el archivo .htpasswd y cambie “yourusername” por el nombre de usuario que desea utilizar para acceder.

No olvides guardar el archivo cuando hayas terminado.

Creación del archivo .htpasswd

Una vez hecho esto, deberá crear un archivo .htpasswd.

Para ello, abra un editor de texto y cree un archivo llamado .htpasswd. Este archivo mostrará tu nombre de usuario junto con tu contraseña en un formato cifrado.

La forma más sencilla de generar la contraseña cifrada es con un generador htpasswd.

Sólo tiene que introducir su nombre de usuario y contraseña, seleccionar el formato de cifrado y hacer clic en el botón “Crear archivo .htpasswd”.

Create htpasswd file

El generador htpasswd mostrará una línea de texto que deberá pegar en su archivo .htpasswd. Asegúrese de guardar el archivo una vez hecho esto.

Subida de .htaccess y .htpasswd al directorio wp-admin

El último paso es subir los dos archivos que has creado a la carpeta wp-admin de tu sitio web.

Deberá conectarse a su cuenta de alojamiento de WordPress mediante un cliente FTP o la herramienta de gestión de archivos en línea que le proporcione su proveedor de alojamiento. Para más detalles, consulte nuestra guía para principiantes sobre cómo utilizar FTP para subir archivos a WordPress.

Para este tutorial, utilizaremos FileZilla porque es gratuito y funciona tanto en Mac como en Windows.

Una vez que se haya conectado a su sitio web, verá los archivos de su ordenador en la ventana de la izquierda y los archivos de su sitio web en la de la derecha. A la izquierda, debe navegar hasta la ubicación donde guardó los archivos .htaccess y .htpasswd.

A continuación, a la derecha, debe ir al directorio wp-admin del sitio web que desea proteger. La mayoría de los usuarios tendrán que hacer doble clic en la carpeta public_html, luego en la carpeta con su nombre de dominio y, por último, en la carpeta wp-admin.

Ahora, puede seleccionar los dos archivos de la izquierda y hacer clic en “Subir” en el menú del botón derecho o simplemente arrastrar los archivos a la ventana de la izquierda.

Uploading the Files to Your Website's wp-admin Directory

Ahora, su directorio ‘wp-admin’ estará protegido por contraseña.

Diagnosticar la protección de contraseña de wp-admin

Dependiendo de cómo estén establecidos tu servidor y tu sitio web, existe la posibilidad de que te encuentres con errores de WordPress. Estos errores pueden corregirse añadiendo cuidadosamente código a tu archivo .htaccess.

Nota: Este es el archivo .h taccess ubicado en la carpeta principal de tu sitio web, no el que subiste a la carpeta ‘wp-admin’. Si tiene problemas para encontrarlo, consulte nuestra guía sobre por qué no puede encontrar.htaccess y cómo localizarlo.

Corrección del error Ajax no funciona

Uno de los errores más comunes es que la funcionalidad Ajax puede dejar de funcionar en el front-end de su sitio. Si usted tiene plugins de WordPress que requieren Ajax, como la búsqueda en vivo Ajax o formularios de contacto Ajax, entonces usted se dará cuenta de que estos plugins no funcionarán más.

Para corregir esto, simplemente añada el siguiente código al archivo .htaccess que se encuentra en su carpeta wp-admin:

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any 
</Files>

Corrección del error 404 y de demasiadas redirecciones

Otros dos errores que puede encontrar son el error 404 y el error de demasiadas redirecciones.

La forma más sencilla de corregirlos es abrir su archivo .htaccess principal situado en el directorio de su sitio web y añadir la siguiente línea de código antes de las reglas de WordPress:

ErrorDocument 401 default

Bonificación: Las mejores guías de WordPress para la seguridad de wp-admin

Esperamos que este artículo te haya ayudado a aprender cómo proteger con contraseña tu directorio de administración de WordPress (wp-admin). Puede que quieras ver más guías sobre cómo hacer que tu área de administrador sea más segura:

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Descargo: Nuestro contenido está apoyado por los lectores. Esto significa que si hace clic en algunos de nuestros enlaces, podemos ganar una comisión. Vea cómo se financia WPBeginner , por qué es importante, y cómo puede apoyarnos. Aquí está nuestro proceso editorial .

Avatar

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

El último kit de herramientas de WordPress

Obtenga acceso GRATUITO a nuestro kit de herramientas - una colección de productos y recursos relacionados con WordPress que todo profesional debería tener!

Reader Interactions

204 comentariosDeja una respuesta

  1. Syed Balkhi

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Rauf

    Sir when i login the popup button appear again and agin asking for enter the username and password

    • demonkoryu

      Edit: I see that your problem isn’t with Disqus comments (facepalm), but it might be applicable in your case anyway.

      This happened to me too.
      a) Clear all cookies (for Disqus and the site where you’re trying to use it)
      b) Try another browser than the one you’re currently using

  3. Thomas

    This isn’t working for me in WordPress 3.9.1. I get a 500 (internal server) error for any admin pages, and the wp-login.php page loads but doesn’t display correctly.

    I’ve added the code for the 404 error to the main .htaccess file, and have added the ajax code to the wp-admin/.htaccess file. No change.

    What might be causing this? Is my server or WordPress install misconfigured somehow?

  4. Abinash Mohanty

    Hi Syed, Thanks for the tips! I tried with Cpanel method and then added the following .htaccess scripts. The modal pop up window was not working previously and I realized that there was another usename, which was assigned for the same purpose in the past. So what I did was removed all previously assigned usernames and added a new one followed by the new password. The modal popup started working like a charm :) Thanks a lot.

  5. David

    Thank you! –
    fixed my redirect loop issue with ErrorDocument 401 default

  6. Guest

    I added the admin-ajax code to my /wp-admin .htaccess file, but that didn’t fix the issue. The All-In-One-Event-Calendar plugin is still not able to access the admin-ajax on the front end.

    Please advise.

    Thank you!

  7. bamajr

    Wouldn’t adding 2-Step Authentication to the WordPress Admin, login process, resolve this? Say, by using Authy (and their associated plugin)!

  8. Chris Christoff

    Hi guys,
    Quick note, admin-ajax.php isn’t the only thing that plugins need access to. You also need to allow non-password protected access to async-upload.php and media-upload.php

    These are used by plugins to allow files to be uploaded on the frontend (like uploading a file during a checkout).

    -Chris

  9. bikramjit singh

    Hi….i m new to wordpress and regular visitor here.I am facing a problem.When I try to login to my wordpress panel,the panel to enter username and password does not come.The site opens itself.My domain is http://www.tradethetechnicals.com.How can settle this issue?

  10. Abinash Mohanty

    Hi Syed Balkhi,
    You made my day! I was getting regular attempts to hack by unknown sources. Thanks for the process, I have fixed mine. It’s better and way easier than wordpress codex :)

  11. Kushal Jayswal

    Hi I am confused!

    If I lock wp-admin directory then registered authors can access “http://site.com/wp-admin” in the browser? Or they also need username and password?

    See on my blog anyone can login directly with Facebook, so in such a case if password and username is mandatory for all users. It will be little complex to handle…

    Any comment?

  12. Phil Alcock

    Thanks for the ajax fix. Added those few lines and it fixed my problem with a plugin. Much easier than the suggestion in the Wordpress Codex.

  13. Inayu Mustikayu

    i follow the manual tutorial and and with 500 error, after trial and error get this work with :
    AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
    changed to just
    AuthUserFile /home/yourdirectory/.htpasswds
    in my small tiny ubuntu apache vps :)

  14. aryan

    hello,

    i use this password method ,
    please help , because this popup windows not open in UCBrowser !!

    so tell me may i make a page ,html page or any kind of page for login ?? i don’t want to show popup ,i want to show a login in page , and other function as same

  15. Chathu

    If I follow cpanel method, are there any way to remove the password?

    Thanks!

  16. Masood

    Thanks for sharing very help full

  17. Arthur

    Wow! at last! The “ErrorDocument 401 default” did the trick. I was loosing my patience with the redirect problem….

    Thank you so much for share that.

  18. James

    Seems to work great except it asks for authentication on our home page not just when accessing wp-admin. Is this possibly another plugin calling a file other than admin-ajax.php?

    • Editorial Staff

      Yup it is very possible that another plugin is calling admin-ajax.php. You should use the fix mentioned above.

      Administrador

  19. Jeffro

    Just wanted to let you know that when I went to manage my subscriptions here on the site via email link, I received the username password prompt. Clicking Cancel allowed me to manage my subscriptions. After selecting and option and clicking save, got the prompt again which clicking cancel also allowed the action to be performed. Just letting you guys know in case you did’nt want that to happen to other people.

  20. Muhammad Ahsan

    shoud I copy the “ErrorDocument 401 default” line in .htaccess file in /wp-admin/.htaccess file ? or any other .htaccess file ?

  21. pankaj

    Hi ,
    As you told i i did but when i open wp-admin directory then i got error like “The page isn’t redirecting properly

    Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

    This problem can sometimes be caused by disabling or refusing to accept
    cookies”.

    Even in google chrome it doesn’t given popup.Can you tell me how to resolve this issue.

    Thanks in Advance.

  22. Ed Emery

    Hi,

    This problem has been going since day one last week when I first installed WP. I just did the step by step How to Password Protect Your WordPress Admin (wp-admin) Directory but same problem! Here is a screen shot of what / who / hacker is going on.

    First this:
    The server sacramentofan.com at WPBeginner Admins Only requires a username and password.

    Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection).

    Then this after trying to login:

    The server sacramentofan.com at WordPress attack protection CAPTCHA. Enter username: e7en4d Password: The result of math 16+4 requires a username and password.

    Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection).

    So how do I stop this as I have tried everything since last Thursday 07-18-2013

    Thanks,

    Ed

    • Editorial Staff

      Too complex of an issue to explain by just hearing about it. Would really have to see what is going on. It seems that some plugin is causing this issue.

      Administrador

  23. David McMahon

    Many thanks for this helpful hint – I’d been wondering why I kept getting the dreaded “request will never complete” message from Firefox, but now I don’t!

  24. Akash Deep Satpathi

    Hi! I followed your tutorial with cPanel but after it I was not able to view my Dashboard. It was saying “This webpage has a redirect loop” on Google Chrome. So, what I am missing?

  25. Meher

    Hi,

    Thank You very much for your article.

    I was trying to add an additional login layer to wp-admin folder and was redirecting to – Too many redirects error -.

    I searched a lot in Google and came across your article. This really helped me solve this issue.

    Thank you once again.

  26. arman

    it works well

    but there is one problem .

    when normal users Login and wants to go to dashboard and change some info like picture profile they must answer this user password too !!

    is there any chance to set this protected folder for only admin or ignore it for normal users dashboard ?

      • ARMAN

        So , If i use this for All users , it means all users must have my USer, password for Protected Folder !!

        so anyone can register and Anyone must have this user , password then any hacker can register as User in my site and get this user & pass !!

        So Protecting Wp-admin is useful for only sites with one Admin or with some Special Users to share this user password …

        • Editorial Staff

          You can create multiple users in .htpswd. You would have to use what is called a group.

  27. fox

    ooohhh men thanks for your help :

    ErrorDocument 401 default

    works perfect !!!!!

  28. Nishant

    Thanks for the tips. I have implemented password protection of Wp-Admin directory and also have added double authentication using Google Authenticator. It seems to work fine.

    I recently migrated to a new host (Bluehost) and set up my Wordpress site.

    I have installed Wordfence security plugin. The configuration of the plugin is such that every time somebody logs in(including myself), I get an email alert. And also, if somebody attempts a login with an invalid username, then it locks out that IP Address for 10 minutes and sends an email notifying me that there has been a failed attempt to login.

    Considering that I have password protected my Wp-admin directory, unless someone knows the user and and password for it, they cannot reach wp-admin or wp-login to attempt a login to my wordpress.

    But last night I got few emails from Wordfence citing that there have been lock out of few IP Addresses for having made failed attempts to logon to Wordpress using invalid usernames (like admin, Admin or nishant). Is it possible to bypass server side password protection of wp-admin directory and make an attempt to logon to Wordpress?

    Nishant

    • Nishant

      Also, I just noticed that…

      When I use the URL directly to wp-login, i am shown the window of server side password for wp-admin directory. But when I click cancel on that password window(2 to 3 times), it displays the wp-login page!

      But when the url is wp-admin, then when clickign cancel it displays “401 Authorization Required
      Invalid login credentials!”

      And the log files showed the invalid attmepts to login were tryign to access wp-login.php directly.

      • Editorial Staff

        Yes wp-login.php is still accessible. But even if they get the right password, they won’t be able to see it. You can also use the same technique and password protect your wp-login.php file individually.

        Administrador

        • Jeffro

          Just what exactly would that code be? I didn’t see an easy way to password specific files in Cpanel.

  29. Bart

    Dear author,

    I am convinced I followed all of your directives, yet still I get the Firefox “endless loop” notification. This is what I did so far:
    – I made a .htpasswds file in /.htpasswds/public_html/wp-admin/passwd (CHMOD 664)
    – I made a .htaccess file with a generated hash / username and put it in /public_html/wp-admin
    – I inserted the line ErrorDocument 401 default before all code into my main .htaccess file in /public_html

    Could you please guide me to solving this problem. My main questions are:

    – you say “make a file called ‘.htpasswds’ “. Is this in fact the correct filename ? I mean, with the s at the end included?
    – exactly what path do I need to specify in my .htaccess file in my /public_html/wp-admin folder? Currently it says “AuthUserFile /.htpasswds/public_html/wp-admin/passwd” I’m not sure I’m doing this part right…

    I’m looking forward to some clarification here…I have been wrestling with this a couple of hours now and I figure it shouldn’t be THAT hard? :-)

    Thank you very much in advance…if you require any more info I’m more than happy to provide it. Kind regards,

    Bart

    • Editorial Staff

      What type of hosting are you on? Do you have a cPanel web host? Can you try using the cPanel method to generate the htpswd file?

      It’s really hard to tell what is going wrong because we wrote down the exact same thing that we did on our site.

      Administrador

  30. zimbrul

    I’d like to ask you guys a question: did it ever happen to you to have admin folder password protected and to be asked for authentication for EVERY post you read on your blog? It does happen with one of my blogs. I was wondering if it’s not better to protect the admin login with Google Authenticator or something similar instead…

    • Editorial Staff

      If you are being asked to authenticate every single time, then one of the two is happening:

      1. You pasted the .htaccess info in your main .htaccess file and not in the .htaccess file in the /wp-admin/ folder.

      2. admin-ajax.php file is being loaded on the front-end. You need to add the rule to prevent that from being password protected. We have mentioned the fix for that.

      Lastly, yes we have 3 layers of protection for our admin. IP match (if that doesn’t match, then the .htaccess password), and then there is Google Authenticator. We also have limit login attempts activated as well.

      Sucuri also does a pretty good job at blocking other attacks.

      Administrador

  31. Anish K.S

    i tried this method, but getting an error ” Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects. ”

    How to fix this ???

      • Anish K.S

        Yes, I fixed It. thanks for the tutorial.

  32. Mathieu Slaedts

    Hi there.

    I try to implement this protection. I tried the two solutions (manual and form the admin panel of my host). In both case, the .htacess is in the wp-admin folder, but the pop-up appears on every page.

    Any idea where does that come from ?

    Thanks

    • Editorial Staff

      That is an unlikely behavior. Without looking at the specific situation, we can’t tell you why it is doing that. We do know that by following this tutorial as it is written, you should be able to make it work. We have it running on WPBeginner.

      Administrador

      • Ollie

        I just had the same problem with the pop-up appearing on almost every page on my wordpress website.

        It turns out that on the pages where it was showing up, a wp-admin resource, in this case something from a plugin, was being pulled in and that seems to have triggered the pop up. I’ve since disabled the plugin and the password pop up no longer shows up on those pages.

        So, I’d open the source and search for wp-admin to see what’s causing the pop up to appear.

        • Editorial Staff

          The most common file that is loaded is admin-ajax.php, and we already covered that. If a plugin is loading another file, then yes you have to account for that.

  33. aditya

    I followed up as you said.
    I protected my wp-admin directory and It’s working for login but the same popup is always coming out while navigating through site ????

    • Editorial Staff

      This means that you have the code in the wrong .htaccess file. You need to create a brand new .htaccess file in your /wp-admin/ folder. It sounds like that you pasted the code in your main .htaccess file.

      Administrador

  34. 20Music

    Hi,
    I followed the suggestion found on your site. I created password from cpanel on the wp-admin folder and it done ok for admin login page but on every link that I click in the website, a popup will appear asking for identification. Everything is alright when I clicked cancel.
    Do you know what is the issue with it?

    I used the ErrorDocument 401 default on main .htaccees too.

    Thanks

    • Editorial Staff

      Can you please verify that the password protect thing is in a separate .htaccess file in your wp-admin folder?

      Administrador

      • Brad LeBlanc

        I tried it and I got no window just a 404 error( too many http directs).
        And I was blocked out of everything until I disabled the password. What gives?

        • Editorial Staff

          Did you do the .htaccess trick we mentioned in the article which fixes the 404 error.

  35. Andrew

    Thanks for the excellent help on wpbeginner!

  36. Ariel

    I edited my .htaccess root file (to put the errordocument rule), and the pop-up worked well, but all my post links gives me a 404 error. I think that is a rewrite rule problem :( Thanks

    • Editorial Staff

      Go to your Settings > Permalinks. Just click save and hopefully that will solve the issue.

      Administrador

      • vic

        the permalink refresh worked! thanks, you saved me from many headaches..!

  37. Tomy

    Really helpful info thanks, I just had a breach apparently, 3 files we added to my Wordpress install. 1into wp-admin, 1 to wp-admin/images and 1 to wp-includes.
    All were php files. One of them had base 64 encoded crap in it.

    Will setup the htaccess in wp-admin, and limit login attempts plugin seems to provide done nice info.

    Oh I was able to notice the files that were added to my install because Wordpress file monitor plugin alerted me.

  38. Mao Shan

    Hi,

    I followed the suggestion found on the internet on how to secure wp-admin folder. I created a .htacess to password protect the folder. However after implementing it, on every link that I click in the website, a popup will appear asking for identification. Everything is alright when I clicked cancel. Do you know what is the issue with it? I want to secure my wp-admin folder but I don’t want the popup on all pages/links. Currently using Mayashop theme and woocommerce plugin only.

    Thanks

    Below is my sample of .htacess

    Order allow,deny
    Allow from all
    Satisfy any

    Order allow,deny
    Allow from all
    Satisfy any

    Order allow,deny
    Allow from all
    Satisfy any

    AuthType Basic
    AuthName “Admin Only”
    AuthUserFile “(myurl)/.htpasswds/public_html/wp-admin/passwd”
    require valid-user

    • Editorial Staff

      If your .htaccess file is in your /wp-admin/ then this shouldn’t happen. Unless you are loading WordPress admin assets on your front-end.

      Administrador

      • Mao Shan

        Well the .htaccess file is in wp-admin folder. I changed the theme back to twentyeleven and everything works fine. Only on the other theme, the authorisation required pops out on all pages/links.

        I added below line and everything seems alright but when I got to url/wp-admin, it shows Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects. What is the reason?

        Files ~ “\.(php)$”
        Order allow,deny
        Allow from all
        Satisfy any
        Files

        • Editorial Staff

          Did you read the part of the article that talks about that error specifically?

        • Mao Shan

          Hi, I manage to solve it after a clean wordpress install. problem is I am now unable to create contact form as it will direct me to error 404 and when i activate xcloner plugin, it also redirect me to error 404.

          Any help?

  39. Sudeep Acharya

    I have password protected wp-admin. But inspite of this someone is able to bruteforce on my blog. What may be the possible reason for this?

    • Editorial Staff

      How do you know that they brute-forced and logged-in to your wp-admin? This sounds really suspicious. Often when this happens, the user has a backdoor in place.

      Administrador

  40. Sudeep Acharya

    I had got too many redirects loop and just adding this code
    ErrorDocument 401 default

    in .httaccess fixed the problem.

    • Ahsan

      Tell me where to put this line… please

  41. ahmedsheeraz

    ErrorDocument 401 default saved my life :)

  42. John RIker

    I use Cpanel and went through how it was to be set up and did that, also the user and passwor.

    However, what I found out after hours of frustration is that the main .htaccess must have this added: ErrorDocument 401 default

    If you add that only to the main .htaccess file it all works. at top before the begin wordpress your world will be much more relaxed. Thats after you set protect directory in cpanel

    Thanks, used you page with a little twiking and its works great.

  43. damian

    I’m getting so discouraged. My site hacked after only 2 days of being up! The amount of steps needed to take to protect the site is overwhelming, and then they still can get in…

    And every “authority” seems to have a different opinion or approach or favorite plugins… my head is spinning…can you please give a basic numbered run down of steps to take to keep from getting hacked…including cpanel, backend wp, and any other things you might think helpful…and hopefully steps that don’t require an A+ cert….thanks man!

    • Editorial Staff

      We really apologize for the experience you have had so far. Speaking from this moment, there are no known security issues in the WordPress core. So if you are using the most up to date version of WordPress, then that is good. Often the security issues are with poorly coded plugin and themes. Before you can secure your site, you have to clean it up. Sometimes, changing your passwords and adding all these measures are not enough. Because the hackers can leave backdoor access files which gives them shell access to your server. We highly recommend that you start using Sucuri and have regular backups.

      https://www.wpbeginner.com/opinion/reasons-why-we-use-sucuri-to-improve-wordpress-security/

      Make sure to keep your plugins and core files updated at all times. Don’t use plugin/themes from untrusted sources. WordPress has become the Windows of our time. Because there are so many sites using it, hackers have the motivation to find the exploits in plugins, themes etc.

      We will work on creating a comprehensive tutorial on security.

      Administrador

  44. bob

    I password protected my wp-admin on my sites but I was still getting lockout notices from lilmit login plugin. How could that be?
    I then noticed if I type in /wp-login.php? instead and then cancel I can get to the login page. Uggggh. Makes me wonder what other workarounds there are that I don’t know of.

  45. Peter

    THE SOLUTION FROM HOSTGATOR
    It appears that a security plugin had added a rewrite to the .htaccess file within wp-admin/ for your account. This was causing the site to redirect to itself causing a redirect loop.

    I have corrected the issue with .htaccess file and your wp-admin login page is loading correctly at this time.

    If you have any other questions or concerns please let us know.

    Sincerely,
    Preston M.
    Linux Systems Administrator
    HostGator.com LLC

  46. Peter

    Had a host gator technician working half an hour on the 404 error issue. He could not resolve it.
    He even removed all rewrite rules in the public_html/.htaccess

  47. Peter

    Still having “Too many redirects” error
    The page isn’t redirecting properly

    Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

    This problem can sometimes be caused by disabling or refusing to accept
    cookies.

    BUT I added:

    “Redirect 301 /tag/tax/ http://snbchf.com/tag/taxes/
    Redirect 301 /tag/interest-rate/ http://snbchf.com/tag/academical/

    Redirect 301 /tag/chf-flows-floor-ubs/ http://snbchf.com
    Redirect 301 /tag/boom/ http://snbchf.com

    RewriteEngine on
    ErrorDocument 401 default”
    to my .htaccess in the public_html directory.
    (tried also to put “ErrorDocument 401 default” at the start)

  48. Ankur

    Its a great way to protect wp-admin directory. I was using it for long time but when I installed commentluv, I had to uninstall it as it was not able to work properly.
    Do you happen to know any workaround ?

  49. mindctrl

    FYI, I’ve seen this break plugins that use ajax on the front end by calling the wp-admin/admin-ajax.php.

    • Editorial Staff

      Yes that is true. We weren’t using any plugin that was making that call. However, you can add an exception for that file in the .htaccess.

      Administrador

  50. Martin

    I am not sure what cpanel does but adding a simple htpasswd will get you the same result.

    • Editorial Staff

      Well, you can add a htpasswd. But you would also have to create a .htaccess rule in wp-admin directory to specify that you are locking the directory. Then specify the user or usergroup that is allowed etc. This basically helps us simplify the process.

      Administrador

    • zimbrul

      The above tutorial is in fact adding security with .htpassword and .htaccess via a user friendly interface in cPanel. After you’ve done the above you’ll notice a .httpassword file has been generated outside your server root (for security reasons) and within the file you’ll find the info you’ve enered as per this tutorial.

  51. Howard

    On every WP site I have, on my very first login after setup, I create another admin account with a name for which I use a formula to construct — and a very strong, computer-generated password. I then long out, and then login to the alternate admin account, and reduce the standard admin username to “no role for this site” and set a computer-generated password that is at least 35 characters long. I don’t bother to save that password anywhere. It’s now only a honeypot.

    Then I install the “limit login attempts” plugin. Any time that gets tripped, I add the offending IP address to my deny list in .htaccess to make sure that IP can’t reach my site.

    I trap 3 or 4 attempts to break into admin every week.

    • Editorial Staff

      Yes we had that too. There comes a point when attacks are bouncing IPs. Banning a huge range of IPs is not a sufficient option. We also had login restricted by IP as well, but that didn’t seem to be doing the job either.

      Administrador

      • Howard

        The “limit login attempts” plugin is pretty good. I have it set to shut off for 100 hours after 4 failed attempts, with the 4th lockout set for 4000 hours. So, even if the perp can dynamically switch IPs, he has to do so every four tries. And with a really long random password, that should take a couple of centuries, and more IP addresses than he is likely to be able to access.

        In the highly unlikely case they crack my “admin” it won’t do them any good anyway. Any time I notice that the scumbag has actually figured out what my real admin name is (only happened once so far), I immediately create a new one, and set the old one to “no role for this site” with a really long randomly-generated password. There are a few other details (e.g., first, I have to change the email address before it will let me create the new admin account with my email), but that pretty much did the trick on that one.

        I really don’t know if this is bulletproof, but I’m hoping the scumbags decide it’s too much work and go pick on a weaker site.

        • zimbrul

          ” Any time I notice that the scumbag has actually figured out what my real admin name is…” can I ask you how did you figure that?

        • Howard

          @zimbrul Sure.

          The limit login attempts plugin tells me which user name is under attack. Usually, it’s “admin” but there was one occasion where I saw my real admin account’s name. So I created a new admin account, and left the old one there, but gutted of any access, and with a ridiculously long password.

          I’m not sure how the perp found the admin account since I assigned it an unrelated “nickname” that appears on postings. I’m guessing there is some file on the server that can be at least partially read by a hacker, and I probably need to research that.

        • Editorial Staff

          Its fairly easy to find the login name. All the person has to do is look at your author URL to know your username. For example this:

          https://www.wpbeginner.com/author/wpbeginner/

          The username would be “wpbeginner”. For most sites that is the case unless ofcourse they have changed the username like shown in this technique:

          https://www.wpbeginner.com/wp-tutorials/how-to-change-your-wordpress-username/

          If you do it like that, then your username will change, but your author URL would not.

    • zimbrul

      Howard, that’s an interesting point; I’ll try to implement that.
      Also I had problems with 404 errors or too many redirects and I didn’t know the fix, thanks for that!
      For some reason, banning the IP address in .htaccess in wp-admin folder is not working for my site zimbrul.co.uk ! I’ve tried to access my site from my mobile phone on 3G and I could get through even the only allowed IP was the home IP.

Deja tu comentario

Gracias por elegir dejar un comentario. Tenga en cuenta que todos los comentarios son moderados de acuerdo con nuestros política de comentarios, y su dirección de correo electrónico NO será publicada. Por favor, NO utilice palabras clave en el campo de nombre. Tengamos una conversación personal y significativa.