In this guide I will walk you through limiting access to the /wp-admin directory and the wp-login.php script, which will lock down your WordPress website by password protecting it against invalid login attempts.

If you haven't already, I'd suggest checking out my article about the recent WordPress brute force attack, which prompted me to write this article.

Password Protecting the WordPress login:

Using the steps below, I'll show you how to create password protection for your /wp-admin directory, as well as how to copy those rules over to also protect your wp-login.php script.

Please note that it's been reported to us that, in certain cases, following these steps will result in a redirect loop. If you're having that issue, please ensure you have the following two entries at the top of both .htaccess files:

    ErrorDocument 401 "Denied"
    ErrorDocument 403 "Denied"

  1. Log in to cPanel.
  2. Under the Security section, click on Password Protect Directories.
  3. Then, choose the Document Root for your domain, and click Go. Now, click on your wp-admin directory.
  4. Check Password protect this directory, give it a name, then click Save.
    Now, click on Go Back.
  5. Click the Password Generator button, then click the Generate Password button a few times, and copy your password.
    Check I have copied this password in a safe place.
    Then click Use Password.
  6. Now type in a Username, then click on Add/modify authorized user.
  7. Try to access your /wp-admin directory.
    You'll be prompted for the username/password you just created.
    Type them in, and click Log In. Your normal WordPress admin login page should now be displayed.
  8. Now go back to cPanel.
    Under the Files section, click on File Manager.
    Select the Document Root for your domain.
    Check Show Hidden Files (dotfiles), then click Go.
  9. From the left-hand directory listing, expand public_html.
    Click on wp-admin, then right-click on your .htaccess file.
    Then click on Edit.
    For the encoding pop-up, simply click on Edit again to bypass that.
  10. Copy all of the code in the .htaccess file.
  11. From the left-hand directory listing, click on public_html.
    Right-click on your .htaccess file, then click on Edit.
  12. Now paste the .htaccess code you copied, in-between some <FilesMatch> tags, so that it ends up looking like this:

    # Require HTTP Basic authentication before wp-login.php is served
    <FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
    </FilesMatch>

    Then click on Save Changes up at the top-right. Now if someone tries to log in directly via wp-login.php, they will be prompted for a valid user as well.

  13. When invalid credentials are entered, the user will get an Authorization Required error, and will not even be able to attempt to log in to your WordPress admin directly.
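
As a check on the finished file, the following added example (not part of the original guide or of any cPanel tooling) audits the text of the document-root .htaccess for the pieces the steps above produce. The function name `audit_htaccess` and the sample files are constructed for illustration.

```python
import re

def audit_htaccess(text):
    """Return a list of problems in a document-root .htaccess (empty = OK)."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    problems = []
    # Redirect-loop note from the guide: both ErrorDocument entries present.
    for code in ("401", "403"):
        if not any(re.match(rf"ErrorDocument\s+{code}\b", ln, re.I) for ln in lines):
            problems.append(f"no ErrorDocument {code} entry")
    block, found = None, False  # block: directives inside the login block
    for ln in lines:
        opened = re.match(r'<FilesMatch\s+"?([^">]+)"?\s*>', ln, re.I)
        if opened and block is None:
            # FilesMatch takes a regex; Python's re approximates Apache's PCRE.
            if re.search(opened.group(1), "wp-login.php"):
                block, found = {}, True
        elif re.match(r"</FilesMatch\s*>", ln, re.I) and block is not None:
            for key in ("authtype", "authname", "authuserfile"):
                if key not in block:
                    problems.append(f"login block lacks {key}")
            if block.get("require", "").lower() != "valid-user":
                problems.append("login block lacks 'require valid-user'")
            block = None
        elif block is not None:
            name, _, value = ln.partition(" ")
            block[name.lower()] = value.strip()
    if block is not None:
        problems.append("<FilesMatch> block is never closed")
    if not found:
        problems.append("no <FilesMatch> block covers wp-login.php")
    return problems

# Constructed samples; the AuthUserFile path is the guide's example path.
AUTH = '''AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
'''
GOOD = ('ErrorDocument 401 "Denied"\nErrorDocument 403 "Denied"\n'
        '<FilesMatch "wp-login.php">\n' + AUTH + '</FilesMatch>\n')
UNCLOSED = '<FilesMatch "wp-login.php">\n' + AUTH

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("UNCLOSED", UNCLOSED)):
        print(name, audit_htaccess(sample) or "OK")
```

An unclosed `<FilesMatch>` block is worth catching before saving, since Apache rejects an .htaccess file with an unterminated section.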

Congratulations, now you know how to protect your WordPress website from unauthorized login attempts by requiring a username and password before an attempt to log in directly to WordPress is even allowed.



n/a Points
2015-05-07 4:47 am

I am trying to deny access to WP-Login of my WordPress sites, and your instructions are somewhat unclear since there are no FilesMatch tags, and this is all I see:

    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>




12,339 Points
2015-05-07 4:00 pm
Hello Manuel,

Thank you for contacting us. You must create/add the "<FilesMatch>" tags.

I recommend copying them from the example above.

Thank you,
n/a Points
2017-08-04 2:10 pm

It worked like a charm. I just deleted the password protection for public_html. I nearly edited all PHP files in the WordPress installation directory, and now I figured out that the problem comes from cPanel. Thank you so much!
