Passwords

Don’t Use a Password Protection on wp-admin Folder


On the Internet you will find many posts that explain how to protect your back-end with an extra password prompt, using HTTP Basic authentication (an .htpasswd file).

There is a problem

But there is one big problem with that: it breaks all your admin-ajax.php and admin-post.php requests.

In the WordPress Codex you will find a page that explains how to implement AJAX. You’ll read there that admin-ajax.php lives in /wp-admin/.

By password-protecting that directory you also block access to that file, which means all AJAX requests will be broken.

There is a solution

You can do this correctly, but there is only one good way:

# Basic authentication for everything under /wp-admin/
AuthType Basic
AuthName "Protected page"
AuthUserFile /home/.htpasswd

Require valid-user

# Exceptions: "Satisfy any" lets a request through when EITHER the
# host-based rule (Allow from all) OR the password check passes, so the
# files below are reachable without a password. (Order/Allow/Satisfy are
# Apache 2.2 directives; Apache 2.4 needs mod_access_compat for them.)
<Files admin-ajax.php>
  Order allow,deny
  Allow from all
  Satisfy any
</Files>
<Files admin-post.php>
  Order allow,deny
  Allow from all
  Satisfy any
</Files>
# <Files> takes a literal file name or a shell wildcard, not a regular
# expression; a pattern needs <FilesMatch> (or <Files ~ "...">).
<FilesMatch "\.(css|gif|png|js)$">
  Order allow,deny
  Allow from all
  Satisfy any
</FilesMatch>

Doing that, you password-protect your /wp-admin folder but NOT the ajax/post endpoints and static content files like jpg/css/js. This is the way to do it.
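Whether the exceptions really exempt the right files depends on how Apache matches a <Files> section: a plain <Files> argument is a literal name or shell wildcard, while only <FilesMatch> (or <Files ~ "...">) is a regular expression. As an added check, not code from the post or from SecuPress, here is a small Python model of that matching: it reads a constructed copy of the .htaccess rules above, collects the sections that grant access with "Satisfy any" plus "Allow from all" (Apache 2.2 / mod_access_compat semantics; everything else is assumed to fall under the directory-wide Require valid-user), and reports for a few constructed request paths whether a password prompt would appear. The parser is deliberately simplified and handles only these directives.

```python
import fnmatch
import posixpath
import re

# Constructed .htaccess text modelled on the snippet in the post (not taken
# from any live server). The last section deliberately uses <Files> with a
# regular expression, so the audit below shows why it exempts nothing.
HTACCESS = r"""
AuthType Basic
AuthName "Protected page"
AuthUserFile /home/.htpasswd

Require valid-user
<Files admin-ajax.php>
  Order allow,deny
  Allow from all
  Satisfy any
</Files>
<Files admin-post.php>
  Order allow,deny
  Allow from all
  Satisfy any
</Files>
<Files "\.(css|gif|png|js)$">
  Order allow,deny
  Allow from all
  Satisfy any
</Files>
"""

# Same rules with the pattern section corrected to <FilesMatch>.
_head, _, _tail = HTACCESS.replace(
    r'<Files "\.(css|gif|png|js)$">', r'<FilesMatch "\.(css|gif|png|js)$">'
).rpartition("</Files>")
FIXED_HTACCESS = _head + "</FilesMatch>" + _tail

# Matches <Files name>, <Files ~ "regex"> or <FilesMatch "regex"> ... </same>
SECTION_RE = re.compile(
    r'<(Files|FilesMatch)\s+(~\s*)?"?([^">]+?)"?\s*>(.*?)</\1>', re.S)


def parse_exemptions(text):
    """Collect the <Files>/<FilesMatch> sections that bypass the password:
    with Apache 2.2 semantics, 'Satisfy any' plus 'Allow from all' means the
    host rule alone is enough, so Require valid-user is never consulted."""
    exemptions = []
    for kind, tilde, pattern, body in SECTION_RE.findall(text):
        directives = {ln.strip().lower() for ln in body.splitlines() if ln.strip()}
        if not {"satisfy any", "allow from all"} <= directives:
            continue
        if kind == "FilesMatch" or tilde:
            # Regex, tested against the file name with search(), like Apache.
            rx = re.compile(pattern)
            exemptions.append((f"{kind} {pattern!r}",
                               lambda name, rx=rx: rx.search(name) is not None))
        else:
            # Plain <Files>: literal name or shell wildcard (*, ?), NOT a regex.
            exemptions.append((f"Files {pattern!r}",
                               lambda name, pat=pattern: fnmatch.fnmatchcase(name, pat)))
    return exemptions


def requires_auth(path, exemptions):
    """Would a request for this URL path get a Basic-auth challenge?
    Apache matches <Files> sections against the last path segment only, and
    the query string is never part of the file name. Anything no exemption
    covers falls back to the directory-wide Require valid-user."""
    name = posixpath.basename(path.split("?", 1)[0])
    return not any(match(name) for _, match in exemptions)


def audit(htaccess_text, paths):
    """Map each request path to True (password required) or False (open)."""
    exemptions = parse_exemptions(htaccess_text)
    return {p: requires_auth(p, exemptions) for p in paths}


# Constructed sample requests: the two endpoints the post cares about, a
# stylesheet, an image and an ordinary admin page.
SAMPLE_PATHS = [
    "/wp-admin/",
    "/wp-admin/admin-ajax.php?action=heartbeat",
    "/wp-admin/admin-post.php",
    "/wp-admin/css/login.min.css",
    "/wp-admin/images/wordpress-logo.png",
    "/wp-admin/options.php",
]

if __name__ == "__main__":
    for label, text in (("as written (<Files> with a regex)", HTACCESS),
                        ("corrected (<FilesMatch>)", FIXED_HTACCESS)):
        print(f"--- {label}")
        for path, locked in audit(text, SAMPLE_PATHS).items():
            print(f"{'PASSWORD' if locked else 'open    '}  {path}")
```

Run as is, the first table shows admin-ajax.php and admin-post.php open and every static file still behind the password, because the regex inside a plain <Files> never matches a real file name; the second table, with <FilesMatch>, opens the css/gif/png/js files while /wp-admin/ itself and ordinary admin pages stay protected. The same idea can be checked against a live server with curl, looking for a 401 response on /wp-admin/ and a non-401 response on /wp-admin/admin-ajax.php.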

You can use htaccesstools.com to generate your .htpasswd file, then copy it to your server as in the example: /home/.htpasswd.


Now, remember that password protection is NOT the only way to protect your content and files. Our SecuPress plugin will easily help you do that without touching a single line of code.

2 comments

Almost correct. The last bit should be:

Order allow,deny
Allow from all
Satisfy any

The problem is that bots are hammering the admin ajax, consuming CPU? Is it possible to block it from external users but allow it only for plugins? This question stays unanswered on the whole net.
