Password-protect Your WordPress wp-admin Folder

How to Password Protect Your WordPress Admin (wp-admin) Directory

With WordPress being the most widely used CMS on the internet, its wp-login.php and wp-admin pages are frequent targets of automated attacks, brute-force attempts and bots. Adding a second layer of authentication significantly reduces the risk of compromise by blocking these attacks before they even reach WordPress.

This guide shows you how to add an additional password prompt to your /wp-admin/ directory using cPanel’s built-in tools.


1. Open the Directory Privacy Tool in cPanel

Log in to your cPanel account and scroll to the Security section. Click:

Directory Privacy (previously called “Password Protect Directories”).


When the popup asks which directory to open, choose Web Root. Navigate to the folder where your WordPress installation is located, then click on:

/wp-admin/

You will now see the Directory Privacy security settings screen for that folder.

2. Enable Password Protection

To activate protection:

  1. Tick the checkbox labelled "Password protect this directory".
  2. Enter a name for the protected folder (e.g., WP Admin Security).
  3. Click Save.

Now create a username and password that will be required before anyone can enter the /wp-admin/ area:

  1. Click Add User.
  2. Choose a username and secure password.
  3. Save the new credentials.

From now on, visiting /wp-admin/ will show an "Authentication Required" login prompt before loading WordPress.

3. Fixing Common Errors (404, Redirect Loops, “Page Isn’t Redirecting Properly”)

Some servers may encounter redirect conflicts when /wp-admin is password protected. If you see:

  • 404 Not Found
  • Too many redirects
  • The page isn’t redirecting properly

Add the following line to the top of your main WordPress .htaccess file (above the WordPress rules):

ErrorDocument 401 default

This stops Apache from redirecting to a custom error page and resolves most authentication loops.


4. Fixing the Admin Ajax Issue

Password protecting /wp-admin/ can break front-end AJAX functionality, because admin-ajax.php lives inside the protected directory. Plugins and themes that rely on AJAX may stop working.

To fix this, edit the .htaccess file inside your /wp-admin/ folder ONLY (not the main one):

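# Exempt admin-ajax.php from the directory password so front-end AJAX keeps working.
# Order/Allow/Satisfy are Apache 2.2-style directives; on Apache 2.4 they need mod_access_compat.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>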

This allows AJAX requests to bypass the directory authentication while keeping wp-admin secure.
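
To confirm the result of steps 2 to 4 from outside the server, the following added example (not part of the original article) sends requests without credentials and checks that /wp-admin/ answers with a 401 password challenge while admin-ajax.php does not. The function names and the site URL passed on the command line are assumptions made for this example.

```python
"""Confirm /wp-admin/ asks for a password while admin-ajax.php stays reachable."""
import sys
import urllib.error
import urllib.request

# Expected result for a request that sends no credentials.
EXPECTED = {"/wp-admin/": "protected", "/wp-admin/admin-ajax.php": "open"}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def classify(status, headers):
    """Map one response to 'protected', 'redirect', 'not-found' or 'open'."""
    names = {name.lower() for name in headers}
    if status == 401 and "www-authenticate" in names:
        return "protected"  # the server's own password challenge
    if status in (301, 302, 303, 307, 308):
        return "redirect"
    return "not-found" if status == 404 else "open"

def verdict(path, status, headers):
    """Compare an unauthenticated response with EXPECTED; return (ok, note)."""
    seen, want = classify(status, headers), EXPECTED[path]
    if seen == want:
        return True, f"{seen}, as intended"
    if want == "protected":
        hint = "directory privacy is off, or the step 3 ErrorDocument line is missing"
    else:
        hint = "the step 4 <Files admin-ajax.php> block is not taking effect"
    return False, f"got '{seen}', wanted '{want}': {hint}"

def probe(base_url, path, timeout=10):
    """Fetch base_url + path without credentials; return (status, headers)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, dict(err.headers)

if __name__ == "__main__":
    base = sys.argv[1]  # your own site URL, e.g. https://example.com (placeholder)
    for path in EXPECTED:
        status, headers = probe(base, path)
        ok, note = verdict(path, status, headers)
        print(f"{'PASS' if ok else 'FAIL'} {path} HTTP {status}: {note}")
```

If WordPress is installed in a subfolder, include that folder in the URL you pass to the script.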


5. Your WordPress Admin Is Now Double Protected

With directory authentication enabled, attackers and bots can’t even reach wp-login.php or your WordPress login form. This dramatically reduces login attempts and server load.

You should also enable two-factor authentication inside WordPress for maximum security.

