Protecting the WordPress wp-admin folder

After reading about greywolf’s blog being defaced as well as a few others, I thought I’d tighten up security a little. According to comments by shoemoney, it looks like the vulnerability is exposed by accessing some of the files contained within the /wp-admin folder. This should be fixed with the 2.0.7 WordPress upgrade [2.1 is also now available]; however, let’s add a little extra security with an .htaccess file. This will limit access to this folder by IP address. Any attempt to access any file within this folder from an address not on the list will be greeted with a Forbidden error message.

I placed this file in the /wp-admin folder (DO NOT REPLACE/EDIT THE .htaccess FILE IN THE ROOT FOLDER OF YOUR BLOG):

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic

# Deny everyone first, then allow only the listed addresses (Apache 2.2 syntax)
order deny,allow
deny from all
allow from xx.xx.xx.xx
# add one "allow from" line per additional address (a second author, another office);
# an "allow from" line with no address is a syntax error and will break the folder

Update: Note that this was a temporary fix until the next version of WordPress came out. If you do limit access to your wp-admin folder by IP address, you may have to update the list if your internet provider assigns you a dynamic IP address, you move to another location, or you have authors at other locations.
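As an added example (not the post’s own file), here is a wp-admin .htaccess that expresses the same deny-by-default, allow-by-address policy in both the Apache 2.2 syntax used above and the Apache 2.4 Require syntax, and admits whole provider ranges in CIDR notation for people on dynamic addresses. The addresses are RFC 5737 documentation placeholders, and the admin-ajax.php exception is an assumption about sites whose plugins or themes call that file from public pages.

```apache
# Constructed example for /wp-admin/.htaccess (do not put this in the blog root).
# 203.0.113.10 and 198.51.100.0/24 are placeholder addresses; substitute your own.

# Apache 2.4: mod_authz_core is present, so use Require. Several Require ip
# lines in a directory context are OR'ed, so any listed address or range is admitted.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
    # Assumption: a plugin or theme calls wp-admin/admin-ajax.php from public
    # pages; without this exception those requests would get 403 for visitors.
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>

# Apache 2.2: the same policy in the older Order/Deny/Allow syntax.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
    </Files>
</IfModule>

# Every other file under wp-admin returns 403 Forbidden to unlisted addresses.
```

After saving the file, request wp-admin from an address that is not on the list and confirm you get 403 rather than the login page; a 500 instead means a syntax error in the file.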

You may also want to check out Michael’s Login Lockdown plugin, which will stop attackers trying to brute force their way in. Failed login attempts are recorded and, after a set number of failed logins, it blocks the IP range for 1 hour by default.

About reuben: SEO consultant from Columbus OH.


  1. Jason: the file needs to be named “.htaccess” without the quote marks. It prevents hackers trying to get into your WordPress administration area by only allowing access to the listed IP addresses. This was really intended as an emergency/temporary solution when someone found a WordPress exploit, however, if you’re running the latest version you should be safe from that particular issue.

  2. I’ve read the comments of Matt Cutts about WordPress – he says that keeping the .htaccess file in the root directory is unsafe. How can it be moved to the /wp-admin/ directory?

  3. WordPress uses its own .htaccess in the root of the blog – do not edit or move that file.

    The tips here are to create a new .htaccess file and store it in the wp-admin folder.

    Do not edit or overwrite the .htaccess file in the root of your blog as you may completely break your blog.

  4. You know, I am trying to do that but for some reason I am getting the right path… I am trying to protect my admin panel… I have read many .htaccess guides but still, for some reason, not successful.

    I don’t know how to go about doing it.

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Example Access Control"
    AuthType Basic

    order deny,allow
    deny from all
    allow from xx.xx.xx.xx
    # the trailing "allow from" line with no address has been commented out; it is a syntax error

    Also, with your IP method, if they have a dynamic IP how would you go about doing that?

  5. Reubenyau

    I’m using a hosting plan that allows multiple domains. The problem I’m having is this .htaccess isn’t working on this particular plan; I’m guessing it’s something to do with the dev/null/ maybe.

    It works on single domain plans though, as I’ve tested it.

    Please get back to me, I need to protect my sites.

  6. I cannot emphasise enough how important it is to protect your admin directory. Given this post relates to version 2.1, don’t think the latest version (2.7) should take care of this security issue. WordPress is pretty good out of the box but additional protection in the form of an .htaccess file is a must have no matter what version you are using.

  7. Thanks for the tips on how to fix this issue with WordPress. Till they launch their updated version this can keep things under control.

  8. I used the code below to protect wp-admin. Now all users who go to the main page are being prompted for the “WordPress Admin Access Control” password rather than the password assigned to their subscriber accounts. If they hit cancel several times, the login page that uses the subscriber info appears. Any ideas?

    AuthName "WordPress Admin Access Control"
    AuthType Basic
    AuthUserFile /homepages/**/********/htdocs/.htpasswd
    order deny,allow
    deny from all
    require valid-user
    # whitelist *****s IP address
    allow from **.**.***.***
    Satisfy Any

  9. I’ve created a small script which helps people without a fixed IP to get all network ranges of their provider. The output can be directly added to the .htaccess file. Here in Germany the script works well for bigger providers, I don’t know if it works in other countries. But I assume it does.

    The output of the perl script looks like:

    allow from XXX.X.XXX.0/24
    allow from XXX.X.XXX.0/24

    The script and some more explanation are available from:

    You only need to replace the netname within the script. The page describes how to find out the dial-in netname of your provider.

    I hope it’s useful.

    Greetings from Germany,
