Protecting the WordPress wp-admin folder

After reading about greywolf’s blog being defaced as well as a few others, I thought I’d tighten up security a little. According to comments by shoemoney, it looks like the vulnerability is exposed by accessing some of the files contained within the /wp-admin folder. This should be fixed with the 2.0.7 WordPress upgrade [2.1 is also now available]; however, let’s add a little extra security with an .htaccess file. This will limit access to this folder by IP address. Any attempt at accessing any file within this folder from a non-listed address will be greeted with a Forbidden error message.

I placed this file in the /wp-admin folder (DO NOT REPLACE/EDIT THE .htaccess FILE IN THE ROOT FOLDER OF YOUR BLOG).

# Placeholder auth settings: no user or group file is defined, so only the IP rules below decide access
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic

# Deny everyone, then allow only the listed addresses (replace xx.xx.xx.xx with your own IP)
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx

Update: Note that this was a temporary fix until the next version of WordPress came out. If you do limit access to your wp-admin folder by IP address, you may have to update it if your internet provider assigns you a dynamic IP address, you move to another location, or you have authors at other locations.

You may also want to check out Michael’s Login Lockdown plugin, which will stop attackers trying to brute-force their way in. Failed login attempts are recorded and, after a set number of failed logins, it blocks an IP range for 1 hour by default.
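Before relying on an IP allowlist, it helps to check what Apache would actually answer for a given client address. The following is an added example (not from the post or from WordPress): a small evaluator for the Apache 2.2 host-access directives used here (order, deny/allow from, require valid-user, Satisfy), which returns the status code a client would get. The `evaluate` and `_matches` helpers and the documentation-range IPs are assumptions of this example.

```python
import ipaddress

def _matches(rule, ip):
    # One "allow/deny from" argument: all, CIDR, partial address or full address
    if rule == "all":
        return True
    if "/" in rule:                              # CIDR, e.g. 198.51.100.0/24
        return ip in ipaddress.ip_network(rule, strict=False)
    if rule.count(".") < 3:                      # partial, e.g. "203.0" or "203.0."
        return str(ip).startswith(rule.rstrip(".") + ".")
    return ip == ipaddress.ip_address(rule)

def evaluate(htaccess, client_ip, authenticated=False):
    """Status Apache 2.2 (or 2.4 mod_access_compat) would send: 200, 401 or 403."""
    ip = ipaddress.ip_address(client_ip)
    order, satisfy, require_user = "deny,allow", "all", False
    allowed = denied = False
    for raw in htaccess.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, arg = line.replace("\t", " ").partition(" ")
        key, arg = key.lower(), arg.strip().lower()
        if key == "order":
            order = arg.replace(" ", "")
        elif key == "satisfy":
            satisfy = arg
        elif key == "require":                   # e.g. "require valid-user"
            require_user = True
        elif key in ("deny", "allow") and arg.startswith("from "):
            hit = any(_matches(r, ip) for r in arg[5:].split())
            if key == "deny":
                denied = denied or hit
            else:
                allowed = allowed or hit
    if order == "deny,allow":    # allow overrides deny; unmatched clients pass
        host_ok = allowed or not denied
    else:                        # allow,deny: deny overrides; unmatched clients fail
        host_ok = allowed and not denied
    if satisfy == "any" and require_user:
        # Either check suffices; a non-listed IP without credentials is challenged
        # (401 -> password prompt) instead of refused outright (403)
        return 200 if (host_ok or authenticated) else 401
    if not host_ok:
        return 403
    return 200 if (authenticated or not require_user) else 401

# Constructed sample: the post's rules with documentation-range addresses filled in
WP_ADMIN_HTACCESS = "order deny,allow\ndeny from all\nallow from 203.0.113.10\nallow from 198.51.100.0/24\n"
```

Run `evaluate(WP_ADMIN_HTACCESS, "<your current IP>")` before uploading the file; a 403 means you would lock yourself out.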

75 thoughts on “Protecting the WordPress wp-admin folder”

  1. Jason: the file needs to be named “.htaccess” without the quote marks. It prevents hackers trying to get into your WordPress administration area by only allowing access to the listed IP addresses. This was really intended as an emergency/temporary solution when someone found a WordPress exploit, however, if you’re running the latest version you should be safe from that particular issue.

  2. I’ve read the comments of Matt Cutts about WordPress – he says that keeping the .htaccess file in the root directory is unsafe. How can it be moved to the /wp-admin/ directory?

  3.

    WordPress uses its own .htaccess in the root of the blog – do not edit or move that file.

    The tips here are to create a new .htaccess file and store it in the wp-admin folder.

    Do not edit or overwrite the .htaccess file in the root of your blog as you may completely break your blog.

  4. You know, I am trying to do that but for some reason I am getting the right path… I am trying to protect my admin panel… I have read many htaccess but still for some reason not successful.

    I don’t know how to go about doing it.

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Example Access Control"
    AuthType Basic

    order deny,allow
    deny from all
    allow from xx.xx.xx.xx
    allow from xx.xx.xxx.xx

    Also, with your method with IP, if they have a dynamic IP how would you go about doing that?

  5. Reubenyau

    I’m using a hosting plan that allows multiple domains. The problem I’m having is this htaccess isn’t working on this particular plan; I’m guessing it’s something to do with the dev/null/ maybe.

    It works on single domain plans though, as I’ve tested it.

    Please get back to me, I need to protect my sites.

  6. I cannot emphasise enough how important it is to protect your admin directory. Given this post relates to version 2.1, don’t think the latest version (2.7) should take care of this security issue. WordPress is pretty good out of the box, but additional protection in the form of an htaccess file is a must have no matter what version you are using.

  7. Thanks for the tips on how to fix this issue with WordPress. Till they launch their updated version, this can keep things under control.

  8. I used the code below to protect wp-admin. Now all users who go to the main page are being prompted for the “WordPress Admin Access Control” password rather than the password assigned to their subscriber accounts. If they hit cancel several times, the login page that uses the subscriber info appears. Any ideas?

    AuthName "WordPress Admin Access Control"
    AuthType Basic
    AuthUserFile /homepages/**/********/htdocs/.htpasswd
    order deny,allow
    deny from all
    require valid-user
    # whitelist *****s IP address
    allow from **.**.***.***
    Satisfy Any

  9. I’ve created a small script which helps people without a fixed IP to get all network ranges of their provider. The output can be added directly to the .htaccess file. Here in Germany the script works well for bigger providers; I don’t know if it works in other countries, but I assume it does.

    The output of the Perl script looks like:

    allow from XXX.X.XXX.0/24
    allow from XXX.X.XXX.0/24
    ….

    The script and some more explanation are available from:

    http://technitip.net/2010/08/how-do-you-protect-your-blog-from-hackers/

    You only need to replace the netname within the script. The page describes how to find out the dial-in netname of your provider.

    I hope it’s useful.

    Greetings from Germany,
    Harry