Protecting the WordPress wp-admin folder

January 16, 2007 by reuben | Filed under Wordpress.

After reading about greywolf’s blog being defaced as well as a few others, I thought I’d tighten up security a little. According to comments by shoemoney, it looks like the vulnerability is exposed by accessing some of the files contained within the /wp-admin folder. This should be fixed with the 2.0.7 WordPress upgrade [2.1 is also now available]; however, let’s add a little extra security with an .htaccess file that limits access to this folder by IP address. Any attempt to access any file within this folder from an address not on the list will be greeted with a Forbidden error message.

I placed this file in the /wp-admin folder (DO NOT REPLACE/EDIT THE .htaccess FILE IN THE ROOT FOLDER OF YOUR BLOG)

# The Auth* lines are authentication settings; without a Require directive they enforce nothing.
# The IP allow list below is what actually restricts access.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic

# Deny rules are evaluated first, then Allow rules: everything is denied except the listed addresses
order deny,allow
deny from all
# Replace with the IP addresses you administer the blog from
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx
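To see how Apache's mod_access decides a request under this configuration, here is an added Python model (not code from the post): it parses the Order/Deny/Allow directives and answers whether a client address is admitted. The addresses are constructed documentation values standing in for xx.xx.xx.xx, and the model goes slightly beyond the post by showing that the same lines with the Order reversed to allow,deny lock everyone out.

```python
import ipaddress

# Constructed copy of the post's allow list with documentation addresses in place of xx.xx.xx.xx;
# the Auth* lines are omitted here because they concern authentication, not the IP check.
WP_ADMIN_HTACCESS = """
order deny,allow
deny from all
allow from 203.0.113.5
allow from 198.51.100.0/24
"""
# Same lines with the Order reversed: under allow,deny the "deny from all" has the last word.
REVERSED_ORDER = WP_ADMIN_HTACCESS.replace("order deny,allow", "order allow,deny")

def _matches(client, pattern):
    """One 'from' argument: all, a CIDR block, a full address, or a partial prefix such as 10.1."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return client in ipaddress.ip_network(pattern, strict=False)
    try:
        return client == ipaddress.ip_address(pattern)
    except ValueError:
        return str(client).startswith(pattern.rstrip(".") + ".")

def parse_access_rules(htaccess):
    """Collect the Order, Allow and Deny directives; comments and other directives are ignored."""
    order, allows, denies = "deny,allow", [], []
    for raw in htaccess.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) > 1 and parts[0].lower() == "order":
            order = parts[1].lower()
        elif len(parts) > 2 and parts[0].lower() in ("allow", "deny") and parts[1].lower() == "from":
            (allows if parts[0].lower() == "allow" else denies).extend(parts[2:])
    return order, allows, denies

def is_allowed(htaccess, client_ip):
    """mod_access decision: deny,allow admits unless denied and not re-allowed (Allow is evaluated
    last); allow,deny admits only hosts that are allowed and not denied (Deny is evaluated last)."""
    order, allows, denies = parse_access_rules(htaccess)
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(client, p) for p in allows)
    denied = any(_matches(client, p) for p in denies)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)
```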

Update: Note that this was a temporary fix until the next version of WordPress came out. If you do limit access to your wp-admin folder by IP address, you may have to update the list if your internet provider assigns you a dynamic IP address, you move to another location, or you have authors at other locations.

You may also want to check out Michael’s Login Lockdown plugin, which will stop attackers from brute-forcing their way in. Failed login attempts are recorded and, after a set number of failed logins, it blocks an IP range for 1 hour by default.
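The lockout behaviour described above, as an added Python model that is not the plugin's code: failed logins are counted per /24 (the plugin blocks a range, not a single address) and the range is locked for one hour once a threshold is reached. The threshold of three failures and the five-minute counting window are assumed values, and the addresses in the comments are constructed.

```python
import ipaddress
from collections import defaultdict

class LoginLockdown:
    """Counts failed logins per /24 and locks that range out once the threshold is reached.

    The 3600 s lockout follows the plugin's one-hour default; the failure threshold and the
    window in which failures are counted are assumed values, not the plugin's settings."""

    def __init__(self, max_failures=3, window_seconds=300, lockout_seconds=3600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.failures = defaultdict(list)  # /24 -> timestamps of recent failed logins
        self.locked_until = {}             # /24 -> time at which the lock expires

    @staticmethod
    def range_of(ip):
        """The /24 an address belongs to, e.g. 192.0.2.10 -> 192.0.2.0/24 (constructed example)."""
        return ipaddress.ip_network(f"{ip}/24", strict=False)

    def is_locked(self, ip, now):
        """True while the client's range is inside its lockout period."""
        until = self.locked_until.get(self.range_of(ip))
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Log a failed login; returns True if this failure triggered a lockout."""
        rng = self.range_of(ip)
        recent = [t for t in self.failures[rng] if now - t < self.window] + [now]
        if len(recent) >= self.max_failures:
            self.locked_until[rng] = now + self.lockout
            self.failures[rng] = []        # counter resets once the range is blocked
            return True
        self.failures[rng] = recent
        return False

    def allow_login_attempt(self, ip, now):
        """Gate to run before the password is checked: locked ranges never reach the login form."""
        return not self.is_locked(ip, now)
```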


75 Responses to “Protecting the WordPress wp-admin folder”

  1. [...] Update: Be sure to look at a post from Reuben Yau on Protecting the WordPress wp-admin folder with htaccess. You are putting that file in the WP-Admin folder not the root folder. [...]

  2. jason says:

    What do I name the file and what does this do exactly for the wp-admin folder??

  3. reuben says:

    Jason: the file needs to be named “.htaccess” without the quote marks. It prevents hackers trying to get into your WordPress administration area by only allowing access to the listed IP addresses. This was really intended as an emergency/temporary solution when someone found a WordPress exploit, however, if you’re running the latest version you should be safe from that particular issue.

  4. Hey Guys,

    Nice tips, I will launch a blog based at my site… I will apply some of…

    Take care…

  5. Superwinch says:

    Great article and useful, tnx dude.

  6. [...] Put .htaccess in /wp-admin/ He points to this article of Protecting the WordPress wp-admin folder. This will limit access to this folder by IP address and attempts at accessing any file within this [...]

  7. [...] is the most drastic measure you can take. i.e. to block access to the wp-admin directory using htaccess. But this will work only if you browse the net with a Static IP address. Also this [...]

  8. said says:

    I’ve read the comments of Matt Cutts about WordPress – he says that keeping the .htaccess file in the root directory is unsafe. How can it be moved to the /wp-admin/ directory?

  9. reuben says:

    said

    WordPress uses its own .htaccess in the root of the blog – do not edit or move that file.

    The tips here are to create a new .htaccess file and store it in the wp-admin folder.

    Do not edit or overwrite the .htaccess file in the root of your blog as you may completely break your blog.

  10. [...] may also want to block access to the wp-admin folder via a .htaccess file, as described by Reuben Yau. If you are denying access based on IP Address, make sure you list at least one IP Address that [...]

  11. [...] reading about this on digg a while back and sure enough after a bit of browsing i came across this article which has 800 diggs. Notice the date; Jan 16th ‘07.. i was back from barcelona on the [...]

  12. [...] with the wp-admin folder. So for extra tight security Reuben Yau gives a method to Protect the WordPress wp-admin folder. However if the computer you access your blog from has a dynamic IP address assigned by your ISP [...]

  13. [...] wp-admin folder using .htaccess – There is an article written Reuben that talks about how you can protect your WordPress admin folder by allowing access to it from a defined set of IP addresses. Everything else will bring up a [...]

  14. Tracy says:

    That is actually good advice reuben, god I wish I would have known that a few months ago, it would have saved me some pain.

  15. I am wondering how to separate wp-admin and place it in another server instead being on one server with the display.

  16. [...] As Matt recommends, lock down your wp-admin directory using this. He uses an .htaccess to block all but a few IP addresses, but there are other ways to do this as well. Here’s [...]

  17. [...] Limit access to wp-admin folder by IP address- This solution is to restrict which IP’s can access the wp-admin folder via .htaccess. This has one drawback is you may have to update your .htaccess folder if your internet provider assigns you a dynamic IP address, you move to another location or you have authors at other locations. [...]

  18. mysticc says:

    You know I am trying to do that but for some reason I am getting the right path… I am trying to protect my admin panel… I have read many htaccess posts but still for some reason not successful

    I don’t know how to go about doing it

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Example Access Control"
    AuthType Basic

    order deny,allow
    deny from all
    allow from xx.xx.xx.xx
    allow from xx.xx.xxx.xx

    Also with your method with IP, if they have a dynamic IP, how would you go about doing that?

  19. [...] Plug-in pages: Limit access to wp-admin folder by IP address [...]

  20. [...] Limit access to wp-admin by IP – this solution serves to limit which IPs can access the wp-admin folder of your WordPress blog via “.htaccess”. For more information… [...]

  21. [...] http://www.reubenyau.com/ Disclaimer: Brad Blogging is not responsible for, and expressly disclaims all liability for, [...]

  22. [...] to Matt, Reuben and my buddy ShoeMoney I also got a lot of assistance from David Geere from the awesome [...]

  23. [...] Limit access to the WP-ADMIN folder This solution is to restrict access to the folder to only specific IP addresses using a .htaccess file. I recommend this for the more advanced user and should only be used if you know for a fact that you have a static IP address. Otherwise, you risk locking yourself out of your own WP-ADMIN folder. Most users will probably have a dynamic IP address that changes frequently, so this modification may not be suitable. [...]

  25. BOB says:

    Reubenyau

    I’m using a hosting plan that allows multiple domains. The problem I’m having is this htaccess isn’t working on this particular plan; I’m guessing it’s something to do with the dev/null/ maybe

    It works on single domain plans though, as I’ve tested it

    Please get back to me, I need to protect my sites.

  26. I cannot emphasise enough how important it is to protect your admin directory. Given this post relates to version 2.1, I don’t think the latest version (2.7) should take care of this security issue. WordPress is pretty good out of the box but additional protection in the form of an htaccess file is a must have no matter what version you are using.

  27. [...] Source: Protecting the WordPress wp-admin folder [...]

  28. [...] Deny access to the WordPress admin folder by ip address. You can read more about this method over on Reuben Yaus post Protecting the WordPress wp-admin folder. [...]

  30. [...] this post is on this site and this article. Enjoy [...]

  32. Lyndon says:

    Thanks for the tips on how to fix this issue with wordpress. Till they launch their updated version this can keep things under control.

  34. joe says:

    I used the code below to protect wp-admin. Now all users who go to the main page are being prompted for the “WordPress Admin Access Control” password rather than the password assigned to their subscriber accounts. If they hit cancel several times, the login page that uses the subscriber info appears. Any ideas?

    AuthName "WordPress Admin Access Control"
    AuthType Basic
    AuthUserFile /homepages/**/********/htdocs/.htpasswd
    order deny,allow
    deny from all
    require valid-user
    # whitelist *****s IP address
    allow from **.**.***.***
    Satisfy Any

  35. [...] from all For more refer to Apache’s documentation on mod_access to see the example: Protecting The WordPress wp-admin Folder Alternate Solution through user and password combination: There is another way to protect wp-admin [...]

  36. [...] Create a htaccess file in ./wp-admin – Here’s a good post by Reuben Yau with instructions -> http://www.reubenyau.com/protecting-the-wordpress-wp-admin-folder/ [...]

  42. [...] Defend your wp-admin folder 1). Restrict access to the wp-admin folder by IP address [...]

  43. [...] Plenty of methods exist for preventing access to these files, but IMO they are all overly complex, annoying, or [...]

  45. [...] Protecting the WordPress wp-admin folder [...]

  46. [...] a certain set of IPs. To do this, you need to create an htaccess file like the following in the root directory of your WordPress blog [...]

  47. [...] GET>order deny,allowdeny from allallow from xx.xx.xx.xx</LIMIT>Reference: Protecting the WordPress wp-admin folder10. [...]

  48. [...] Reference: Protecting the WordPress wp-admin folder [...]

  50. [...] Plugin page: Limit access to wp-admin folder by IP address [...]

  56. Very good post, awesome read, thanks

  58. Super tips man. This will help me secure my blog more.

    Can also use wordpress secure connection plugin.

  59. Harry says:

    I’ve created a small script which helps people without a fixed IP to get all the network ranges of their provider. The output can be added directly to the .htaccess file. Here in Germany the script works well for the bigger providers; I don’t know if it works in other countries, but I assume it does.

    The output of the perl script looks like:

    allow from XXX.X.XXX.0/24
    allow from XXX.X.XXX.0/24
    ….

    The script and some more explanation is available from:

    http://technitip.net/2010/08/how-do-you-protect-your-blog-from-hackers/

    You only need to replace the netname within the script. The page describes how to find out the dial-in netname of your provider.

    I hope it’s useful.

    Greetings from Germany,
    Harry

  62. victoria says:

    So if I have wp 3.0 or above is any of this necessary?

  64. Very useful tip! Thanks +1

  65. Rachel says:

    I’ve just used this because WordPress apparently still has security holes.

  66. This is a little difficult for people with a dynamic IP address. Login Lockdown seems better.