New Feature: Playlist Center! Pick a topic and let our playlists guide the way.

Easy-to-follow video tutorials help you learn software, creative, and business skills.Become a member

Protecting the admin directory

From: WordPress 3: Developing Secure Sites

Video: Protecting the admin directory

In this screencast, we improve security by preventing unwanted access to the WordPress Admin directory. We do this using a small slice of htaccess code, which provides strong, flexible protection against malicious behavior. Here we are in our FTP/file editor, looking at the files in our default WordPress installation. Here is the directory that we want to protect, wp-admin, mostly because it contains a plethora of sensitive functionality.

Protecting the admin directory

In this screencast, we improve security by preventing unwanted access to the WordPress Admin directory. We do this using a small slice of htaccess code, which provides strong, flexible protection against malicious behavior. Here we are in our FTP/file editor, looking at the files in our default WordPress installation. Here is the directory that we want to protect, wp-admin, mostly because it contains a plethora of sensitive functionality.

To secure this directory, grab a copy of the blank htaccess file included in the resource files with this screencast and paste it into this wp-admin directory, as seen here. Next, open the file and then copy and paste the following code, which is also included with this screencast. Before uploading the htaccess file, we want to edit the IP address in the Allow from line to match our own.

Your IP information is readily available online, so just do a quick search for 'what's my IP?' and then click on one of the results. Go ahead and copy, return to the htaccess file, and paste that IP address into place, like so. Then save and upload the file to your server. And now, with that, all requests that are not from my IP address are going to be denied access to anything in the Admin area.

To see this, let's visit the site from a proxy server. There are many available online. Just do a quick search for proxy and pick your favorite. Here is a random 'proxy' that seems to be working. So let's try accessing our wp-admin directory by entering our URL in the Web Address field. Click on the Go button to see the results. Here at the top, we see that the remote server has returned a (403) Forbidden error, which is just what we want.

That means that we were denied access to the Admin area, so the htaccess protection that we uploaded here is working great. But do we still have access from our own address? Let's check by requesting the same page from our whitelisted IP address and sure enough, here is the Login page for our Admin area. We do have access. We're all set now, but there are a couple of things to keep in mind. First, if you aren't able to work with htaccess files, you may want to check with your web host.

On most setups these days, it's pretty easy to password-protect directories from your server control panel. And lastly, you can always add other IP addresses and allow access, like so. Simply copy and replicate the line and replace the IP address with any IP address, such as a mobile device or a different computer from which you would like to access the Admin area. Whatever it is, enter the IP address there and then upload to your server.

You may replicate this pattern as many times as necessary to account for as many IP addresses as you would like. In this screencast, we better secured the WordPress Admin area by protecting the files in the WordPress Admin directory, which is a very critical part of any WordPress site.

Show transcript

This video is part of

Image for WordPress 3: Developing Secure Sites
WordPress 3: Developing Secure Sites

36 video lessons · 11192 viewers

Jeff Starr
Author

 

Start learning today

Get unlimited access to all courses for just $25/month.

Become a member
Sometimes @lynda teaches me how to use a program and sometimes Lynda.com changes my life forever. @JosefShutter
@lynda lynda.com is an absolute life saver when it comes to learning todays software. Definitely recommend it! #higherlearning @Michael_Caraway
@lynda The best thing online! Your database of courses is great! To the mark and very helpful. Thanks! @ru22more
Got to create something yesterday I never thought I could do. #thanks @lynda @Ngventurella
I really do love @lynda as a learning platform. Never stop learning and developing, it’s probably our greatest gift as a species! @soundslikedavid
@lynda just subscribed to lynda.com all I can say its brilliant join now trust me @ButchSamurai
@lynda is an awesome resource. The membership is priceless if you take advantage of it. @diabetic_techie
One of the best decision I made this year. Buy a 1yr subscription to @lynda @cybercaptive
guys lynda.com (@lynda) is the best. So far I’ve learned Java, principles of OO programming, and now learning about MS project @lucasmitchell
Signed back up to @lynda dot com. I’ve missed it!! Proper geeking out right now! #timetolearn #geek @JayGodbold

Are you sure you want to delete this note?

No

Thanks for signing up.

We’ll send you a confirmation email shortly.


Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

   
submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.