Protect wp-admin directory

…how with .htaccess / .htpasswd ?

The “Htaccess/WebDAV-Tool” doesn’t work !

This changes in the .htaccess-file (wp-root dir.) also doesn’t work…

AuthName "Admin-Area"
AuthType Basic
AuthUserFile /xxxx/xxxx/.htpasswd
require valid-user

<FilesMatch “(.htaccess|.htpasswd|wp-config.php|readme.html)”>
order deny,allow
deny from all

Any ideas !?
Thank you !

Are you getting a 404 Error or a Too many redirects error?

Right now… a 404 error !

This post of mine may help. It adds allowed IPs to the equation also, but you can delete that part, and it’s working htaccess code.

Explain me the differences between your and my “.htaccess-Version” !

With the standard WP-.htaccess-file (see below), it can’t be work… you get redirects !

[quote][i]# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

END WordPress[/i][/quote]

LakeRat’s is .htpasswd not .htaccess

Personally I don’t block my wp-admin since if you have Extra Web Security on, we take care of it for you. I prefer to do this:

That prevents random people from banging on my login door.

However even if you DO use .htpasswd to block wp-admin, you need the 401 redirect trick to prevent those 404s from happening.

“we take care of it for you.” - some times ago, DH get hacked… so I don’t trust “Extra Web Security” and I don’t want some hundred login-attempts, with different IPs, to the WP-admin-page.

To be perfectly frank, any site on any server, with any plugin or .htpassword, can STILL be hacked.

You protect wp-admin, and that’s great, but the real risk is your wp-content/plugins and wp-content/themes, where your themes and plugins have files that will always be (for necessity) publicly accessible, and can possibly write to the DB directly.

If you don’t want 100 login attempts, use Extra Web Security. We tied in mod_security to fail2bans to detect how many time people are hitting your login page and block them. Also use the .htaccess rules I suggested, they stop people from being able to login remotely, which means they have to use scripts that are easier for mod_security to catch.