Can't log in after password protecting admin directory (3 posts)

  1. sidmartin
    Member
    Posted 2 years ago #

    Hi friends,

    I am a newbie and know very little on this topic... I know that I need to protect my site using the .htaccess file... fortunately my host supports the password protect feature for directories.

    The problem started when I used the password protect feature from the control panel (that automatically creates the htaccess file and htpasswd file in those folders) and changed my admin directory into protected mode... since then I am not able to see the log-in page of my WordPress site and can't access the admin area... I get an error

    "This is somewhat embarrassing, isn't it? It seems we can't find what you're looking for, searching below might help"

    This happens as long as the admin directory is kept protected, and works fine whenever I remove the protection using the cPanel.

    I contacted my host and they asked me to remove the code from the .htaccess file in the admin folder... but that didn't help (of course!!)... I told them that wasn't an issue and they gave up... referring me to WordPress.

    Hope I get the solution here.
    Thanks in advance

  2. simplybest10
    Member
    Posted 1 year ago #

    I have the same problem with my site http://www.simplybest10.com/ and after that I removed the admin folder protection.

  3. gholem
    Member
    Posted 1 year ago #

    He, some hosting providers tend to do that, blame it on WP.

    Protecting your WP installation with an admin folder protection is not necessarily the best option.

    Whatever approach you decide, always back-up WP and all your files!

    You could make your admin address (yourwebsite.com/wp-admin) and the wp-login.php file IP-based in .htaccess (careful if you have a dynamic IP), prevent access to your .htaccess and wp-config.php files in .htaccess, hide WP admin login.

    Make wp-login.php IP based login
    This goes into your root directory .htaccess file

    <Files wp-login.php>
    Order deny,allow
    Deny from All
    Allow from xxx.xxx.xxx.xxx
    </Files>

    Where xxx.xxx.xxx.xxx = your IP

    Protect your wp-config.php
    This goes into your root directory .htaccess file

    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    Prevent directory browsing
    This goes into your root directory .htaccess file

    Options -Indexes

    Protect your WP from script injections
    This goes into your root directory .htaccess file

    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

    Limit login attempts plugin

    Define unique keys and salts

    Secure your uploads directory.

    Hide login error messages.

    Always have strong passwords, never use "admin" as your admin username, hide WP version (not everyone supports this approach), move your wp-config.php file above the root directory (not always a good solution and it depends on your hosting settings sometimes), and have a look at these WP security hacks and the 5G Firewall (read it carefully and test it).

    Read about Hardening WP.
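
The reply above says to test such rules before relying on them. The following is an added example, not part of the thread: it replays the three RewriteCond patterns from that post against query strings offline, so you can see what would get a 403, including a legitimate search that is blocked. The sample query strings and the function names are constructed for illustration.

```python
import re

# The three RewriteCond patterns from the post, as (regex, flags) pairs.
# [NC] on the first condition maps to re.IGNORECASE; [OR] joins all three.
CONDITIONS = [
    (r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
]


def is_blocked(query_string):
    """True if the rule set would answer 403 ([F]) for this raw query string.

    Apache matches %{QUERY_STRING} without URL-decoding it, and RewriteCond
    patterns are unanchored, hence re.search on the raw text.
    """
    return any(re.search(p, query_string, f) for p, f in CONDITIONS)


# Constructed sample query strings (not taken from any real log).
SAMPLES = [
    "s=hello+world",
    "p=123&preview=true",
    "s=<script>alert(1)</script>",
    "s=%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E",
    "GLOBALS[test]=1",
    "a=1&_REQUEST=x",
    "s=%3Cb%3Etranscript%3C/b%3E",  # legitimate text, still matches condition 1
]


def report(samples=SAMPLES):
    """Return (query_string, verdict) pairs for review before deploying."""
    return [(q, "403" if is_blocked(q) else "pass") for q in samples]


if __name__ == "__main__":
    for q, verdict in report():
        print(f"{verdict:>4}  {q}")
```

Replace SAMPLES with query strings from your own access log to see which normal requests the rules would reject before you put them in the root .htaccess file.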

This topic has been closed to new replies.