Support » Plugin: BulletProof Security » [Plugin: BulletProof Security] Password Protecting wp-admin

  • Resolved riw


    I would like to password protect my wp-admin directory –but I can’t seem to with BP installed because of the rewrite rules it’s using in the root .htaccess file (?). Is there any way you could add the ability to add in password protecting wp-admin with the correct rewrites and 401 throws instead of 404 throws?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author AITpro


    Add “ErrorDocument 401 default” to your root .htaccess file >>>

    Also in order to password protect you wp-admin directory you will either need to use your Web Host Control Panel and add a username and password FIRST for your wp-admin directory, which will then automatically add that username and password to your .htpasswd file or you will need to create the username and password manually FIRST in your .htpasswd file

    NOTE: .htpasswd passwords are hashed – you will need the correct MD5 algorithm in order to create a password manually.

    NOTE: Most likely your currently active BPS wp-admin .htaccess file will be overwritten by your host when you create your .htpasswd username and password (your host will generate a new .htaccess file automatically) so you will need to add the BPS wp-admin .htaccess code back into your wp-admin .htacess file manually.

    I’ve tried this –but WordPress points me to a “you’re looking for something that’s not here” page… My guess is there’s some other rewrite bp security is doing that prevents the 401 redirect from working. I have the password working –when I go into wp-admin, it asks for the password, but then I get the “you’re looking for something that’s not here” message.

    Further, I’d rather not mess with my .htaccess file manually because that will mess up the automated processing by bp security –so I’d rather see this as an option within bp security itself.

    Plugin Author AITpro


    I think you are going too deep here. What BPS does is very complex, how BPS does it is very, very simple. 😉 I have tested wp-admin password protection on WP single sites, Network / MU sites and Giving WP Its own directory sites and all worked fine without adding the ErrorDocument 401 code. This is on GoDaddy hosting so keep in mind that every single web host has its own configuration methods / files / requirements etc and this means that most things are similar on all hosts, but then there are going to be things that are going to be completely web host specific.

    Also this new .htaccess code added from “Hardening WordPress” may be a factor for your particular web host. This is not likely the issue, but you never know – different web hosts do all kinds of different things. 😉

    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    Look at the simple things first:
    Look at the URL’s themselves and anything that does not make logical sense. So to see the problem you need to look at the specific details of what is occurring. When you see the WP message “your looking…” what URL do you see in your Address bar?

    Then go a little deeper:
    Do you have a standard Single site WP installation?
    Ary you using “Giving WordPress Its Own Directory” WP installation method?
    Are you using any other plugins that are writing to your .htaccess files?
    Are you using any other security plugins that could be interfering with BPS?
    Are you or your Host (some do DNS stuff automatically) doing anything with DNS?

    And a final thought to leave you with – adding a second Authentication layer to an already Authentication protected directory does not make it any more secure. 😉

    I’ve tried putting in “ErrorDocument 401 default” at the top of all three .htaccess files –the root of the web site, the root of the wp blog, and in the wp-admin directory. All I get is “sorry, you’re looking for something that’s not here” errors. The url when this error shows up is:

    If it’s helpful, I’ve pushed copies of all three of my .htaccess files with password protection onto a temp directory on another web site.

    Another question –once I do this, will BPS maintain it? In other words, once I’ve manually messed with the htaccess files, what happens when I reset the BPS settings? It will wipe these changes out, correct?


    Plugin Author AITpro


    Well putting ErrorDocument 401 default does not work on GoDaddy hosting and you do not need this .htaccess code in order to handle 401’s. Every web host is different on their requirements / what they allow / what they dont allow and then everything else under the sun.

    So you can generalize in possible things that might work on different web hosts, but it is best to check what your specific web host does and does not allow. It is also important to know what your Server API is. There are major differences between CGI and DSO and now these days there are new SAPI’s like LiteSpeed and others. So a simple phone call to your web host tech support should get you the answer for .htaccess 401 handling for your particular web host.

    So if BPS is not working right out of the box, which it does in about 99.99% of all cases then you need to look at your web host’s environment (all aspects of it) to get a better understanding of things you can and cannot do with .htaccess files on your particular web host.

    I looked at your .htaccess files and they are correct. The issue is not with the BPS .htaccess files though. The issue is with your web host.

    Current versions of BPS Free and BPS Pro will not retain any custom .htaccess file additions you make. BPS Pro will have this feature added in the next version release and this may or may not be added to the free version (depends on time constraints). BPS Pro 5.2 will also detect your web host and write web host specific .htaccess code. So what BPS Free has in place now for this is you have Backup and Restore and you also have My Notes. Both of these options give you a way of saving your .htaccess customizations permanently.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘[Plugin: BulletProof Security] Password Protecting wp-admin’ is closed to new replies.