Title: Protecting Admin
Last modified: August 18, 2016

---

# Protecting Admin

 *  [southerngal](https://wordpress.org/support/users/southerngal/)
 * (@southerngal)
 * [21 years, 9 months ago](https://wordpress.org/support/topic/protecting-admin/)
 * One of my friends had her WP admin hacked. Is there a way to protect the directory
   for the admin and have it still work for posting and editing? I cannot figure
   out how to .htaccess the directory and still have it work.

Viewing 12 replies - 1 through 12 (of 12 total)

 *  Moderator [Matt Mullenweg](https://wordpress.org/support/users/matt/)
 * (@matt)
 * [21 years, 9 months ago](https://wordpress.org/support/topic/protecting-admin/#post-64313)
 * Maybe protect it but assign it a different username and password than everything
   else.
 *  Thread Starter [southerngal](https://wordpress.org/support/users/southerngal/)
 * (@southerngal)
 * [21 years, 9 months ago](https://wordpress.org/support/topic/protecting-admin/#post-64401)
 * Thanks Matt, how would I do that?
    I tried to put it in a separate directory 
   and .htaccess that, but, it gave me a lot of errors as everything was pointing
   to where it should have been. I’m talking about wp-admin. Is there another way
   to do this?
 *  [Ocean](https://wordpress.org/support/users/ocean/)
 * (@ocean)
 * [21 years, 9 months ago](https://wordpress.org/support/topic/protecting-admin/#post-64448)
 * I used an .htaccess file to protect almost everything in my wordpress directories…
   including the admin one so in order to post or access the back end at all, you
   have to login to the web site first. Works like a charm.
    On the subject of hacking,
   it might be prudent (if this was a well done hack and not just someone with an
   easily guessable password) to PRIVATELY email the WP dev team and let them know
   how it happened. Perhaps they can fix the code for the next version if it is,
   indeed, something they can do.
 *  Thread Starter [southerngal](https://wordpress.org/support/users/southerngal/)
 * (@southerngal)
 * [21 years, 9 months ago](https://wordpress.org/support/topic/protecting-admin/#post-64520)
 * Yup, that’s what it was, thanks Ocean!! Too cool!
 *  Thread Starter [southerngal](https://wordpress.org/support/users/southerngal/)
 * (@southerngal)
 * [21 years, 9 months ago](https://wordpress.org/support/topic/protecting-admin/#post-64522)
 * I created a tutorial for this. You can find that [here](http://www.ten-sixteen.net/).
   
   Hopefully this will help other people from getting hacked like my friend. 🙂
 *  Anonymous
 * [21 years, 9 months ago](https://wordpress.org/support/topic/protecting-admin/#post-64603)
 * Basic Auth sends your userID and password with every single HTTP header. Basic
   Auth without SSL sends them in the clear.
    I’m not disputing the usefulness of
   this tip, I’d just like to understand exactly what problem is being solved. Thanks!
 *  [carthik](https://wordpress.org/support/users/carthik/)
 * (@carthik)
 * [21 years, 9 months ago](https://wordpress.org/support/topic/protecting-admin/#post-64615)
 * The copyright statement on top of the tutorial is forbidding!
    Anon, she just
   wants to make sure no one without the password can access the wp folders.
 *  Anonymous
 * [21 years, 9 months ago](https://wordpress.org/support/topic/protecting-admin/#post-64694)
 * I understand, but you already have to be logged in with a password to get to 
   any of the PHP files in that folder anyway. It looks like you could load up the
   .js or .css files there, but those won’t tell you anything. Or am I missing some
   other dangerous files (I didn’t try all of them) that are accessible without 
   a login?
 *  Thread Starter [southerngal](https://wordpress.org/support/users/southerngal/)
 * (@southerngal)
 * [21 years, 9 months ago](https://wordpress.org/support/topic/protecting-admin/#post-64849)
 * *LOL* 2fargon! You like that copyright thing??!! Too funny.
    One of my friends,
   anon (please register here, it’s free y’know ;)) had her wp-admin backend hacked
   into by a pRon hacker and hijacked it. I don’t want to know why or how, I just
   wanted to prevent it from happening to myself and to others. 🙂
 *  Anonymous
 * [21 years, 9 months ago](https://wordpress.org/support/topic/protecting-admin/#post-64852)
 * Sigh. I do want to know how. I’m a web programmer and sometimes site administrator
   myself, so learning what is possible and what isn’t is both useful and vital 
   to me. It’s also important that people (myself included) understand what kind
   of protection really is useful and what isn’t.
    I personally can’t yet see any
   significant improvement that adding basic auth protection of the wp-admin directory
   offers, but I’m interested to see what I might be missing. As far as registering,
   I know it’s easy to do. It’s just that I already have probably over 100 userIDs
   and passwords all over the web for sites that require them. Since this site doesn’t,
   I haven’t been compelled to create yet another one. Doug
 *  [Ocean](https://wordpress.org/support/users/ocean/)
 * (@ocean)
 * [21 years, 7 months ago](https://wordpress.org/support/topic/protecting-admin/#post-65122)
 * No significant improvements? It’s another layer someone has to get through in
   order to get into the system. First, you have to get access to the directory,
   THEN you have to get access to the WP backend. Of course, it’s not as secure 
   as using a password that changes every 15mins, but we can’t all afford secure
   IDs for a stupid little blog. 😛
 *  [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [21 years, 7 months ago](https://wordpress.org/support/topic/protecting-admin/#post-65123)
 * I blogged about this the other day.
    I have yet to see, when I have asked for
   ftp / cpanel / blog details, any decent passwords. They are inevitably a birthday,
   a pet name, or even the person’s name and age. Hardly difficult to guess. Sure
   a determined hacker may have more tools and knowledge at their disposal, but 
   any (almost) site is vulnerable. The motivation behind the hacking of a blog 
   is purely guesswork, unless it is someone known to the blogger? And if that 
   is the case, the password examples I gave aren’t going to hold people back for
   long. Use secure passwords – simple as that, and have different ones for your
   blog, your ftp, cpanel and mysql.


The topic ‘Protecting Admin’ is closed to new replies.
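
The wp-admin protection discussed in this thread, written out as an `.htaccess` file that also accounts for the Basic Auth caveat raised in the replies. This is an added example, not taken from any poster or from the linked tutorial; it assumes Apache 2.4 with mod_ssl loaded and `AllowOverride AuthConfig` in effect, and the file path, realm name and user name are placeholders.

```apache
# wp-admin/.htaccess
# Added example. Placeholders: /path/outside/docroot/.htpasswd, the realm
# "wp-admin gate", and the user name used when creating the password file.

# Create the password file once, outside the web root, with a user name and
# password that are NOT the WordPress ones (the "different username and
# password than everything else" advice from the thread):
#
#   htpasswd -c -B /path/outside/docroot/.htpasswd gateuser
#
# -c creates the file, -B stores the password as a bcrypt hash.

# --- Weak form (shown commented out) -------------------------------------
# Basic Auth alone. Every request to wp-admin carries an Authorization
# header holding base64("user:password"). Base64 is an encoding, not
# encryption, so over plain HTTP the pair is readable on the network path.
#
#   AuthType Basic
#   AuthName "wp-admin gate"
#   AuthUserFile /path/outside/docroot/.htpasswd
#   Require valid-user

# --- Corrected form ------------------------------------------------------
# Refuse anything that did not arrive over TLS. A plain-HTTP request gets
# 403 and never receives the 401 challenge, so the browser is never asked
# to send the credentials unencrypted. If mod_ssl is not loaded this line
# is a configuration error and the directory fails closed with a 500.
SSLRequireSSL

AuthType Basic
AuthName "wp-admin gate"
AuthUserFile /path/outside/docroot/.htpasswd
Require valid-user
```

The gate adds a second, independent credential in front of the WordPress login form; it does nothing for a weak WordPress, FTP or control-panel password, which is the point made in the last reply.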

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 12 replies
 * 6 participants
 * Last reply from: [Mark (podz)](https://wordpress.org/support/users/podz/)
 * Last activity: [21 years, 7 months ago](https://wordpress.org/support/topic/protecting-admin/#post-65123)
 * Status: not resolved

