Password Protect or IP Restriction on WordPress wp-admin Folder (htaccess and htpasswd)

in #wordpress, 2 years ago


The wp-admin folder is the most important folder in a WordPress installation: it contains the code for the Dashboard. It also contains admin-ajax.php, which the WordPress UI (and many plugins and themes) uses to send requests to the backend, so simply blocking the entire wp-admin folder may break site functionality.

I have been getting lots of warnings from the Plugin "Limit Login Attempts":

Wordpress Limit Login Attempts Email Warnings

Although this plugin is sufficient to protect the WordPress login dashboard from brute-force attacks by locking out clients after too many incorrect attempts, I feel it is necessary to add one more layer of protection.

Whitelisting admin-ajax.php in .htaccess

Access rules are specified in the .htaccess file, a hidden file placed in the site root or in the wp-admin folder itself. Before restricting anything, we first whitelist admin-ajax.php, which we can do via the following:

# placing this at wp-admin folder
# Files matches on the file name only, so no leading slash
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

IP Restriction in .htaccess

Then we can allow only certain IP addresses to access /wp-admin (IP whitelisting) via the following, placed in the same .htaccess alongside the Files section above:

<Limit GET POST PUT DELETE PATCH>
order deny,allow
deny from all
allow from 12.34.56.78
</Limit>

We could also add "ErrorDocument 401 default" at the top of the .htaccess so that the default 401 page is shown to the user when access is denied. Here is the complete .htaccess that allows only certain IPs to access the /wp-admin folder while still whitelisting admin-ajax.php:

# placing this at /wp-admin folder
ErrorDocument 401 default

<Limit GET POST PUT DELETE PATCH>
Order deny,allow
Deny from all
# multiple whitelisted IP addresses are separated by spaces
# (Apache does not allow a comment at the end of a directive line)
Allow from 12.34.56.78
</Limit>

<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
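As an added example (my own code, not part of the original post), here is a small Python checker for the mistakes that are easy to make in a hand-written .htaccess like the one above: a section tag that is never closed, an inline comment after a directive (Apache's config parser has no end-of-line comments, so the words after # become extra arguments of the directive), comma-separated hosts in Allow/Deny from (they are space-separated), a leading slash in a Files section (it matches on the file name only), and access control placed inside a Limit section, which leaves every HTTP method not listed unrestricted. The two config samples inside it are constructed for the demonstration and the checker is deliberately limited to the directives used on this page.

```python
import re

# Section directives that must be closed with a matching </Name>.
SECTION_TAGS = {"files", "filesmatch", "limit", "limitexcept",
                "ifmodule", "directory", "location"}
SECTION_RE = re.compile(r"<(/?)(\w+)(?:\s+([^>]*))?>$")


def lint_htaccess(text):
    """Return a list of (line_number, message) findings for common .htaccess mistakes."""
    findings = []
    open_sections = []  # stack of (name, line_number) for sections not yet closed
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or full-line comment: fine
        if "#" in line:
            # Apache has no end-of-line comments: "# foo bar" becomes extra arguments.
            findings.append((no, "inline comment: words after '#' are parsed as arguments"))
            line = line.split("#", 1)[0].strip()
        m = SECTION_RE.match(line)
        if m:
            closing = m.group(1) == "/"
            name = m.group(2).lower()
            args = (m.group(3) or "").strip()
            if name not in SECTION_TAGS:
                continue
            if closing:
                if open_sections and open_sections[-1][0] == name:
                    open_sections.pop()
                else:
                    findings.append((no, f"</{name}> without a matching open section"))
            elif not args:
                findings.append((no, f"<{name}> has no arguments (did you mean </{name}>?)"))
            else:
                open_sections.append((name, no))
                if name == "limit":
                    findings.append((no, "<Limit> restricts only the listed methods; "
                                         "put access control outside <Limit>"))
                if name == "files" and args.startswith("/"):
                    findings.append((no, "<Files> matches the file name only; drop the leading '/'"))
            continue
        words = line.split()
        if words[0].lower() in ("allow", "deny") and len(words) > 1 and words[1].lower() == "from":
            hosts = words[2:]
            if not hosts:
                findings.append((no, f"{words[0]} from: no host given"))
            elif any("," in h for h in hosts):
                findings.append((no, f"{words[0]} from: hosts are separated by spaces, not commas"))
    for name, no in open_sections:
        findings.append((no, f"<{name}> is never closed"))
    return findings


# Constructed sample: the shape of config that trips every check above.
BAD_CONFIG = """\
ErrorDocument 401 default

<Limit GET POST PUT DELETE PATCH>
order deny,allow
deny from all
allow from 12.34.56.78 # multiple whitelisted IP addresses separated by comma
<Limit>

<Files /admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
"""

# Constructed sample: same intent, written so that it passes (203.0.113.10 is a
# documentation address standing in for a second allow-listed IP).
GOOD_CONFIG = """\
ErrorDocument 401 default

# two allow-listed addresses, separated by spaces
Order deny,allow
Deny from all
Allow from 12.34.56.78 203.0.113.10

<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
"""

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(f"[{label}]")
        for no, msg in lint_htaccess(cfg) or [(0, "no findings")]:
            print(f"  line {no}: {msg}")
```

Run it on a real file with `lint_htaccess(open(".htaccess").read())`; an empty list means none of these particular mistakes is present, not that the config is correct, so keep `apachectl configtest` (or a request from a non-whitelisted address) as the real check.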

Password Protect the Folder in .htaccess (.htpasswd)

We can also require a username and password. The credentials are stored in a .htpasswd file, which should be placed outside the website directory to reduce the chance of it being served by accident (your home directory is a reasonable place; remember to set restrictive file permissions on it).

The .htpasswd file is a plain-text file in which each line has the form username:password, where the password field holds the MD5 hash of the password.

# each line is a user
username:password_md5_hash
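Added example (my own code, not from the post or from the Apache project): a Python implementation of the $apr1$ MD5 scheme that `htpasswd -m` writes into that password field, plus a verifier for a .htpasswd line, so you can see what actually goes into the hash and check a line offline. It is not a bare MD5 of the password: the hash is salted, prefixed with the `$apr1$` magic and stretched over 1000 rounds, which is why `md5sum` output will never work in this file. The user name and password in the usage call are constructed sample values. On Apache 2.4, `htpasswd -B` (bcrypt) is the stronger choice for new files; the code below documents the MD5 format the post describes.

```python
import hashlib
import secrets

# Apache's crypt-style base64 alphabet, used by to64() in apr_md5_encode().
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = "$apr1$"


def _to64(value, count):
    """Encode the low 6*count bits of value, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password, salt):
    """Return the $apr1$ hash that htpasswd -m produces for password and salt."""
    if len(salt) > 8 or "$" in salt:
        raise ValueError("salt must be at most 8 characters and contain no '$'")
    pw = password.encode("utf-8")
    sb = salt.encode("ascii")

    # Stage 1: md5(pw || "$apr1$" || salt), then fold in md5(pw || salt || pw)
    ctx = hashlib.md5(pw + APR1_MAGIC.encode("ascii") + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of len(pw): a NUL byte if the bit is set, else the first password byte
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # Stage 2: 1000 rounds of stretching, mixing inputs according to the round index
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # Stage 3: encode the 16 bytes in the fixed byte order apr_md5_encode() uses
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return APR1_MAGIC + salt + "$" + encoded


def htpasswd_line(username, password):
    """Build one 'username:hash' line with a fresh random 8-character salt."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{username}:{apr1_md5(password, salt)}"


def verify_htpasswd(line, username, password):
    """Check a username/password pair against one .htpasswd line in $apr1$ format."""
    user, _, stored = line.partition(":")
    if user != username or not stored.startswith(APR1_MAGIC):
        return False
    salt = stored[len(APR1_MAGIC):].split("$", 1)[0]
    # Recompute with the stored salt and compare in constant time.
    return secrets.compare_digest(apr1_md5(password, salt), stored)


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    line = htpasswd_line("wpadmin", "correct horse battery staple")
    print(line)
    print(verify_htpasswd(line, "wpadmin", "correct horse battery staple"))  # True
    print(verify_htpasswd(line, "wpadmin", "wrong password"))                # False
```

To cross-check against Apache's own tool, `htpasswd -nbm wpadmin 'some password'` prints a line in the same format; pasting it into verify_htpasswd with the same password should return True, since the function re-derives the hash from the salt embedded in the line.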

Then we specify the password protection in .htaccess (complete source, again whitelisting admin-ajax.php). AuthUserFile gives the absolute path to the .htpasswd credential file:

# placing this at /wp-admin folder
ErrorDocument 401 default

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/user/.htpasswd
Require valid-user

# Files matches on the file name only, so no leading slash
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Then, when visiting /wp-admin, you should see an authentication dialog pop up:

sign-in-dialog

If invalid credentials are provided, you should see the following message (401 Unauthorized):

Unauthorized This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

Apache/2.4.41 (Ubuntu) Server at helloacm.com

Finally, test /wp-admin/admin-ajax.php to confirm that it is still whitelisted: it should return 400 Bad Request with a content body of "0".

--EOF (The Ultimate Computing & Technology Blog) --
