The admin folder in WordPress holds the key to your entire website. Hackers always try to get into the admin folder to hack a site. There have been numerous website hacking cases reported where it was found that the hackers had gained possession of the WP-Admin folder and hence had access to the rest of the website. Therefore, some people think twice before creating a website on WordPress. But if you already have a WordPress website, you can protect your admin folder in WordPress by limiting access in .htaccess.
There are various ways to protect your admin folder in WordPress by limiting access in .htaccess. You can do so using plugins, but the recommended method is to configure the .htaccess file manually. When you do it manually, there are various security measures you can take to prevent different types of hacking attempts. Note that .htaccess is a very powerful file that not only helps you with security but also holds configuration that can improve your site’s performance drastically.
How To Protect Your Admin Folder In WordPress By Limiting Access in .htaccess (By Plugins)
WordPress is popular for its plugins and there are plugins for literally everything. WP Security Scan is a plugin that you will need to protect your admin folder in WordPress by limiting access in .htaccess file.
Go to the Plugins option on the left menu of the Dashboard and click on the Add New option. In the search box, type the name of the plugin, which is WP Security Scan. Once the plugin is found and installed, go to the settings of the plugin. You will find .htaccess in the file scan report, and you can set the permission settings of the file and its sub-parts to protect your admin folder.
Even though the plugin has not been updated for a couple of years, it is fully functional and the only plugin in the market that lets you change settings in the .htaccess file. It recommends the corrective actions you can take and hence you do not have to be an expert to make the changes. It hides the WordPress version, provides database security, and offers WordPress admin protection and other security measures.
Apart from that, you can also install popular security plugins like All In One WP Security & Firewall and Wordfence Security.
How To Protect Your Admin Folder In WordPress By Limiting Access in .htaccess (Manually)
With plugins, you have limited settings, and if one of those plugins itself gets hacked, then your website becomes vulnerable as well. Therefore, it is always recommended to take things into your own hands and configure the .htaccess file yourself. Furthermore, there are a lot of security measures you can take by inserting code snippets.
Accessing .htaccess File
You will need FTP software to access the files and folders of your website. FileZilla is the best FTP software. Install and open it and then log in to your cPanel account. Note that you might see a different .htaccess file in different folders or in the root directory. Do not edit those at all. You have to edit only the .htaccess file residing inside the WP-Admin folder. Therefore, move inside the WP-Admin folder and spot the .htaccess file. In case you do not have one, you have to create it with the name .htaccess. Make sure that you take a backup of the file before editing it. This is what .htaccess looks like.
1. Restricting Admin Access
The first thing you need to do is to restrict any computer or device other than your own from accessing your website as the admin. You can achieve this by allowing your IP address only. If you have multiple devices, you can allow the IP address of each one of them. From the security point of view, it is the strictest step you can ever take, but it also prevents you from accessing your admin panel from anyone else’s computer.
Add the following code below #END WordPress, which is the last line in the .htaccess file. Place your IP addresses in the allow statements; you can have as many allow statements as you want.
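The IP allow-list for wp-admin/.htaccess, as an added example rather than the snippet shown in the original post; the addresses are constructed placeholders to replace with your own, and the directives use the Apache 2.4 authorization syntax (the equivalent 2.2 "allow statements" are left in comments for older hosts).

```apache
# /wp-admin/.htaccess  (added below the "#END WordPress" line)
# Allow the dashboard only from the listed addresses.  203.0.113.10 and
# 198.51.100.0/24 are constructed placeholders; substitute your own,
# one "Require ip" line per device or network you use.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# admin-ajax.php is requested by the public front end (logged-out
# visitors included) for features such as comment forms and sliders,
# so it must stay reachable or those features break for everyone.
<Files admin-ajax.php>
    Require all granted
</Files>

# Same restriction in the Apache 2.2 syntax used by some older hosts,
# for reference only; never mix both syntaxes in one file.
#   Order Deny,Allow
#   Deny from all
#   Allow from 203.0.113.10
#   Allow from 198.51.100.0/24
```

Note that wp-login.php lives in the site root, not under wp-admin, so this file alone does not restrict the login form itself.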
2. Protect wp-config.php
wp-config.php is the most important file, and it holds vital information about your website. You have to make sure that the file does not reach hackers by any means, or your website is sure to be hacked. You can deny access to your wp-config.php from everyone other than yourself. Paste the following code snippet at the end of the .htaccess file.
3. Ban Malicious Users By Their IP Address
Some users are potential hackers who try brute-force attacks and other means of hacking. You need to ban those users by their IP addresses. Just install any simple, lightweight security plugin and you will get notifications with the IP address when someone tries to brute-force a login to your website. Use the following code snippet to achieve that goal.
4. Disable PHP Execution
Some themes contain backdoors that let hackers into your website if you use them. Most backdoor files are stored in directories such as wp-includes and uploads. Even after your website is hacked and you recover from it, hackers can cleverly leave backdoors by placing PHP code in files, or saving it in folders, where it goes undetected. You can stop that by disabling PHP execution in certain folders. Use the following code snippet to achieve that.
5. Disable Directory Browsing
Sometimes hackers browse the directories of your WordPress website and do malicious work such as placing code snippets to create backdoors, deleting important files, and the like. You can disable directory listing with the following code snippet.
6. Restricting Access To WP-Content
The most important folder for a WordPress website is wp-content, where all the images, theme files, and plugin files are stored. If someone gets access to that folder and deletes everything, and you have no backup, your website is gone. Furthermore, hackers can place malware and viruses in that folder and your website can crumble. Place the following code snippet in the .htaccess file and you can deny everyone access to the wp-content folder.
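The directives for steps 2 through 6, as an added example that is not the original post's snippet, grouped by the .htaccess file each one must live in: a `<Files>` block only matches files beneath the directory whose .htaccess contains it, so the wp-config.php rule belongs in the site root rather than in wp-admin/.htaccess. The banned addresses are constructed placeholders.

```apache
# --- /.htaccess (site root) -----------------------------------------
# Step 2: wp-config.php is in the root, so this <Files> block must be
# in the root .htaccess; inside wp-admin/.htaccess it would match nothing.
<Files wp-config.php>
    Require all denied
</Files>

# Step 3: ban specific clients.  192.0.2.55 and 198.51.100.0/24 are
# constructed examples; use the addresses your security plugin reports.
<RequireAll>
    Require all granted
    Require not ip 192.0.2.55
    Require not ip 198.51.100.0/24
</RequireAll>

# Step 5: never render a listing for a directory that has no index file.
Options -Indexes

# --- /wp-content/uploads/.htaccess ----------------------------------
# Step 4: uploads should only ever hold media.  Refuse to serve any
# PHP-like file so a planted backdoor cannot be executed over HTTP.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>

# --- /wp-content/.htaccess ------------------------------------------
# Step 6: deny direct requests by default, then re-allow the static asset
# types browsers must fetch.  Theme and plugin PHP is loaded by WordPress
# itself, not by direct URL, so it keeps working.  Extend the list with
# any other file types you serve from uploads (pdf, mp4, ...).
Require all denied
<FilesMatch "\.(css|js|jpe?g|png|gif|svg|webp|ico|woff2?|ttf)$">
    Require all granted
</FilesMatch>
```

After each change, load the dashboard, the front end, and a media file in a private browser window; a 403 on one of them means the allow-list in that directory is missing a type or an address.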
Apart from that, you can disable image hotlinks to prevent someone else linking to your images and slowing down your website. One can also set up general redirection and 301 redirects through .htaccess file to let the visitors know that you have moved content to a new location.