How to password protect the wp-admin directory from WordPress?

Password protecting your wp-admin directory is one of the  recommended security measures to harden security-leaking WordPress websites.

It is a very simple effective security measure but it also has potential to disrupt the rendering of the WordPress site because the security-mind-seriously-lacking developers (kind of reminding us the well-known company whose software indirectly created the billion dollar anti-virus industry) have insisted on calling some functions for regular visitors from wp-admin directory, which should be reserved strictly for admin.

One of the current issues is the calling of farbtastic.css from wp-admin/css directory: /wp-admin/css/farbtastic.css.

If you have password-protected wp-admin directory, your visitors will be shown a forbidden sign when this file is called.

To solve this problem, you will need to whitelist this particular file or all .css files, just in case the developers add another calling to the wp-admin/css directory.

The modified .htaccess file in wp-admin directory looks like this

AuthName “protected”
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from 192.168.100.1
</Limit>

#whitelisting wp-admin files
<Files “*.css” >
Order allow,deny
Allow from all
Satisfy any
</Files>

The example assumes your static IP is 192.168.100.1. If your IP address is assigned dynamically by your ISP, you may use “192.168.100.” to cover possible IP changes. If you find yourself locked out due to IP change, find your new IP, and change the old or add the new IP into .htaccess file.

Whitelisting will ensure any web-browser calling by regular visitors for any css files from wp-admin will be honored, not denied.

Be sure to check your log file to spot any denied calling to wp-admin directory and add them to the whitelist accordingly.