WordPress : Password protect wp-admin directory and wp-login.php

Hardening WordPress by password-protecting both wp-login.php AND the wp-admin directory is a great way to protect your website from hackers.

But isn’t it safe enough if I use a strong password on the standard wp-admin login? Against a brute force attempt, yes, but single factor authentication (a simple username and password) means there is only one layer of security between you and the bad guys. Let’s suppose you had to reset your WordPress password and had it emailed to you. How secure is your email? Were you on a public wifi hotspot when you picked up that email? It’s not just about how strong your password is.

We’re going to add another layer, using the web server’s own htpasswd technology. Two caveats before you start: the extra layer is still a password, so don’t reuse your WordPress password for it, and HTTP Basic authentication sends the credentials base64-encoded rather than encrypted, so serve the login pages over HTTPS. This technique can be applied to Joomla, Drupal and many other Content Management Systems with a few minor tweaks.

Why htpasswd is better than another PHP driven single factor authentication layer

While it is not the most graceful of solutions, Apache’s htpasswd basic authentication system (assuming your webserver runs on Apache, as most still do) offers two great advantages over most WordPress security plugins.

  1. The user is challenged before the request for the page is served. This means that no PHP is processed until the user authenticates, and that in turn means no MySQL database query is processed either. When your website is under a brute force attack, every request is rejected by Apache with a 401 before it reaches WordPress. This saves a lot of CPU cycles when your site is under attack.
  2. Authentication failures are logged to the Apache error_log file (for example /var/log/httpd-error.log, or /usr/local/apache/logs/error_log on cPanel servers). So if you have a login failure tracker such as LFD (which comes with CSF from configserver.com) or BFD (which comes with APF from www.rfxn.com), the attacker only gets a handful of attempts before their IP address is banned by the firewall. A network level ban is far better than one engineered at the application level.

Why the wp-admin directory AND wp-login.php should be protected

Many guides suggest you protect only the wp-admin folder, but that’s shortsighted. Why? Because it won’t prevent brute force attacks reaching wp-login.php, which sits in the top directory of your WordPress installation (not under wp-admin), eating up your bandwidth/CPU and giving attackers unlimited guesses at your WordPress login. So, this guide locks down both areas.

Step 1 – Protecting wp-admin using cPanel’s Password Protect Directories feature

If you don’t have cPanel, don’t panic; just follow the guide linked below to create your passwd file and protect your wp-admin directory manually:

Creating the password hash and protect wp-admin manually

In cPanel, click on the Password Protected Directories icon in the Security section.

Open Password Protected Directories

Then find the wp-admin directory. Navigate through your directories by double clicking the directory names. When you find the wp-admin folder, click on the little folder icon.

Password protect wp-admin directory

Creating the user’s password hash

The screen has two areas, so we will start at the bottom, as it makes sense to create the user before we restrict access. Just enter the username you wish to use and the password (a nice strong one, of course) and click the Add/modify authorized user button.

Creating the user's password hash

You will see a confirmation message; just accept it and you will be returned to the same screen again. Your new user should now appear in the Authorized Users list at the bottom. At the top of the screen, we just need to activate the protection. Tick the check box, enter a nice stern warning in the Name the protected directory: box as shown, and click Save.

Activate password protection for wp-admin

Step 2 – Protecting wp-login.php

Currently (cPanel 11.40) cPanel doesn’t provide a graphical interface for protecting individual files, so this part has to be done manually.

In the root directory of your WordPress installation, create or open the .htaccess file. At the top of it, add the following:

Note: If you protected wp-admin manually in Step 1, change the AuthUserFile path to the passwd file you created yourself. If you used cPanel, the path to the file will be along the lines of:
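The manual version of Step 1 together with Step 2, as a shell script. This is an added example, not code from the original page: the docroot, passwd-file path, username and function names are this example’s own, and it hashes with openssl’s APR1 format instead of the htpasswd binary so that it runs on a machine without Apache installed. If cPanel created the passwd file for you, pass that file’s path instead of creating a new one. The Apache directives themselves are the standard mod_auth_basic ones.

```shell
#!/bin/sh
# Added example, not code from the original page: the manual version of Step 1
# plus Step 2 in one script. Paths, usernames and the function names are this
# example's own; the Apache directives are the standard mod_auth_basic ones.
#
# Usage: protect_wordpress <docroot> <passwd-file> <username> <password>
# e.g.   protect_wordpress /home/example/public_html /home/example/.htpasswd-wp staff 'S3cret pass'

# Hash a password in Apache's APR1 (MD5-based) format, which every Apache
# release accepts. A fixed salt is only for reproducible tests; in real use
# leave it out so openssl picks a random one (htpasswd -B, bcrypt, is better
# still when the Apache tools are installed).
hash_password() {
    if [ -n "$2" ]; then
        openssl passwd -apr1 -salt "$2" "$1"
    else
        openssl passwd -apr1 "$1"
    fi
}

# Add or replace "user:hash" in the passwd file. The file must sit outside
# the web root and be readable by the Apache user only (mode 0640).
add_user() {
    passwd_file=$1 user=$2 password=$3 salt=$4
    hash=$(hash_password "$password" "$salt") || return 1
    if [ ! -f "$passwd_file" ]; then
        : > "$passwd_file"
    fi
    # Drop any existing line for this user so a re-run rotates the password
    # instead of appending a second entry (usernames have no regex metachars).
    grep -v "^$user:" "$passwd_file" > "$passwd_file.tmp" || :
    printf '%s:%s\n' "$user" "$hash" >> "$passwd_file.tmp"
    mv "$passwd_file.tmp" "$passwd_file"
    chmod 0640 "$passwd_file"
}

# wp-admin/.htaccess: every request under wp-admin is challenged (Step 1).
write_wp_admin_htaccess() {
    docroot=$1 passwd_file=$2
    mkdir -p "$docroot/wp-admin"
    cat > "$docroot/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted Area - Authorized Staff Only"
AuthUserFile "$passwd_file"
Require valid-user
EOF
}

# Top-level .htaccess: a <Files> block for wp-login.php (Step 2), placed at the
# top, ahead of the "# BEGIN WordPress" rewrite rules. Skips if already present.
write_login_htaccess() {
    docroot=$1 passwd_file=$2 htaccess=$1/.htaccess existing=""
    if [ -f "$htaccess" ]; then
        grep -q '^<Files wp-login.php>' "$htaccess" && return 0
        existing=$(cat "$htaccess")
    fi
    {
        cat <<EOF
<Files wp-login.php>
AuthType Basic
AuthName "Restricted Area - Authorized Staff Only"
AuthUserFile "$passwd_file"
Require valid-user
</Files>
EOF
        if [ -n "$existing" ]; then printf '%s\n' "$existing"; fi
    } > "$htaccess"
}

# Run all three steps. $5 is the optional fixed salt used only by tests.
protect_wordpress() {
    add_user "$2" "$3" "$4" "$5" &&
    write_wp_admin_htaccess "$1" "$2" &&
    write_login_htaccess "$1" "$2"
}
```

Run it once per site with the passwd file outside the web root; the Apache user must be able to read that file, and nobody else should. Re-running with the same username replaces the password rather than adding a second line, and the wp-login.php block is only written once, so the script is safe to repeat.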

That’s it! You have now protected both wp-admin and wp-login.php – but wait! There’s more

Step 3 – Preventing 404 Not Found and Ajax errors

Two things can go wrong when you implement this, and here’s how to fix them:

401 error document loop (404 / too many redirects)

HTTP Basic Auth answers the browser’s first request with a 401 Unauthorized to ask for a password. The webserver then tries to serve the corresponding error document, usually 401.shtml. Because it can’t find it (who creates those anyway!) it raises a 404 and tries to serve 404.shtml, which it also can’t find… which raises another 404 and tries to serve 404.shtml, which it also can’t find… déjà vu?

The simple fix is to add this to the top level .htaccess file – immediately below the statement is safest:

If that doesn’t work, create an empty file in your website’s root folder called 401.shtml and add this to your .htaccess file (WordPress’s rewrite rules only apply to files that don’t exist, so an empty 401.shtml is served as-is):

Password protect wp-admin causes problems with plugins/themes that rely on wp-admin ajax functionality

If ajax-enabled themes and plugins stop working (their requests to wp-admin/admin-ajax.php now get a 401 instead of a response), add this after the first Files block you created in .htaccess in Step 2.
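Both Step 3 fixes as a shell script, added here and not part of the original page. fix_401_loop prepends an ErrorDocument 401 override to the top-level .htaccess (Apache’s built-in message by default, or the empty 401.shtml fallback when a docroot is passed); allow_admin_ajax inserts the admin-ajax.php exception directly after the wp-login.php Files block. The ErrorDocument, Files and IfModule directives are standard Apache, written for both 2.2 (Satisfy any) and 2.4 (Require all granted); the function names and the sample .htaccess layout are this example’s own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: the two Step 3 fixes applied
# to the top-level .htaccess from Step 2. The ErrorDocument and Files/IfModule
# directives are standard Apache; the function names are this example's own.

# Fix 1: break the 401 -> 401.shtml -> 404 -> 404.shtml loop. By default tell
# Apache to use its built-in 401 message; pass the docroot as $2 to use the
# page's fallback instead (an empty 401.shtml, which WordPress's rewrite rules
# leave alone because the file exists).
fix_401_loop() {
    htaccess=$1 docroot=$2
    if [ -f "$htaccess" ] && grep -q '^ErrorDocument 401 ' "$htaccess"; then
        return 0                              # already fixed, stay idempotent
    fi
    if [ -n "$docroot" ]; then
        : > "$docroot/401.shtml"
        directive='ErrorDocument 401 /401.shtml'
    else
        directive='ErrorDocument 401 default'
    fi
    {
        printf '%s\n' "$directive"
        if [ -f "$htaccess" ]; then cat "$htaccess"; fi
    } > "$htaccess.new" && mv "$htaccess.new" "$htaccess"
}

# The exception for wp-admin/admin-ajax.php. <Files> sections in an .htaccess
# apply to subdirectories and are merged after directory-level auth, so this
# overrides the "Require valid-user" from wp-admin/.htaccess for that one file.
# WordPress's own nonce and capability checks still apply to every AJAX action.
admin_ajax_block() {
    cat <<'EOF'
<Files admin-ajax.php>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all granted
    </IfModule>
</Files>
EOF
}

# Fix 2: insert the exception directly after the first </Files> (the
# wp-login.php block from Step 2); append it if no such block exists.
allow_admin_ajax() {
    htaccess=$1 inserted=0
    if [ -f "$htaccess" ] && grep -q '^<Files admin-ajax.php>' "$htaccess"; then
        return 0                              # already present, stay idempotent
    fi
    {
        if [ -f "$htaccess" ]; then
            while IFS= read -r line || [ -n "$line" ]; do
                printf '%s\n' "$line"
                if [ "$inserted" = 0 ] && [ "$line" = "</Files>" ]; then
                    admin_ajax_block
                    inserted=1
                fi
            done < "$htaccess"
        fi
        if [ "$inserted" = 0 ]; then admin_ajax_block; fi
    } > "$htaccess.new" && mv "$htaccess.new" "$htaccess"
}
```

After applying both, a request for wp-login.php should get a plain 401 with a WWW-Authenticate header and no further redirects, while a request for wp-admin/admin-ajax.php should reach PHP without a password prompt. Leaving admin-ajax.php open does not reopen the login form: it cannot log anyone in, and every action it serves still goes through WordPress’s own checks.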


Jack Bogle and Bogleheads On Asset Allocation

This writeup will not explain Asset Allocation, Risk vs Reward or many other related issues. It is just to serve, to me, as a reminder of the reasoning behind my personal Asset Allocation choices.

Many people over the years have asked Jack Bogle about his portfolio, hoping to divine the perfect investment mix. It’s an especially pressing question now in a volatile market, in which international events are whipsawing stocks.

The founder of Vanguard Group, the world’s largest mutual fund company, used to have a really basic portfolio that followed an asset allocation known as the 60-40 rule — 60 percent in a U.S. stock index fund and 40 percent in a U.S. bond index fund. He maintained that allocation for himself for years.

But he recently shifted his strategy by a hair: He’s now at 50/50, which makes his portfolio slightly more conservative.

“I just like the idea of having an anchor to the windward,” said Bogle, who is 86. “I’m not so much worried about having my estate grow.”


My personal Asset Allocation is currently around 21% Bonds / 10% Cash / 69% Stocks of which around 10% are International which brings us to this nice quote (below):

longinvest wrote:
Based on the above, here is the asset allocation approach that I recommend, regardless of age:

  • One should always have enough cash available to meet upcoming expenses.
  • One should have a reasonably sized emergency fund in cash.
  • The portfolio should be allocated as follows:
    1. It should only contain stocks and bonds through the use of total-market index ETFs or mutual funds.
    2. It should have no less than 25% and no more than 75% in bonds.
    3. It should have no less than 25% and no more than 75% in stocks divided as follows:
      1. It should have no less than 25% and no more than 75% of the stock allocation in the domestic stock market.
      2. It should have no less than 25% and no more than 75% of the stock allocation in international markets, without the use of currency hedging*.

Why 25% to 75%? There’s no deep theory behind these ratios. They are simply the ranges within which the allocation will have a noticeable impact on returns.

How much bonds, stocks, and international stocks, within these ranges? That’s up to each individual investor to choose according to his own perception of risks and potential rewards. The most important is to make a choice that the investor will be able to stick to regardless of how markets and inflation behave. That’s what we call staying the course.

As an example:

A 75% stocks / 25% bonds Three-Fund Portfolio with 25% of the stock allocation invested internationally would result in the following overall asset allocation:

  • Domestic stocks: 56% — (75% X 75%)
  • International stocks: 19% — (75% X 25%)
  • Bonds: 25%

As you can see, this is both within Bogle’s guidelines and the above guidelines.

I recommend that you decide for yourself about an appropriate allocation to international stocks within the above guidelines. There is simply no agreement among various Bogleheads authors (and members of this site) about how much should be invested internationally.

“When experts disagree, it is often because it does not make a foreseeable difference.” — Taylor Larimore, author of The Bogleheads’ Guide to Investing

So I want to take that recommendation and either drop International altogether or gradually work it up to 19-20% of holdings. I am leaning more towards the 20% at this point though would definitely want to get there slower than sooner.

On Bonds: I disagree with the seeming consensus of those who say one must/should hold International Bonds. Of course I have allowed a bit of International Bonds to creep into my mix and will limit it to a small percentage (4%, like a large position size), which I do not expect to impact my overall outcome significantly over time. I expect to glide, gradually, toward 50% bonds in my holdings. For a few reasons, mainly due to my liking how bonds have worked so far in my mix. Secondarily due to the general recommendations that they serve as stabilizers during market downs, though I do not really believe this; the only thing that would/could stabilize my holdings is having enough. If one does not have enough in a downturn to tide over, all bets are off! That being said I am directing a 2% increase in bond holdings per year towards 50% Bonds (and Cash, Cash probably at 10% but may be lower) / 50% Stock. This does NOT include my Emergency Fund which has the following Allocation:

My Emergency Fund is currently 2 years’ worth of expenses and is stored as follows:

Cash (Bank Savings Accounts (at least 2))- .5-1% yield – 20%
CDs (In a Ladder of sorts) – 5 year, various yields – 35%
Vanguard Short-Term Tax-Exempt Fund Investor Shares (VWSTX) – 10%
Vanguard Intermediate-Term Tax-Exempt Fund Investor Shares (VWITX) – 35%

So far I am quite happy with how my Emergency Fund has developed and worked out over the 5 years I have actually had one! I still firmly hold that the best recommendation to begin one’s financial quest is to begin with an adequate Emergency Fund and not to mingle it with the rest of one’s finances.

Now back to Asset Allocation, briefly; after all my experimenting and looking around here and there I believe the best way to invest would be to hold the following mix of funds according to one’s preferred Asset Allocation:

Domestic Stocks – Vanguard Total Stock Market Index Fund (VTI, VTSAX)
International Stocks – Vanguard Total International Stock Index Fund (VXUS, VTIAX)
Domestic Bonds – Vanguard Total Bond Market Index Fund (BND, VBTLX) / Vanguard Intermediate-Term Bond Index Fund (BIV, VBILX) – Each with 50% of the Bond Allocation, example if Bonds are 50% then 25% would be Total Bond and 25% would be Intermediate-Term Bond, this is not a requirement for success, Total Bond Index is just fine. A bit more on the Bond Split can be found here.

Jack Bogle – On Bond Split

The following encloses what Jack Bogle says about why he prefers Intermediate Bond to Total Bond and why it might be a good idea to have both, in equal proportions, in the future, though for most it would be simpler to have one or the other. This mainly serves as a note to myself as to why I want 50/50 Total Bond / Intermediate Bond (BND / BIV) in my tax deferred and a similar split with Municipal Bond funds (VWAHX/VWITX/VWSTX) in my taxable. You can read for yourself what Jack Bogle actually says; the following was copied from his site:

Dear Jack:

I am in the process of reading your new book “The Little Book” and in your chapter on bond funds, you state that “the intermediate-term bond index fund is a truly superior performer”.

I owned that fund along with the Long Term Bond Index Fund. Then last year Vanguard developed a financial plan for me in which they recommended that I sell those two funds and purchase the Total Bond Market Index Fund. I did just that and now I am concerned that I made a mistake and should have at least kept the Intermediate fund. I realize you are comparing that fund to Muni Bonds and Gov’t Bonds but I am wondering how you feel about the Total Bond Market Index Fund vs. Intermediate. Would it make sense to hold both? I also own the European Index Fund and it has done very well and I am considering buying the Total International Stock Index Fund and also keeping the European Fund. Again, does it make sense to hold both? Does it ever make sense to hold a part of a total index fund and still hold the total fund?

As you can see I am confused so anything you can do to shed some light on all of this would REALLY be appreciated.

I look forward to hearing from you,
John D

Hi, John,

Thanks for asking about our bond funds. I like the (taxable) IT bond index fund because it provides more stability than the LT index fund, and more income than the ST index fund.  The Total Bond Market Index Fund is fine, but I vaguely wonder about a bond fund that has 35% of its portfolio in non-bonds (i.e., GNMA securities, with their risk of being prepaid early,  when interest rates tumble).

That said, TBMF happens to have a maturity profile that is intermediate-term on balance, and so differs from IT largely in its holdings of GNMAs and Treasurys. Their ten-year records are similar, based on the tabulation I’m sending separately (IT 6.49%, TBM 5.96%, which included a single year, 2002, in which we sort of forgot to stick to index principles, costing 2.00%, or about 0.20% per year. I’m assured by management that such an aberration will not recur.)

As it happens your previous 50LT/50IT strategy was a winning one, as the tabulation shows.  Of course we have no idea which of the above strategies will work best in the coming ten years, but it’s comforting to realize that the results of all six of those shown are almost certain to differ only in degree.

There’s no particular reason NOT to hold two overlapping index funds.  In your case, adding a similar investment in Total International to your present European would simply lower your European exposure from 100% to about 80% of your Intl holdings.  Not much difference, for Eur is about 60% of Intl.

I don’t know nearly enough about your assets and goals to advise you, but I hope this note helps clarify the issues.  Perhaps your Vanguard adviser can explain the reasoning behind your allocations, and discuss possible changes.

Jack Bogle

* * * * * * *

