Password Protect Your Website Admin Area


Over the last few years, our websites have been subject to regular attacks. One of the most common attacks was sending bots to repeatedly attempt to login to our admin area. Some of the attacks were severe enough to slow or crash our website.

We’ve stopped those attacks from happening by creating an additional layer of security for our admin areas.

We keep hackers out of your admin area is to create an additional username and password via a file called htpasswd. That extra password screen prevents the bots from reaching our admin login and has eliminated problems with repeated login attempts.

This tutorial will show you how to do that in three easy steps. Let’s get started.

1) Navigate to Your Admin Area

Use your host’s file manager or FTP to access the admin folder of your website. For example:

  • Joomla’s folder is /administrator
  • WordPress’ folder is /wp-admin

2) Create .htpasswd

In your admin folder, create a .htpasswd file with the following contents:

  • YourSecretUsername:YourSecretPassword

Replace the above username and password with any that you’d like.

3) Create .htaccess

Create a .htaccess file and add the following code to it:

AuthUserFile “/home/username/public_html/administrator/.htpasswd”
AuthName “Restricted Area”
AuthType Basic
require valid-user
RewriteEngine On
RewriteRule \.htpasswd$ – [F,L] 

In the above code, switch /home/username/public_html/administrator to your host’s full path to your admin folder.

4) Additional Step for Drupal

If you’re using Drupal, you’ll need to do an additional step:

  • Install the Global Redirect module to force all URLs to the clean SEF URLs, so that your password protection can’t be by-passed.

That’s it. Now check your admin area and you should be prompted for the additional username and password.



  • Nick Savov

    Nick is the Director of Support at OSTraining and you can find him in almost every area of the site, from answering support requests and account questions to creating tutorials and software.

    View all posts
0 0 votes
Article Rating
Notify of

Newest Most Voted
Inline Feedbacks
View all comments
10 years ago

Admin Tools extension from Akeeba can do these steps instead of you in Joomla (even the free version).

You do not have to edit the files manually, only provide username and password in the administration area.

10 years ago

I understand that creating the .htpasswd and .htaccess files further help with admin security but how does that help with bot attacks that slow or crash the site?

10 years ago

Hi Michael
Good question – I’ve added a note of clarification to the blog.
Repeated attempts against the admin login will strain the site’s database and server.
However, the extra login is just stored in a flat file and so create much less stress.
Plus, bots are very familiar with the WP and Joomla login screens, but likely confused by the .htpasswd login screen.

10 years ago

In drupal, where to place the password file? no place for admin path like joomla

Vinoth Barnabas
Vinoth Barnabas
9 years ago

You can prevent web crawler or bots from targeting specific areas of the domain by declaring it in a file called robots.txt at the root folder.
The content of the robots file will be similar to this
User-agent: *

Disallow: /p/

Disallow: /r/

Disallow: /bin/

Disallow: /includes/

Michael Lavrik
Michael Lavrik
8 years ago

you can use admin tools to get a password setup on the admin area. here is a tutorial [url=]…[/url]

TheTails Labs
TheTails Labs
7 years ago

Thanks! Nice protection but is this the best?

Edirin Michael Aphunu
Edirin Michael Aphunu
6 years ago

i tried it but i cant login in, its always displaying the login page

6 years ago

Hello Nick Savov,
Thanks for your tuto.
I try to set this under Joomla 3.8.5
Unfortunately after setting I get 404 error page

Any help

Would love your thoughts, please comment.x