I want to password protect my wp-admin folder for added security. How should I do that?

From Wordfence Documentation

Yes, you can, but you need to set up the .htaccess file correctly. You can’t simply block access to everything in /wp-admin/ because the directory contains your AJAX handler, admin-ajax.php. The AJAX handler is what allows users on your website to perform application functions without a full page reload. For example, when you click a button and see a rotating “loading” icon, that is usually an AJAX call. If you simply block the whole of /wp-admin/ with a password, you will break any plugin or theme that uses AJAX for users who are not logged in.

To work around this, you can whitelist your AJAX handler as follows. Your .htaccess file should look something like this:

AuthUserFile /path/to/your/htpasswd
AuthType basic
AuthName "Restricted Resource"
require valid-user

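# This is the whitelisting of the AJAX handler.
# Order/Allow/Satisfy are Apache 2.2 directives; Apache 2.4 needs mod_access_compat for them.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>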
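
A small check for the mistakes this answer warns about, written as an added example (not Wordfence code): it reads the text of a wp-admin .htaccess and reports a missing password requirement, a missing admin-ajax.php exemption, or an exemption block that is never closed. The function name and sample files are constructed for illustration; it assumes no other `<Files>` blocks carry their own `require` lines, and it goes beyond the page by also accepting the Apache 2.4 form `Require all granted`.

```python
import re

# Constructed sample files for the demo (not taken from a real site).
BLOCK_ALL = '''AuthUserFile /path/to/your/htpasswd
AuthType basic
AuthName "Restricted Resource"
require valid-user
'''
UNCLOSED = BLOCK_ALL + '''<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
'''
GOOD = UNCLOSED + "</Files>\n"

# Apache directive and container names are case-insensitive.
AJAX_OPEN = re.compile(r'<files\s+"?admin-ajax\.php"?\s*>$', re.I)

def audit_wp_admin_htaccess(text):
    """Return findings for a wp-admin .htaccess; an empty list means it passed."""
    auth = opened = closed = in_ajax = False
    seen = set()  # normalised directives found inside the admin-ajax.php block
    for raw in text.splitlines():
        line = " ".join(raw.split())  # trim and collapse whitespace
        if not line or line.startswith("#"):
            continue
        if AJAX_OPEN.match(line):
            opened = in_ajax = True
        elif line.lower().startswith("</files"):
            closed = closed or in_ajax
            in_ajax = False
        elif in_ajax:
            seen.add(line.lower())
        elif line.lower() == "require valid-user":
            auth = True
    findings = []
    if not auth:
        findings.append("no directory-level 'require valid-user'")
    if not opened:
        findings.append("admin-ajax.php not exempted; logged-out AJAX gets 401")
    elif not closed:
        findings.append("<Files admin-ajax.php> is never closed")
    # Apache 2.2 style (as on this page) or the Apache 2.4 equivalent.
    legacy = {"allow from all", "satisfy any"} <= seen
    if opened and not (legacy or "require all granted" in seen):
        findings.append("exemption block does not grant anonymous access")
    return findings
```
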