This documentation is only valid for older versions of Wordfence. If you are using Wordfence 7 or later, please visit our.
I want to password protect my wp-admin folder for added security. How should I do that?
Yes, you can, but you need to set up the .htaccess file correctly. You can’t simply block access to everything in /wp-admin/ because the directory contains your AJAX handler. The AJAX handler is what allows users on your website to perform application functions without a full page reload. For example, when you click a button and see a rotating “loading” icon, that is usually an AJAX call. If you simply block the whole of /wp-admin/ with a password, you will break any plugin or theme that uses AJAX for users who are not logged in.
To work around this, you can whitelist your AJAX handler as follows. Your .htaccess file should look something like this:
    AuthUserFile /path/to/your/htpasswd
    AuthType basic
    AuthName "Restricted Resource"
    require valid-user
    # This is the whitelisting of the ajax handler
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>
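One way to check an .htaccess file against the layout above before deploying it, as an added example that is not Wordfence code: the hypothetical `audit_htaccess` function flags a missing or incomplete admin-ajax.php exemption. Accepting the Apache 2.4 form `Require all granted` is an assumption that goes beyond the 2.2-style directives shown on this page.

```python
import re

# Constructed sample: the .htaccess layout from this page (the path is a placeholder).
SAMPLE = """\
AuthUserFile /path/to/your/htpasswd
AuthType basic
AuthName "Restricted Resource"
require valid-user
# This is the whitelisting of the ajax handler
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
"""

def audit_htaccess(text):
    """Return a list of findings; an empty list means the layout matches the page."""
    top, files, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r'<Files\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            section = opened.group(1).strip().lower()
            files.setdefault(section, [])
        elif re.fullmatch(r"</Files\s*>", line, re.I):
            section = None
        else:
            # Normalise case and whitespace so "require  valid-user" still matches.
            directive = " ".join(line.lower().split())
            (files[section] if section else top).append(directive)
    findings = []
    if "authtype basic" not in top or "require valid-user" not in top:
        findings.append("wp-admin is not protected by Basic authentication")
    if not any(d.startswith("authuserfile ") for d in top):
        findings.append("AuthUserFile is missing")
    ajax = files.get("admin-ajax.php")
    if ajax is None:
        findings.append("admin-ajax.php is not exempted; logged-out AJAX will break")
    else:
        old_style = "allow from all" in ajax and "satisfy any" in ajax  # Apache 2.2
        new_style = "require all granted" in ajax  # Apache 2.4 (assumption, not on page)
        if not (old_style or new_style):
            findings.append("admin-ajax.php exemption is incomplete; password still required")
    return findings
if __name__ == "__main__":
    print(audit_htaccess(SAMPLE) or "OK")
```

Dropping `Satisfy any` from the 2.2-style block is the case worth catching: `Allow from all` alone leaves the password prompt in place for admin-ajax.php.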