Please note, this guide is based on Apache (e.g. cPanel) hosting and is designed for advanced users looking to security harden their own websites.

Why additionally password protect the WordPress login area?

When I first started using WordPress, I never had any protection on the login at all. It was only after installing a security plugin a couple of years ago that I realised how many bots were attempting to attack the login screen. One of my websites recorded over 13,000 attempts, with lots of combinations of usernames (mostly “admin”, “administrator”, “server”, “manager”) and passwords being used to try to guess the login details. Unfortunately a few people do have insecure logins – please, please never use an easily guessable username or password!!

The security plugin worked well and blocked any computer that entered more than ten incorrect username/password combinations, with its IP address being blocked for fifteen minutes. However, the frequency of the attacks was increasing.

Then, in April 2013, a large-scale brute force attack was unleashed on WordPress sites, as has been widely reported. This botnet contains thousands of different computers and can attack websites with quite a lot of force. It means login limit plugins are less effective because:

  1. Lots of different IP addresses are used in the attack, meaning that it’s harder to block an individual IP address.
  2. It can easily overload WordPress, since every login attempt means WordPress has to go through its routines. In particular, the login limit plugin will need to check the MySQL database on every attempt, so if it’s having to do this several times per second, the server may quickly run out of resources and take the website offline. This is especially true on shared hosting platforms where each website only has a small allocation of resources.
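To make those two points concrete, here is an added example (my own code, not from the original article) that counts wp-login.php POST attempts per IP address in a handful of constructed Apache access-log lines and shows how many of them a per-IP login-limit plugin with a given threshold would actually stop. It also counts the 401 responses that a server-side password (the approach this guide sets up) returns before WordPress runs at all. The log lines and IP addresses are invented for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format. The addresses come
# from the RFC 5737 documentation ranges and the requests are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2013:08:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2013:08:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:08:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Apr/2013:08:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2013:08:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2013:08:01:06 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2013:08:01:07 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.10 - - [10/Apr/2013:08:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.99 - - [10/Apr/2013:09:15:01 +0000] "GET /wp-login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.99 - - [10/Apr/2013:09:15:02 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line (method + path), status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

LOGIN_PATH = "/wp-login.php"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def _is_login_page(rec):
    return rec["path"].split("?", 1)[0] == LOGIN_PATH


def login_attempts(log_text):
    """Count POSTs to wp-login.php per client IP; each one is a login attempt."""
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and _is_login_page(rec):
            per_ip[rec["ip"]] += 1
    return per_ip


def rejected_by_apache(log_text):
    """Requests for wp-login.php answered 401: stopped by HTTP auth before WordPress ran."""
    count = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "401" and _is_login_page(rec):
            count += 1
    return count


def summarize(log_text, threshold=10):
    """Compare a per-IP block threshold against the attempts that reached WordPress.

    An IP that never reaches `threshold` attempts is never blocked, so all of
    its attempts are processed by WordPress (and by any login-limit plugin).
    """
    per_ip = login_attempts(log_text)
    blocked = {ip for ip, n in per_ip.items() if n >= threshold}
    return {
        "total_attempts": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "blocked_ips": len(blocked),
        "attempts_not_blocked": sum(n for ip, n in per_ip.items() if ip not in blocked),
        "rejected_by_apache": rejected_by_apache(log_text),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(summarize(SAMPLE_LOG, threshold=2))
```

With the plugin's ten-attempt threshold, none of the six source addresses in the sample is ever blocked, so every one of the seven attempts is processed by WordPress and its database; that is the distributed-attack problem in a nutshell. The two 401 lines are what the access log shows once Step 4 is in place: Apache rejects the request itself, without starting PHP or touching MySQL.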

So, my solution would be for webmasters to add a basic layer of protection to the WordPress login and WP-Admin area using the htaccess password method, which is a pretty standard feature of most web hosting accounts. Admittedly, htaccess isn’t the most secure password system; however, in this case all it’s doing is protecting your site from automated attacks by bots (or from the casual prying eyes of unauthorised users), so it doesn’t need to be especially secure or complicated. All this is intended to do is put up another security barrier, on top of the existing WordPress login system.

But isn’t this additional login annoying for you or other admin users? Possibly yes, but it also makes the site more secure. Most browsers also allow you to permanently save a htaccess username/password, plus you can make the username/password fairly simple – it doesn’t need to be very complex. It seems a very small step to me to offer some good protection to your WordPress installation!


Setting up htaccess protection on your WordPress site:

STEP 1: Back up your website!

Whenever editing files on your server, I’d strongly advise taking a backup, just in case you need to roll back any changes! Warning: editing the .htaccess file can take your website offline if not done correctly.


STEP 2:  Creating the WP-Admin password

If available to you, use your hosting provider’s control panel to password protect the WP-Admin directory (i.e. public_html/wp-admin). This will allow you to automatically generate the htaccess password file.

In cPanel, you can do this via the “Directory Privacy” facility.

In the /wp-admin/ directory, there should now be a new file generated called “.htaccess”, and in another location a file called “.htpasswd”. On cPanel servers, this “.htpasswd” file is normally located in a folder on the root of the server (not in “public_html”). The .htpasswd file contains an encrypted copy of your password.

If you don’t have the facility to password protect a directory via cPanel, try an online tool like http://www.htaccesstools.com/htpasswd-generator instead to generate the .htpasswd file, and create a .htaccess file using the code sample below.


STEP 3: Editing the .htaccess file

Open the newly-generated .htaccess file in the /wp-admin/ directory in a code or plain text editor (for Windows users, Notepad will do!) and it should look something like the following:

AuthType basic
AuthUserFile "/home/account-name/.htpasswds/public_html/wp-admin/.htpasswd"
AuthName "MESSAGE TO THE USER"
Require valid-user

Your file may differ slightly, but it should look roughly like this.


Important: ensure the AuthUserFile and AuthName values are changed to your requirements! Also, when saving the file on a Windows computer before uploading, you may need to save it as x.htaccess and then rename it on the server to remove everything before the dot.

AuthUserFile = the location of the .htpasswd file on your server (note this path may change on different servers – if creating this file from scratch, do refer to your hosting documentation to check what paths to use).

AuthName = you can call this anything you want to! The text you enter here will appear in the popup password box in your browser when anyone attempts to access the directory; for example:

Ok, now we need to add two extra blocks of code:

<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

The code above exempts admin-ajax.php from the password, so WordPress features that call it from the public site continue to work normally for visitors.

ErrorDocument 401 /password-error.html

And this line allows you to show a custom error page to any user who doesn’t enter the username/password correctly.

So putting it all together, your .htaccess file in the /wp-admin/ directory should look something like this:

AuthType basic
AuthUserFile "/home/account-name/.htpasswds/public_html/wp-admin/.htpasswd"
AuthName "MESSAGE TO THE USER"
Require valid-user
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
ErrorDocument 401 /password-error.html


STEP 4: Adding protection to the wp-login file

So above we’ve protected the WP-Admin directory, but we still need to protect the wp-login.php file in the /public_html/ folder.

WordPress will have already created a .htaccess file (in public_html), so just open it up and it’ll look something like the following:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

To the bottom of this file, add:

<Files wp-login.php>
AuthType Basic
AuthUserFile "/home/account-name/.htpasswds/public_html/wp-admin/.htpasswd"
AuthName "MESSAGE TO THE USER"
Require valid-user
</Files>
ErrorDocument 401 /password-error.html

You can copy the AuthUserFile and AuthName values from the .htaccess file you created in Step 3.


It’s important that the path to the .htpasswd file is exactly the same path as you created earlier. This means both .htaccess files will share the same password file and therefore not prompt the user twice when logging in.
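As an added example (not part of the article), the following script audits the two .htaccess files for the mistakes this step warns about: it extracts every AuthUserFile path, reports when the two files point at different password files, flags a password file stored inside the web root, and checks that the <Files wp-login.php> block and the admin-ajax.php exemption from Step 3 are present. The file contents and the web-root path /home/account-name/public_html are constructed placeholders, and "Restricted area" stands in for your own AuthName.

```python
import re

# Constructed sample contents of wp-admin/.htaccess (placeholder paths).
ADMIN_HTACCESS = """\
AuthType basic
AuthUserFile "/home/account-name/.htpasswds/public_html/wp-admin/.htpasswd"
AuthName "Restricted area"
Require valid-user
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
ErrorDocument 401 /password-error.html
"""

# Constructed sample contents of public_html/.htaccess after Step 4.
ROOT_HTACCESS_OK = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
<Files wp-login.php>
AuthType Basic
AuthUserFile "/home/account-name/.htpasswds/public_html/wp-admin/.htpasswd"
AuthName "Restricted area"
Require valid-user
</Files>
ErrorDocument 401 /password-error.html
"""

# A weak variant: a different password file, and one stored inside the web root.
ROOT_HTACCESS_WEAK = ROOT_HTACCESS_OK.replace(
    "/home/account-name/.htpasswds/public_html/wp-admin/.htpasswd",
    "/home/account-name/public_html/.htpasswd",
)

AUTHFILE_RE = re.compile(r'^\s*AuthUserFile\s+"?([^"\s]+)"?\s*$', re.M | re.I)
FILES_RE = re.compile(r'<Files\s+"?([^">\s]+)"?\s*>', re.I)


def auth_user_files(htaccess_text):
    """Every AuthUserFile path in the file, with surrounding quotes stripped."""
    return AUTHFILE_RE.findall(htaccess_text)


def files_blocks(htaccess_text):
    """Names of the <Files ...> sections in the file."""
    return FILES_RE.findall(htaccess_text)


def audit(root_htaccess, admin_htaccess, docroot="/home/account-name/public_html"):
    """Return a list of findings; an empty list means the two files agree with Steps 3 and 4."""
    findings = []
    root_paths = auth_user_files(root_htaccess)
    admin_paths = auth_user_files(admin_htaccess)
    if not root_paths:
        findings.append("public_html/.htaccess: no AuthUserFile directive")
    if not admin_paths:
        findings.append("wp-admin/.htaccess: no AuthUserFile directive")
    if root_paths and admin_paths and set(root_paths) != set(admin_paths):
        findings.append(
            "AuthUserFile differs between the two files "
            f"({sorted(set(root_paths))} vs {sorted(set(admin_paths))}); "
            "users will be prompted for a password twice"
        )
    # Keep the password file outside the directory Apache serves from.
    prefix = docroot.rstrip("/") + "/"
    for path in sorted(set(root_paths + admin_paths)):
        if path.startswith(prefix):
            findings.append(f"{path} is inside the web root; keep the password file outside it")
    if "wp-login.php" not in files_blocks(root_htaccess):
        findings.append("public_html/.htaccess: no <Files wp-login.php> block, so the login page is unprotected")
    if "admin-ajax.php" not in files_blocks(admin_htaccess):
        findings.append("wp-admin/.htaccess: no <Files admin-ajax.php> exemption, so front-end AJAX will break")
    return findings


if __name__ == "__main__":
    print("good pair:", audit(ROOT_HTACCESS_OK, ADMIN_HTACCESS))
    print("weak pair:", audit(ROOT_HTACCESS_WEAK, ADMIN_HTACCESS))
```

Note that the cPanel path from Step 2 contains "public_html/wp-admin" but sits under the hidden .htpasswds folder in your home directory, not under the web root, so the good pair passes. One further caveat for the admin-ajax.php block: Order, Allow and Satisfy are Apache 2.2 directives; on Apache 2.4 they only work if mod_access_compat is loaded, and the native 2.4 equivalent inside that <Files> section is a single `Require all granted` line.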


STEP 5:  Creating a custom error page

In case people enter the wrong username or password, they’ll be directed to the server’s standard Error 401 page (i.e. unauthorised access), which isn’t very user-friendly:

Error 401

So, instead, upload a custom HTML file called “password-error.html” to your /public_html/ folder. This error page is the file we referred to in the two .htaccess files above. You can style it however you wish, although to keep things simple I’d advise not using any images or external files (e.g. CSS or JavaScript files). Simply create a basic HTML file! Mine looks like the one below:

Custom Error 401


STEP 6:  Test!

If you’ve followed the steps above, you should now have successfully password protected your WordPress login. It means your WP-Admin directory is now hidden behind an extra layer of protection, and it’ll stop people or bots from accessing the WordPress login page without the htaccess username/password.