Password protect WordPress login – wp-login.php

What is password protection?

It’s a feature that protects directories against access by unauthorised users. On a cPanel server, we can create password-protected directories from the control panel (Home >> Security >> Password Protect Directories). Once this feature is enabled, the server prompts every user accessing that directory for a user name and password. This provides a second layer of protection for our account on the internet. Here I explain how we can protect the WordPress login page from brute-force attacks!

Why this topic?

Simply to save your account's resources 😛 The chance of login attacks is high on WordPress websites, as WordPress has a well-known login page, wp-login.php, under the installation folder. A DoS against this page can slow down your website and consume resources. If your WordPress domain is hosted on a CloudLinux platform, you will definitely face the “508 Resource Limit Is Reached” error on your web page. Here we are going to protect the login page against brute-force attacks. The steps are simple:

Creating “.htpasswd” file

Yeah, to set up password protection you first need to create a .htpasswd file to store the secret authentication details. There are different ways to create it. On a cPanel server, we can create it from the control panel itself. Otherwise, you can create it with this online tool: HTPASSWD GENERATOR. The password must be stored in encrypted (hashed) form. Then upload the file to your home directory; a good location is “/home/user/.htpasswds/public_html/test/wp-admin/”.

File name :: /home/user/.htpasswds/public_html/test/wp-admin/passwd

Then place the code in the WordPress installation directory


Append the code below to the .htaccess file under the WordPress installation directory.


# copy this code to .htaccess, CryBit.com
# To prevent loops

ErrorDocument 401 default

# Protect wp-login
<Files wp-login.php>
AuthUserFile /home/user/.htpasswds/public_html/test/wp-admin/passwd
AuthName "Private access"
AuthType Basic
require valid-user
</Files>

NB: the line “ErrorDocument 401 default” helps you avoid a redirection error.
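An added example, not part of the original post: a small Python audit of the setup above. It checks that the .htaccess has the loop-prevention line and a complete wp-login.php block, that AuthUserFile sits outside the document root, and which hash scheme each passwd entry uses. The function names, the document root /home/user/public_html and the two passwd entries are assumptions constructed for illustration.

```python
import re

# Hash prefixes Apache recognises in an AuthUserFile; False = unsalted/legacy, regenerate.
SCHEMES = [("$2y$", "bcrypt", True), ("$apr1$", "apr1-md5", True),
           ("{SHA}", "unsalted-sha1", False)]

def hash_scheme(entry):
    """Return (user, scheme, acceptable) for one 'user:hash' passwd line."""
    user, _, digest = entry.strip().partition(":")
    for prefix, name, ok in SCHEMES:
        if digest.startswith(prefix):
            return user, name, ok
    return user, "crypt-or-plaintext", False

def audit_htaccess(text, docroot):
    """List problems found in the wp-login.php protection of an .htaccess file."""
    problems = []
    if not re.search(r"^\s*ErrorDocument\s+401\s+default\s*$", text, re.I | re.M):
        problems.append("missing 'ErrorDocument 401 default'")
    block = re.search(r'<Files\s+"?wp-login\.php"?\s*>(.*?)</Files>', text, re.I | re.S)
    if not block:
        return problems + ["no <Files wp-login.php> block"]
    directives = {}
    for line in block.group(1).splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1].strip().strip('"')
    for key, want in (("authtype", "basic"), ("require", "valid-user")):
        if directives.get(key, "").lower() != want:
            problems.append(f"{key} is not {want}")
    userfile = directives.get("authuserfile", "")
    if not userfile:
        problems.append("AuthUserFile is missing")
    elif userfile.startswith(docroot.rstrip("/") + "/"):
        # A passwd file under the web root could be served to visitors.
        problems.append("AuthUserFile is inside the document root")
    return problems

# Constructed sample input: the page's .htaccess and two made-up passwd entries.
SAMPLE_HTACCESS = """ErrorDocument 401 default
<Files wp-login.php>
AuthUserFile /home/user/.htpasswds/public_html/test/wp-admin/passwd
AuthName "Private access"
AuthType Basic
require valid-user
</Files>
"""
SAMPLE_ENTRIES = ["admin:$2y$05$constructedSaltAndHashValue", "old:{SHA}constructedDigest="]

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE_HTACCESS, "/home/user/public_html"), *map(hash_scheme, SAMPLE_ENTRIES))
```

An empty list from audit_htaccess means the block matches the layout described in this post; any passwd entry reported with False should be regenerated with a salted scheme.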

After the above steps, opening the login page brings up the user name and password prompt first.

That’s it!


Arunlal Ashok

Sr. Linux Server Administrator. I have been managing Linux servers since 2012. I started this blog to share and discuss my ideas. Check my profile on Upwork (oDesk) and create a job if you need any administration help. Thanks!!
