Password protect WordPress login – wp-login.php

What is password protection?

It’s a smart feature to protect directories against accessing it from unauthorised users. In a cPanel server, we can simply create password protected directories via the control panel (Home >> Security >> Password Protect Directories). If we enable this feature, the system will prompt all users accessing that particular directory with a user name and password window. This provide a second layer of protection to our account on internet. Here I explain, how we can protect the WordPress login page from Brute Force Attack!

Why this topic?

Simply to save your accounts resources 😛 Chance of login attacks are high on WordPress websites as it has a known login page wp-login.php under the installation folder. A DoS to this page can slowdown your website and consume resources. If your WordPress domain is hosted in a CloudLinux platform, you will definitely face the “508 Resource Limit Is Reached” error on your web-page. Here we are going to protect the login page against Brute Force Attack. The steps are simple:

Creating “.htpasswd” file

Yeah, to do password protection first you need to create a .htpasswd file to store the secret authentication details. There are different options available to create this. In a cPanel server, we can create it from the control panel itself. Otherwise you can create this from this online tool >> HTPASSWD GENERATOR << The generated password must be in encrypted form. Then upload the file to your home directory, a best location should be in “/home/user/.htpasswds/public_html/test/wp-admin/“.

File name :: /home/user/.htpasswds/public_html/test/wp-admin/passwd

Then place the code in the WordPress installation directory


Append the code pasted below into the .htaccess file under WP installation directory.

# copy this code to .htaccess,
# To prevent loops

ErrorDocument 401 default

# Protect wp-login
<Files wp-login.php>
AuthUserFile /home/user/.htpasswds/public_html/test/wp-admin/passwd
AuthName "Private access"
AuthType Basic
require user auth

NB : “ErrorDocument 401 default” this line will help you to avoid redirection error.

The above steps will re-prompt the login page:


That’s it!

Also read;

How to reset WordPress admin/users password from Linux command line?
Database Upgrade Required – a detailed view!

Arunlal Ashok

Linux Server Administrator. I'm dealing with Linux servers since 2012. I started this blog to share and discuss my ideas with the world. Check My Profile!! in uPwork (oDesk) and let me know if you need any assistance. Thanks!!

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *