Additional menu

Crunchify

Largest free Technical and Blogging resource site for Beginner. We help clients transform their great ideas into reality!

Crunchify   WordPress Optimization   How to Secure WordPress Login Page (wp-admin) with additional Strong P ...

How to Secure WordPress Login Page (wp-admin) with additional Strong Password (Pre-Login Authentication)

Updated on by App  

How to password protect wordpress login and admin page?

Securing a WordPress site is one of the essential part and eventually the key to success. You don’t want your site to be hacked or reached to someone else’s hand.

WordPress powers now almost 27% of the world and majority of self hosted blogs hosted with Hosting provider’s cPanel account.

Bluehost, Hostgator and Inmotion hosting are the top 3 and very popular hosting companies out there for WordPress. We also started with Bluehost long time back and now have semi dedicated hosting service from Squidix.

In this tutorial we will go over how you could secure your WordPress Login page. We will add one more additional password to your login page. Even before login page loads, user has to enter additional password to see login page.

Let’s get started on:

How to protect WP-ADMIN URL with .htaccess? How to avoid WordPress Brute Force Attack? Prevent Brute Force Attacks on WordPress Login page.

1. Login to cPanel

Once you login to your cPanel account, go to Files section and click on File Manager.

2. Enable Hidden Files

Clicking on File Manager will open new window. Click on Settings button on Top-Right corner. Click on Show Hidden Files (dotfiles) checkmark.

You will be able to see all .dot files now.

3. Create .wpadmin file

Click on +File link on Top-Left corner. Provide new file name .wpadmin and click on Create New File button.

This will create file under /home/<username>/.wpadmin location.

4. Create secure username and password

  • Go to http://www.htaccesstools.com/htpasswd-generator/ link.
  • Enter Username and Password

  • Click on Create .htpasswd file button
  • You will see username and password combination like this: crunchify:$apr1$h8xkWbnp$21u14Jpd3s/VSfD0.6LOA.

5. Edit .wpadmin file

  • Go to File Manager
  • Select file .wpadmin
  • Click on Edit button from top
  • Enter above username and password combination into your .wpadmin file
  • Save file

6. Create file .htaccess under Home directory

At the same level as .wpadmin create one more file .htaccess and put below content into it. File should be created at /home/<username>/.htaccess location.

ErrorDocument 401 "Sorry. Unauthorized Access. You are not allowed to access /wp-admin/ page."
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user
</FilesMatch>

Make sure to change username with your cPanel Username. This .htaccess file is different than your blog’s root .htaccess file.

And that’s it.

After all above steps, just visit your site’s wp-admin URL and verify: http://example.com/wp-admin/.

You need to enter a username & password which you entered in above step-4. It’s different than your WordPress user’s username & password combination.

If you liked this article, then please share it on social media. Have a question or suggestion? Please leave a comment to start the discussion.

Suggested Articles...

  1. How to SSH-Login to your Shared Hosting Account using ‘SSH Access’ Utility in cPanel?
  2. How to Start Your First Self-Hosted WordPress Blog? New to WordPress? Get Your Domain and Beginner Tips
  3. Cloudways: Nextgen Managed WordPress Cloud Hosting Service Review and User Guide
  4. How to Install SSL Certificate on cPanel for your WordPress Blog – Generate CSR and CRT
  5. Java Cookies: How to do Java Servlet Session Management using Cookies
  6. How to easily change WordPress Login page Logo and URL?

Reader Interactions

  6 Comments...

  2. Gaius says

    Hi App Shah, my hosting provider uses his own Control Panel design, which does not contain a file upload function, so I am creating my files with a text editor and then upload them by FTP.
    Despite trying different locations for the two files and each time altering the file paths within the .htaccess file accordingly, I have not been able to provide the extra layer of security described in your article. The only time the “Authorized Only” window popped up was when I placed both .htaccess und .wpadmin files directly in the folder into which WordPress has been installed. After having entered my username and password, this resulted not in the WordPress Login appearing but rather in an Error 500, since it is, of course, bad security practice and not permitted by my hosting provider.
    My directory structure as visible on the FTP client is: hosting-package/html/domain-directory/wordpress-directory.
    I assumed that I should place the .htaccess and .wpadmin files in the domain-directory and have used AuthUserFile /domain-directory/.wpadmin. This did not work, and also changing to FilesMatch “/wordpress-directory/wp.login.php” was in vain.
    Then I placed the two files in the next higher levels /html and /hosting-package, each time editing the file paths accordingly, without success.
    Finally I tried placing the .htaccess file in /html and the .wpadmin file in /domain-directory, with and without specifying the wordpress-directory in FilesMatch.
    So I have tried every possible location for the two files, each without success.
    Using my directory structure ‘hosting-package/html/domain-directory/wordpress-directory’, could you instruct me on where to place the two files and which paths to use for FilesMatch and AuthUserFile, please?
    Cheers, Gaius

  3. Anna R Grow says

    Great share, thank for sharing such informative blog. It is more useful to my work. I really thankful to you. You can do it a great job, well done. I can see that you can do a hard work for the presentation of this blog. Well done. We are also wait for yours others presentations.