How to password protect the WordPress login and admin page?
Securing a WordPress site is essential and ultimately a key to its success. You don’t want your site to be hacked or to fall into someone else’s hands.
WordPress now powers almost 27% of the world, and the majority of self-hosted blogs are hosted on a hosting provider’s cPanel account.
Bluehost, Hostgator and Inmotion Hosting are the top 3 and very popular hosting companies out there for WordPress. We also started with Bluehost a long time back and now have a semi-dedicated hosting service from Squidix.
In this tutorial we will go over how you can secure your WordPress login page by adding one additional password in front of it. Before the login page even loads, the user has to enter this additional password to see it.
Let’s get started on:
- How to protect the WP-ADMIN URL with .htaccess?
- How to avoid a WordPress Brute Force Attack?
- Prevent Brute Force Attacks on the WordPress Login page.
1. Login to cPanel
Once you log in to your cPanel account, go to the Files section and click on File Manager.
2. Enable Hidden Files
Clicking on File Manager will open a new window. Click on the Settings button in the Top-Right corner. Check the Show Hidden Files (dotfiles) checkbox.
You will be able to see all dotfiles now.
3. Create .wpadmin file
Click on the +File link in the Top-Left corner. Provide the new file name .wpadmin and click on the Create New File button.
This will create the file at the /home/<username>/.wpadmin location.
4. Create secure username and password
- Go to the http://www.htaccesstools.com/htpasswd-generator/ link.
- Enter Username and Password
- Click on the Create .htpasswd file button
- You will see a username and password combination like this:
crunchify:$apr1$h8xkWbnp$21u14Jpd3s/VSfD0.6LOA.
5. Edit .wpadmin file
- Go to File Manager
- Select the file .wpadmin
- Click on the Edit button from the top
- Enter the above username and password combination into your .wpadmin file
- Save the file
6. Create file .htaccess under Home directory
At the same level as .wpadmin, create one more file named .htaccess and put the content below into it. The file should be created at the /home/<username>/.htaccess location.
    ErrorDocument 401 "Sorry. Unauthorized Access. You are not allowed to access /wp-admin/ page."
    ErrorDocument 403 "Forbidden"
    <FilesMatch "wp-login.php">
    AuthName "Authorized Only"
    AuthType Basic
    AuthUserFile /home/username/.wpadmin
    require valid-user
    </FilesMatch>
Make sure to replace username with your cPanel username. This .htaccess file is different from your blog’s root .htaccess file.
And that’s it.
After all the above steps, just visit your site’s wp-admin URL and verify: http://example.com/wp-admin/.
You need to enter the username & password which you entered in step 4 above. It’s different from your WordPress user’s username & password combination.
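
A pre-flight check for the files created in steps 3 to 6, added here as an example and not part of the original tutorial: it reports the username placeholder left in AuthUserFile and a .wpadmin entry that is not a password hash. The cPanel user alice, the function names and the set of accepted hash formats are assumptions of this example.

```python
import re

# Hash formats accepted by this example: bcrypt ($2y$), Apache MD5 ($apr1$), {SHA}.
HASH_RE = re.compile(r"^(\$2y\$\d\d\$[./A-Za-z0-9]{53}"
                     r"|\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}"
                     r"|\{SHA\}[A-Za-z0-9+/]{27}=)$")

def check_htaccess(text, cpanel_user):
    """Return problems found in the step-6 .htaccess content (empty list = OK)."""
    block = re.search(r'<FilesMatch\s+"?([^">]+)"?\s*>(.*?)</FilesMatch>', text, re.S | re.I)
    if not block or "wp-login" not in block.group(1):
        return ["no <FilesMatch> block covering wp-login.php"]
    directives = {}
    for line in block.group(2).splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1].strip().strip('"')
    problems = []
    if directives.get("authtype", "").lower() != "basic":
        problems.append("AuthType Basic is missing")
    if directives.get("require", "").lower() != "valid-user":
        problems.append("require valid-user is missing")
    expected = f"/home/{cpanel_user}/.wpadmin"
    if directives.get("authuserfile") != expected:
        problems.append(f"AuthUserFile should be {expected}")
    return problems

def check_password_file(text):
    """Return problems found in the .wpadmin content (empty list = OK)."""
    entries = [l.strip() for l in text.splitlines() if l.strip()]
    problems = [] if entries else ["no entries in .wpadmin"]
    for n, entry in enumerate(entries, 1):
        user, sep, hashed = entry.partition(":")
        if not sep or not user:
            problems.append(f"entry {n}: not in user:hash form")
        elif not HASH_RE.match(hashed):
            problems.append(f"entry {n}: value for {user} is not a recognised hash")
    return problems

# Constructed sample: the tutorial's block with the placeholder still in place.
SAMPLE_HTACCESS = """<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user
</FilesMatch>"""

if __name__ == "__main__":
    print(check_htaccess(SAMPLE_HTACCESS, "alice"), check_password_file("crunchify:hunter2"))
```

Paste the contents of your own two files in place of the samples; an empty list from both functions means the structure matches what the steps above describe.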