In this guide I will walk you through limiting access to the /wp-admin directory, and the wp-login.php script, which will lock down and password protect your WordPress website from invalid login attempts.
If you haven't already, I'd suggest checking out my article about the recent WordPress brute force attack, which is what prompted me to write this article.
Password Protecting the WordPress login:
Using the steps below, I'll show you how to create password protection for your /wp-admin directory, as well as how to copy those rules over to also protect your wp-login.php script.
Please note that it's been reported to us that in certain cases following these steps will result in a redirect loop. If you're having that issue, please ensure you have the following two entries at the top of both .htaccess files:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
- Log in to cPanel.
- Under the Security section, click on Password Protect Directories.
- Then, choose the Document Root for your domain, and click Go. Now, click on your wp-admin directory.
- Check Password protect this directory, give it a name, then click Save. Now, click on Go Back.
- Click the Password Generator button, then click the Generate Password button a few times, and copy your password. Check I have copied this password in a safe place, then click Use Password.
- Now type in a Username, then click on Add/modify authorized user.
- Try to access your /wp-admin directory. You'll be prompted for the username/password you just created. Type them in, and click Log In. Your normal WordPress admin login page should now be displayed.
- Now go back to cPanel. Under the Files section, click on File Manager. Select the Document Root for your domain, check Show Hidden Files (dotfiles), then click Go.
- From the left-hand directory listing, expand public_html. Click on wp-admin, then right-click on your .htaccess file and click on Edit. For the encoding pop-up, simply click on Edit again to bypass it.
- Copy all of the code in the .htaccess file.
- From the left-hand directory listing, click on public_html. Right-click on your .htaccess file, then click on Edit.
- Now paste the .htaccess code you copied between <FilesMatch> tags, so that it ends up looking like this:
AuthName "Secure Area"
Then click on Save Changes up at the top-right. Now if someone tries to log in directly via wp-login.php they will be prompted for a valid user as well.
- When invalid credentials are entered, the user will get an Authorization Required error, and will not even be able to attempt to log in to your WordPress admin directly.
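To make the end result of the steps above concrete, here is what the two finished .htaccess files look like, as an added example rather than the article's own snippet (the article only shows the AuthName line). AuthType, AuthName, AuthUserFile and require valid-user are the standard Apache basic-auth directives that the cPanel Password Protect Directories tool writes; the AuthUserFile path is a placeholder, since cPanel generates the real one for your account. The two ErrorDocument lines from the redirect-loop note go at the top of both files: with a quoted message instead of a URL, Apache answers the 401/403 directly as plain text rather than handing the error page to WordPress's rewrite rules, which is what can otherwise bounce the browser between wp-login.php and the error page.

```apache
# ===== public_html/wp-admin/.htaccess (written by cPanel; ErrorDocument lines added) =====
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

AuthType Basic
AuthName "Secure Area"
# Placeholder path: cPanel fills in the real .htpasswd location for your account
AuthUserFile "/home/EXAMPLE_USER/.htpasswds/public_html/wp-admin/passwd"
require valid-user

# ===== public_html/.htaccess (your existing file, with the auth block added) =====
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Only wp-login.php gets the extra login prompt; every other file in the
# document root (index.php, theme assets, uploads) stays public.
<FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    # Same placeholder path as in wp-admin/.htaccess, so both prompts use one user list
    AuthUserFile "/home/EXAMPLE_USER/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
</FilesMatch>

# The standard WordPress rewrite block that was already in the file stays below
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

A quick way to confirm it is working is to request wp-login.php without credentials (for example with a browser's private window): the response should be the 401 Authorization Required prompt, and WordPress's own login form should only appear after the Apache prompt has been passed. One caveat worth knowing: some themes and plugins call wp-admin/admin-ajax.php for ordinary visitors, and that file now sits behind the wp-admin password too, so if a front-end feature stops working after these steps, that is the first place to look.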
Congratulations, now you know how to protect your WordPress website from unauthorized login attempts, by requiring a username and password before an attempt to directly login to WordPress is even allowed.