In this guide I will walk you through limiting access to the /wp-admin directory and the wp-login.php script, which password protects your WordPress website against invalid login attempts.

If you haven't already, I'd suggest checking out my article about the recent WordPress brute force attack, which prompted me to write this article.

Password Protecting the WordPress login:

Using the steps below, I'll show you how to create password protection for your /wp-admin directory, as well as how to copy those rules over to also protect your wp-login.php script.

Please note that it has been reported to us that, in certain cases, following these steps results in a redirect loop. If you're having that issue, please ensure you have the following two entries at the top of both .htaccess files:

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

  1. Login to the cPanel.
  2. Under the Security section, click on Password Protect Directories.
  3. Then, choose the Document Root for your domain, and click Go. Now, click on your wp-admin directory.
  4. Check Password protect this directory, give it a name, then click Save.
    Now, click on Go Back.
  5. Click the Password Generator button, then click the Generate Password button a few times, and copy your password.
    Check I have copied this password in a safe place.
    Then click Use Password.
  6. Now type in a Username, then click on Add/modify authorized user.
  7. Try to access your /wp-admin directory.
    You'll be prompted for the username/password you just created.
    Type them in, and click Log In. Your normal WordPress admin login page should now be displayed.
  8. Now go back to cPanel.
    Under the Files section, click on File Manager.
    Select the Document Root for your domain.
    Check Show Hidden Files (dotfiles), then click Go.
  9. From the left-hand directory listing, expand public_html.
    Click on wp-admin, then right-click on your .htaccess file.
    Then click on Edit.
    For the encoding pop-up, simply click on Edit again to bypass that.
  10. Copy all of the code in the .htaccess file.
  11. From the left-hand directory listing, click on public_html.
    Right-click on your .htaccess file, then click on Edit.
  12. Now paste the .htaccess code you copied, in-between some <FilesMatch> tags, so that it ends up looking like this:

    <FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
    </FilesMatch>

    Then click on Save Changes at the top-right. Now if someone tries to log in directly via wp-login.php, they will be prompted for a valid user as well.

  13. When invalid credentials are entered, the user will get an Authorization Required error and will not even be able to attempt to log in to your WordPress admin directly.
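
To check the result of steps 8 through 12 without a browser, the following added example (not part of the original guide) reads the text of the document-root .htaccess, reports whether a <FilesMatch> block covering wp-login.php carries the four auth directives shown above, and notes when the ErrorDocument 401/403 entries are absent. The function name audit_htaccess and the SAMPLE text are constructed for illustration.

```python
import re

REQUIRED = {"authtype", "authname", "authuserfile", "require"}  # the guide's block

# Constructed sample: the guide's block plus its two ErrorDocument entries.
SAMPLE = '''ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
'''

def audit_htaccess(text):
    """Return (errors, notes) for a document-root .htaccess file's text."""
    error_docs, seen = set(), {}
    in_block = found_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r'<FilesMatch\s+"?([^">]+)"?\s*>', line, re.I)
        if tag:
            # FilesMatch takes a regex; test it against the real file name.
            in_block = re.search(tag.group(1), "wp-login.php") is not None
            found_block = found_block or in_block
            continue
        if line.lower().startswith("</filesmatch"):
            in_block = False
            continue
        parts = line.split(None, 1)
        name, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if name == "errordocument":
            error_docs.update(value.split()[:1])  # keep only the status code
        elif in_block:
            seen[name] = value.strip().strip('"')
    errors = []
    if not found_block:
        errors.append("no <FilesMatch> block covers wp-login.php")
    else:
        errors += [f"missing directive: {d}" for d in sorted(REQUIRED - set(seen))]
        if seen.get("authtype", "basic").lower() != "basic":
            errors.append("AuthType is not Basic")
        if seen.get("require", "valid-user").lower() != "valid-user":
            errors.append("require is not valid-user")
    notes = [f"ErrorDocument {c} not set (the guide's redirect-loop fix)"
             for c in ("401", "403") if c not in error_docs]
    return errors, notes
```

This only inspects the file's text; requesting wp-login.php and seeing the Authorization Required prompt remains the real confirmation.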

Congratulations, now you know how to protect your WordPress website from unauthorized login attempts by requiring a username and password before an attempt to log in directly to WordPress is even allowed.
