Password protect WordPress logins

Using the steps below, I'll show you how to create password protection for your /wp-admin directory. We'll also copy those rules over to protect your wp-login.php script to keep WordPress as safe as possible.

Step 1: Securing wp-admin Directory

1)   Login to your cPanel
2)   Under the Security section, click on Password Protect Directories.
3)   Select the Document Root for your domain, then click Go.
4)   Click on your wp-admin directory.
5)   Check Password protect this directory, give it a name, then click Save.
6)   Now click on Go Back.
7)   Click on Password Generator.
8)   Click on Generate Password a few times, and copy your password.
9)   Check I have copied this password in a safe place.
10) Then click Use Password.
11) Now type in a Username, then click on Add/modify authorized user.
12) Try to access your /wp-admin directory.
      Your browser will prompt you for the password you just created.
      Type in your username / password, and click Log In
13) Your normal WordPress admin login page should now display.
14) If You don't get your Normal Wordpress Login Page you need to add this Code in your .htaccess file

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

To Edit your .htaccess file:
1) Go to cPanel
2) Under the Files section, click on File Manager.
3) Select the Document Root for your domain.
4) Check Show Hidden Files (dotfiles), then click Go.
5) Spot the .htaccess file in the File Manager
6) Then click on Edit
7) For the encoding pop-up, click on Edit again to bypass that.

8) Add the Require Code
9) Hit Save

Now try hitting the wp-admin page check if you see the Login Now.



Step 2: Securing wp-login.php Page

1) Go to cPanel
2) Under the Files section, click on File Manager.
3) Select the Document Root for your domain.
4) Check Show Hidden Files (dotfiles), then click Go.

5) From the left-hand directory listing, expand public_html.
6) Click on wp-admin, then right-click on your .htaccess file.
7) Then click on Edit
8) For the encoding pop-up, click on Edit again to bypass that.
9) Copy all the code in the .htaccess file.
10) While you still have the /wp-admin/.htaccess file open, also go ahead and add the code in red:

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user

Note: Now make sure to save the /wp-admin/.htaccess file with the added code in it. Because on the next step you'll just be editing the /public_html/.htaccess file.

11) From the left-hand directory listing, click on public_html.
12) Right-click on your .htaccess file, then click on Edit.
13)Now paste the .htaccess code you copied (from wp-admin), in-between some <FilesMatch> tags, so that it ends up looking like this:

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>

14)Then click on Save Changes up at the top-right.

 


Final Code Review:

/public_html/wp-admin/.htaccess

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</files>

AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user

/public_html/.htaccess

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user </FilesMatch>

  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

Preventing Wordpress Brute Force Attacks

Since users are no longer using Wordpress as simply a blogging solution, there isn't as much...

Optimizing WordPress with Super Cache plugin

WP Super Cache can help optimize your WordPress website. WP Super Cache will enable your website...

Disabling the wp-cron.php in WordPress

WordPress uses a file called wp-cron.php as a virtual cron job, or scheduled task in order to...