Using the steps below, I'll show you how to create password protection for your /wp-admin directory. We'll also copy those rules over to protect your wp-login.php script to keep WordPress as safe as possible.
Step 1: Securing wp-admin Directory
1) Log in to your cPanel.
2) Under the Security section, click on Password Protect Directories.
3) Select the Document Root for your domain, then click Go.
4) Click on your wp-admin directory.
5) Check Password protect this directory, give it a name, then click Save.
6) Now click on Go Back.
7) Click on Password Generator.
8) Click on Generate Password a few times, and copy your password.
9) Check I have copied this password in a safe place.
10) Then click Use Password.
11) Now type in a Username, then click on Add/modify authorized user.
12) Try to access your /wp-admin directory.
Your browser will prompt you for the password you just created.
Type in your username and password, then click Log In.
13) Your normal WordPress admin login page should now display.
14) If you don't get your normal WordPress login page, you need to add this code to your .htaccess file:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
To edit your .htaccess file:
1) Go to cPanel
2) Under the Files section, click on File Manager.
3) Select the Document Root for your domain.
4) Check Show Hidden Files (dotfiles), then click Go.
5) Locate the .htaccess file in the File Manager.
6) Then click on Edit.
7) For the encoding pop-up, click on Edit again to bypass that.
8) Add the required code (the two ErrorDocument lines shown above).
9) Hit Save.
Now load the wp-admin page again and check whether the login page appears.
Step 2: Securing wp-login.php Page
1) Go to cPanel
2) Under the Files section, click on File Manager.
3) Select the Document Root for your domain.
4) Check Show Hidden Files (dotfiles), then click Go.
5) From the left-hand directory listing, expand public_html.
6) Click on wp-admin, then right-click on your .htaccess file.
7) Then click on Edit
8) For the encoding pop-up, click on Edit again to bypass that.
9) Copy all the code in the .htaccess file.
10) While you still have the /wp-admin/.htaccess file open, also go ahead and add the code in red:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
# Allow plugin access to admin-ajax.php around password protection
# (Order/Allow/Satisfy are Apache 2.2 directives; Apache 2.4 needs mod_access_compat for them)
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
Note: Make sure to save the /wp-admin/.htaccess file with the added code in it, because in the next step you'll be editing only the /public_html/.htaccess file.
11) From the left-hand directory listing, click on public_html.
12) Right-click on your .htaccess file, then click on Edit.
13) Now paste the .htaccess code you copied (from wp-admin) in between <FilesMatch> tags, so that it ends up looking like this:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
14) Then click on Save Changes up at the top-right.
Final Code Review:
/public_html/wp-admin/.htaccess
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
/public_html/.htaccess
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
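The check below is an added example, not part of the original tutorial: a small Python linter for the document-root .htaccess that flags the mistakes this procedure is prone to, namely auth directives pasted outside <FilesMatch> (which password-protects the whole site), a closing tag that is missing or not on its own line, and a missing ErrorDocument 401. The function name lint_root_htaccess and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample input: /public_html/.htaccess as shown in the final review.
ROOT_HTACCESS = """\
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
"""
AUTH = ("authtype", "authname", "authuserfile", "require")

def lint_root_htaccess(text):
    """Return a list of problems found in the document-root .htaccess (hypothetical helper)."""
    problems, section, gated, codes = [], None, False, set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r'<(Files(?:Match)?)\s+"?([^">]+)"?\s*>', line, re.I)
        closed = re.fullmatch(r"</(Files(?:Match)?)\s*>", line, re.I)
        if opened:      # remember which container we are inside
            section = (opened.group(1).lower(), opened.group(2))
        elif closed:
            if section is None or closed.group(1).lower() != section[0]:
                problems.append(f"line {n}: unexpected {line}")
            section = None
        elif "</" in line:   # e.g. 'require valid-user </FilesMatch>'
            problems.append(f"line {n}: closing tag must be on its own line")
        else:
            word = line.split()[0].lower()
            if word == "errordocument":
                codes.update(line.split()[1:2])
            elif word in AUTH and section is None:
                problems.append(f"line {n}: {word} outside <FilesMatch> protects the whole site")
            elif (word == "require" and section[0] == "filesmatch"
                  and re.search(section[1], "wp-login.php")):
                gated = True
    if section:
        problems.append(f"<{section[0]}> is never closed")
    if not gated:
        problems.append("wp-login.php is not covered by 'require valid-user'")
    if "401" not in codes:
        problems.append('ErrorDocument 401 "Denied" is missing')
    return problems
```

An empty list means the file matches the layout in the final review.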