This guide was written in response to the WordPress wp-login.php brute force attack of April 2013.
Password protect WordPress logins

Using the steps below, I’ll show you how to create password protection for your /wp-admin directory. We’ll also copy those rules over to protect your wp-login.php script to keep WordPress as safe as possible.
If you get a redirect loop, make sure you have these ErrorDocument tags in your .htaccess file:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
Please also make sure to allow /wp-admin/admin-ajax.php requests without password protection.
- Under the Files section, click on Directory Privacy.
- Click the Settings button.
- In the pop-up box, select your domain in the drop-down menu labelled Document Root, then click Save Changes.
- Click on the text, not the folder icon, for your wp-admin directory.
- Check Password protect this directory, give it a name, then click Save.
- Now click on Go Back.
- Under the Create User section, input a user name and then click on Password Generator.
- In the pop-up mini-window copy the given password, and then check I have copied this password in a safe place. Then click Use Password.
- Now click on Save.
- Click on Go Back.
- Try to access your /wp-admin directory. Your browser will prompt you for the password you just created. Type in your username / password, and click Log In.
- Your normal WordPress admin login page should now display.
- Now go back to cPanel. Under the Files section, click on File Manager.
- Click the Settings button.
- Then select the Document Root for your domain, and check Show Hidden Files (dotfiles). Finally, click Save.
- From the left-hand directory listing, expand public_html. Click on wp-admin, then right-click on your .htaccess file. Then click on Code Edit. For the encoding pop-up, click on Edit again to bypass that.
Copy all the code in the .htaccess file.
While you still have the /wp-admin/.htaccess file open, also go ahead and add the following lines (the error documents and the admin-ajax.php exception):
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
You may encounter a re-direct loop at this point. If so, please ensure you’ve created the error documents mentioned earlier.
Now make sure to save the /wp-admin/.htaccess file with the added code in it, because in the next step you’ll be editing only the /public_html/.htaccess file.
From the left-hand directory listing, click on public_html. Right-click on your .htaccess file, then click on Edit.
You should now have a /wp-admin/.htaccess file that password protects the /wp-admin directory. You have also copied that same password protection into your main /public_html/.htaccess file, so that it password protects your wp-login.php script directly as well.
/public_html/.htaccess

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
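For reference, here is what the finished /public_html/.htaccess looks like once everything is in place. This is an added example, not the listing from the original article or InMotion Hosting's own file: it combines the two ErrorDocument lines and the admin-ajax.php exception from the steps above with a `<Files wp-login.php>` container holding the Basic-auth directives that cPanel wrote into /wp-admin/.htaccess when you enabled Directory Privacy. The AuthName text and the AuthUserFile path are placeholders; copy the real values from your own /wp-admin/.htaccess.

```apache
# /public_html/.htaccess (added example, not the original article's listing)

# Plain-text responses for authentication failures. Without these, Apache tries
# to serve an error page that is itself behind the password prompt, which is
# what produces the redirect loop mentioned in the article.
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Require the cPanel-created username and password before wp-login.php runs at
# all, so brute-force attempts never reach WordPress. The four lines inside
# this block are the ones cPanel generated in /wp-admin/.htaccess; the
# AuthName and AuthUserFile values below are placeholders.
<Files wp-login.php>
    AuthType Basic
    AuthName "EXAMPLE_PROTECTED_NAME"
    AuthUserFile "/home/EXAMPLE_USER/.htpasswds/public_html/wp-admin/passwd"
    Require valid-user
</Files>

# Allow plugin access to admin-ajax.php around password protection.
# Front-end plugins call admin-ajax.php for anonymous visitors; "Satisfy any"
# means the Allow rule alone is enough, so no credentials are requested.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

# Your existing WordPress rewrite rules (# BEGIN WordPress ... # END WordPress)
# stay below this point, unchanged.
```

To check the result, open yoursite/wp-login.php in a private browser window: you should get the browser's username/password prompt before the WordPress login form appears, and cancelling it should show the plain "Denied" text rather than looping. Then open yoursite/wp-admin/admin-ajax.php directly: it should respond (WordPress normally answers "0") without any password prompt, which confirms plugins that rely on it will keep working for visitors. Order, Allow and Satisfy are Apache 2.2-style directives; Apache 2.4 accepts them only when mod_access_compat is loaded, which cPanel servers typically do.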
You should now know how to require a username and password before an attempt to log in directly to WordPress is even allowed. This will help to protect your WordPress website from unauthorized login attempts.