Protect WordPress wp-admin / wp-login.php server wide

With WordPress, the wp-login.php and as a result wp-admin pages are always under attack. To protect the backend of WordPress using an unique username (dont use admin or other simple names) and a strong password of course is the first line of defense. Next well … keeping wordpress up to date, then well…. plugins to add in many related security items (but adds overhead), then well… moving wp-config.php. OK OK so there are many things to secure the site. This is for a simple way to protect the wp-admin and wp-login.php page from basic bot attacks.

This method will display a basic http auth page when access wp-admin or wp-login.php. This greatly cuts down on server resource usage and will greatly stop most all malicious bot activity trying to brute force login. This can be used server wide in an include to protect many sites, or used for just 1 site. (But if you want it for just 1 site, if you are using a control panel most likely it has some soft of built in tool to do this for you)

In an Include file for apache add:

#Protect wp-login

<Files wp-login.php>

AuthType basic
AuthName “Human Check – U: example P: examplepass”
AuthBasicProvider file
AuthUserFile /home/.htpasswd
Require valid-user

errordocument 401 default
errordocument 403

default #End protect wp-login.php

This is a basic .htpasswd setup. The things to change would be where the AuthUserFile is located if you do not want to place it at /home/htpasswd . This should not be in the document root of the site.

Then the .htpasswd file needs to be generated.

On a cPanel based server:

ea3: /usr/local/apache/bin/htpasswd -c /path/to/.htpasswd $USERNAME ea4: /usr/bin/htpasswd -c /path/to/.htpasswd $USERNAME

For other server types you just need to find the path to the htpasswd binary if it is not in one of those locations. This will prompt for a password after the user is given. If you need to add more usernames:

path/to/htpasswd /path/to/.htpasswd $USERNAME

Multiple people could share the same login for this, this way that aspect is simple to remember, but bots will not have much impact. This does not change the actual wp-admin or wp-login.php aspects though. After the first login a user will still have the normal login screen and have to provide a normal valid wordpress user to get in.

Leave a Reply

Your email address will not be published. Required fields are marked *