Password protect WordPress logins

Using the steps below, I’ll show you how to create password protection for your /wp-admin directory. We’ll also copy those rules over to protect your wp-login.php script to keep WordPress as safe as possible.

If you get a redirect loop, make sure you have these ErrorDocument tags in your .htaccess file:

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

Please also make sure to allow /wp-admin/admin-ajax.php requests without password protection.

Under the Security section, click on Password Protect Directories.
Select the Document Root for your domain, then click Go.
Click on your wp-admin directory.

Check Password protect this directory, give it a name, then click Save.
Now click on Go Back.
Click on Password Generator.
Click on Generate Password a few times, and copy your password.
Check I have copied this password in a safe place.
Then click Use Password.
Now type in a Username, then click on Add/modify authorized user.
Try to access your /wp-admin directory.
Your browser will prompt you for the password you just created.
Type in your username / password, and click Log In.
Your normal WordPress admin login page should now display.

You may encounter a redirect loop at this point. If so, please ensure you’ve created the error documents mentioned earlier.
Now go back to cPanel.
Under the Files section, click on File Manager.
Select the Document Root for your domain.
Check Show Hidden Files (dotfiles), then click Go.
From the left-hand directory listing, expand public_html.
Click on wp-admin, then right-click on your .htaccess file.
Then click on Edit.
For the encoding pop-up, click on Edit again to bypass that.

Copy all the code in the .htaccess file.

While you still have the /wp-admin/.htaccess file open, add the following code before AuthType Basic, so that the file ends up looking like this:

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user

Now make sure to save the /wp-admin/.htaccess file with the added code in it, because in the next step you’ll be editing the /public_html/.htaccess file instead.
From the left-hand directory listing, click on public_html.
Right-click on your .htaccess file, then click on Edit.
Now paste the .htaccess code you copied, in-between some <FilesMatch> tags, so that it ends up looking like this:

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>

Then click on Save Changes up at the top-right.

Code review

You should now have the /wp-admin/.htaccess file that password protects the /wp-admin directory. You then copied that same password protection over to just your main .htaccess file, so that it can also password protect your wp-login.php script directly as well.

/public_html/wp-admin/.htaccess

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user

/public_html/.htaccess

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
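
A static check you can run on the text of either file before saving it, as an added example that is not part of the original tutorial. The helper name `lint_htaccess`, its messages and the sample input are assumptions made for illustration; it looks for typographic quotes, a section tag sharing a line with a directive, missing ErrorDocument lines, a password file inside the document root, and a missing admin-ajax.php exemption.

```python
import re

# Constructed sample: a root .htaccess with two paste mistakes
# (typographic quotes, and a closing tag fused onto the Require line).
BROKEN_ROOT = """ErrorDocument 401 \u201cDenied\u201d
ErrorDocument 403 "Denied"
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user </FilesMatch>
"""

TAG = re.compile(r"<(/?)(\w+)(?:\s[^>]*)?>")  # a section tag alone on its line

def lint_htaccess(text, docroot="/home/example/public_html", wp_admin=False):
    """Return a list of problems in a Basic-auth .htaccess (hypothetical helper)."""
    problems, stack = [], []
    lines = [s.strip() for s in text.splitlines()]
    lines = [s for s in lines if s and not s.startswith("#")]
    if re.search("[\u201c\u201d]", text):
        problems.append("typographic quotes found; Apache needs straight quotes")
    for code in ("401", "403"):  # the page ties a redirect loop to these being absent
        if not any(re.match(rf"ErrorDocument\s+{code}\s", s, re.I) for s in lines):
            problems.append(f"missing ErrorDocument {code}")
    for s in lines:  # tags must stand alone and be balanced (names are case-insensitive)
        m = TAG.fullmatch(s)
        if "<" in s and not m:
            problems.append(f"section tag shares a line with a directive: {s}")
        elif m and not m.group(1):
            stack.append(m.group(2).lower())
        elif m and (not stack or stack.pop() != m.group(2).lower()):
            problems.append(f"unmatched closing tag: {s}")
    problems += ["unclosed section"] * len(stack)
    for need in (r"AuthType\s+Basic", r"AuthName\s", r"AuthUserFile\s", r"Require\s+valid-user"):
        if not any(re.match(need, s, re.I) for s in lines):
            problems.append(f"missing directive matching {need}")
    for s in lines:  # the password file must not be fetchable over HTTP
        m = re.match(r'AuthUserFile\s+"?([^"]+)"?', s, re.I)
        if m and m.group(1).startswith(docroot.rstrip("/") + "/"):
            problems.append("AuthUserFile is inside the document root")
    if wp_admin and not (re.search(r"<Files\s+admin-ajax\.php>", text, re.I)
                         and re.search(r"^\s*Satisfy\s+any\s*$", text, re.I | re.M)):
        problems.append("admin-ajax.php is not exempted (Files + Satisfy any)")
    return problems

if __name__ == "__main__":
    for p in lint_htaccess(BROKEN_ROOT):
        print("PROBLEM:", p)
```

Pass `wp_admin=True` when checking /public_html/wp-admin/.htaccess so the admin-ajax.php exemption is required; an empty list means none of these problems were found.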

 

Test step: Now if someone tries to log in directly via wp-login.php, they will be prompted for a valid user as well.

When a user enters invalid credentials, they will get an Authorization Required error. They will then not be able to attempt to log in to your WordPress admin directly.

You should now know how to require a username and password before an attempt to directly log in to WordPress is even allowed. This will help to protect your WordPress website from unauthorized login attempts.

extradrmtech

For 30 years I have worked on database architecture and data migration protocols. I am also a consultant in web content management solutions and media protection solutions. I am an experienced web developer with over 10 years developing PHP/MySQL, C#, and VB.Net applications ranging from simple websites to extensive web-based business applications. Besides my work, I like to work freelance only on some WordPress projects because it is a relaxing and delightful CMS for me. When not working, I like to dance salsa and swing and to have fun with my little family.
