{"id":2139,"date":"2014-11-11T10:50:44","date_gmt":"2014-11-11T08:50:44","guid":{"rendered":"http:\/\/www.extradrm.com\/?p=2139"},"modified":"2014-11-11T11:09:38","modified_gmt":"2014-11-11T09:09:38","slug":"password-protect-wordpress-logins","status":"publish","type":"post","link":"http:\/\/www.extradrm.com\/?p=2139","title":{"rendered":"Password protect WordPress logins"},"content":{"rendered":"

Using the steps below, I’ll show you how to create password protection for your \/wp-admin directory. We’ll also copy those rules over to protect your wp-login.php script to keep WordPress as safe as possible.<\/p>\n

If you get a redirect loop, make sure you have these ErrorDocument tags in your .htaccess file:<\/p>\n

ErrorDocument 401 “Denied”<\/strong>
\n ErrorDocument 403 “Denied”<\/strong><\/p>\n

Please also make sure to allow \/wp-admin\/admin-ajax.php requests without password protection.<\/p>\n

click on password protect directories<\/p>\n

Under the Security section, click on Password Protect Directories.
\nselect document root click goSelect the Document Root for your domain, then click Go.
\nclick on wp adminClick on your wp-admin directory.
\ncheck password protect name directory click save<\/p>\n

Check Password protect this directory, give it a name, then click Save.
\nclick go backNow click on Go Back.
\nclick on password generator and use passwordClick on Password Generator.<\/strong><\/p>\n

\"click-on-password-generator-and-use-password\"<\/a>
\nClick on Generate Password a few times, and copy your password.
\nCheck I have copied this password in a safe place.
\nThen click Use Password.
\nclick on add authorized userNow type in a Username, then click on Add\/modify authorized user.
\nauthentication required click on log inTry to access your \/wp-admin directory.
\nYour browser will prompt you for the password you just created.
\nType in your username \/ password, and click Log In
\nwordpress admin click on log inYour normal WordPress admin login page should now display.<\/p>\n

You may encounter a re-direct loop at this point. If so, please ensure you’ve created the error documents mentioned earlier.
\nclick on file manager and goNow go back to cPanel.
\nUnder the Files section, click on File Manager.
\nSelect the Document Root for your domain.
\nCheck Show Hidden Files (dotfiles), then click Go.<\/strong><\/p>\n

\"click-on-file-manager-and-go\"<\/a>
\nclick on wp admin and edit htaccess fileFrom the left-hand directory listing, expand public_html.
\nClick on wp-admin, then right-click on your .htaccess file.
\nThen click on Edit
\nFor the encoding pop-up, click on Edit again to bypass that.
\ncopy htaccess text<\/p>\n

Copy all the code in the .htaccess file.<\/p>\n

While you still have the \/wp-admin\/.htaccess file open, also go ahead and add the code before AuthType Basic :<\/p>\n

ErrorDocument 401 \"Denied\"\r\nErrorDocument 403 \"Denied\"\r\n\r\n# Allow plugin access to admin-ajax.php around password protection\r\n<Files admin-ajax.php>\r\nOrder allow,deny\r\nAllow from all\r\nSatisfy any\r\n<\/Files>\r\n\r\nAuthType Basic\r\nAuthName \"Secure Area\"\r\nAuthUserFile \"\/home\/example\/.htpasswds\/public_html\/wp-admin\/passwd\"\r\nrequire valid-user<\/pre>\n
Now make sure to save the \/wp-admin\/.htaccess file with the added code in it. Because on the next step you’ll just be editing the \/public_html\/.htaccess file.
\nclick on public_html and edit htaccess fileFrom the left-hand directory listing, click on public_html.
\nRight-click on your .htaccess file, then click on Edit.
\nsave public_html htaccess file<\/p>\n
Now paste the .htaccess code you copied, in-between some <FilesMatch> tags, so that it ends up looking like this:<\/p>\n
ErrorDocument 401 \"Denied\"\r\nErrorDocument 403 \"Denied\"\r\n\r\n<FilesMatch \"wp-login.php\">\r\nAuthType Basic\r\nAuthName \"Secure Area\"\r\nAuthUserFile \"\/home\/example\/.htpasswds\/public_html\/wp-admin\/passwd\"\r\nrequire valid-user\r\n<\/FilesMatch><\/pre>\n
Then click on Save Changes up at the top-right.<\/p>\n
Code review<\/h2>\n
You should now have the \/wp-admin\/.htaccess file that password protects the \/wp-admin directory. You then copied that same password protection over to just your main .htaccess file, so that it can also password protect your wp-login.php script directly as well.<\/strong><\/p>\n
\/public_html\/wp-admin\/.htaccess<\/p>\n
ErrorDocument 401 \"Denied\"\r\nErrorDocument 403 \"Denied\"\r\n\r\n# Allow plugin access to admin-ajax.php around password protection\r\n<Files admin-ajax.php>\r\nOrder allow,deny\r\nAllow from all\r\nSatisfy any\r\n<\/files>\r\n\r\nAuthType Basic\r\nAuthName \"Secure Area\"\r\nAuthUserFile \"\/home\/example\/.htpasswds\/public_html\/wp-admin\/passwd\"\r\nrequire valid-user<\/pre>\n
\/public_html\/.htaccess<\/p>\n
ErrorDocument 401 \"Denied\"\r\nErrorDocument 403 \"Denied\"\r\n\r\n<FilesMatch \"wp-login.php\">\r\nAuthType Basic\r\nAuthName \"Secure Area\"\r\nAuthUserFile \"\/home\/example\/.htpasswds\/public_html\/wp-admin\/passwd\"\r\nrequire valid-user <\/FilesMatch><\/pre>\n
 <\/p>\n
Step test : Now if someone tries to directly login via wp-login.php they will be prompted for a valid user as well.<\/p>\n
\"wp-login-bad-password-attempt\"<\/a><\/p>\n
When a user enters invalid credentials are, they will get an Authorization Required error. They will then not be able to attempt to login to your WordPress admin directly.<\/p>\n
\"wp-login-bad-password-attempt-blocked\"<\/a><\/p>\n
You should now know how to requre a username and password before an attempt to directly login to WordPress is even allowed. This will help to protect your WordPress website from unauthroized login attempts.<\/p>\n","protected":false},"excerpt":{"rendered":"
Using the steps below, I’ll show you how to create password protection for your \/wp-admin directory. We’ll also copy those rules over to protect your wp-login.php script to keep WordPress as safe as possible....<\/p>\n","protected":false},"author":1,"featured_media":2842,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[31,6],"tags":[],"youtube_video":null,"_links":{"self":[{"href":"http:\/\/www.extradrm.com\/index.php?rest_route=\/wp\/v2\/posts\/2139"}],"collection":[{"href":"http:\/\/www.extradrm.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.extradrm.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.extradrm.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.extradrm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2139"}],"version-history":[{"count":0,"href":"http:\/\/www.extradrm.com\/index.php?rest_route=\/wp\/v2\/posts\/2139\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.extradrm.com\/index.php?rest_route=\/wp\/v2\/media\/2842"}],"wp:attachment":[{"href":"http:\/\/www.extradrm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.extradrm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2139"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.extradrm.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}