Pixabay - Brute Force - soldiers

Bulletproof Your Website: Enhancing WordPress Security with File System Protection for Login

Your website is a huge part of your identity. When it comes to protecting your identity, is there ever enough security? Well, it depends.

This article is going to explain how to add a host hardening layer of protection by password protecting the WordPress login script, the “wp-login.php” file — all for free.

To better understand the task at hand, “wp-login.php” is a special login script associated with logging into WordPress. A brute force “password knowledge” attack is going to start by navigating to “www.yourdomain.com/wp-login.php”. Once there, the attacker will have the option of logging directly into your WordPress host.

As with any lock, the goal here is to make it just a little more difficult for the attacker. In this case, we’ll password protect the WordPress php login script itself. In this way, the attacker will have to circumvent the file system’s password protection before even being presented the opportunity of circumventing wp-login. It is just yet another step to reduce the number of driveby attacks.

Here are the steps to wrapping wp-login.php with file system protection:

1. Update .htpasswd file

The .htpasswd file is the password repository. For those familiar with Unix based systems, it is similar in structure to the old school /etc/passwd file, with each line affiliated with a single user. Here’s the process to create or update the .htpasswd file.

a. Identify base location for .htpasswd file

This is a rather simple but vital step. You can use a tool to identify the .htaccess base location. Place the following code in a php file (such as “path.php“) in the directory structure wherever .htaccess should be placed.

$dir = dirname(__FILE__); # NOTE double underscores on either side of FILE
echo "<p>Path to this directory: " . $dir . "</p>";
echo "<p>Path to .htpasswd file: " . $dir . "/.htpasswd" . "</p>";

Then execute the php code from a web browser like Chrome:


The output will resemble

Path to this directory: /home/<sitename>/public_html
Path to .htpasswd file: /home/<sitename>/public_html/.htpasswd

b. Create .htpasswd file

There are many options available on the internet or even downloadable applications. You might need to google “htpasswd generator”. Here is one option: http://www.htaccesstools.com/htpasswd-generator/

Create at least one username and password pair. I’ve used “special-username” as my login name. The file is going to look something like this:


c. Upload .htpasswd file appropriately

Upload or create the file in the .htaccess folder.

2. Update .htaccess file

The second step is to update .htaccess to leverage .htpasswd when accessing “wp-login.php” file.

Add the following code to the root .htaccess file. Be sure to:

  • Change “special-username” to your special user name, and
  • Change the “AuthUserFile” reference to the appropriate .htpasswd directory.
# BEGIN: Protect wp-login
<Files wp-login.php>
AuthUserFile /home/marksatterfield/public_html/.htpasswd
AuthName "Please enter your username & password exactly like that"
AuthType Basic
require user special-username

ErrorDocument 401 default
# END: Protect wp-login

3. Test & common problems

Finally, test the configuration more than once before closing up shop and logging out. Use an Incognito browser, make sure only wp-login is protected.

If anything goes wrong, just comment out or remove the changes in .htaccess, and try again.

Common problems include:

  • Not matching “username” between htpasswd and htaccess. Remember to use the same username.
  • Incorrect AuthUserFile. Be certain that the AuthUserFile reference actually points to htpasswd file.