Computer security WordPress

WordPress host hardening: password protect wp-login

This article explains adding an additional password to the wp-login.php file. Every user will have to enter a secondary password before retrieving wp-login.

Your website is a huge part of your identity. When it comes to protecting your identity, is there ever enough security? Well, it depends.

This article is going to explain how to add a host hardening layer of protection by password protecting the WordPress login script, the “wp-login.php” file — all for free.

To better understand the task at hand, “wp-login.php” is a special login script associated with logging into WordPress. A brute force “password knowledge” attack is going to start by navigating to “”. Once there, the attacker will have the option of logging directly into your WordPress host.

As with any lock, the goal here is to make it just a little more difficult for the attacker. In this case, we’ll password protect the WordPress php login script itself. In this way, the attacker will have to circumvent the file system’s password protection before even being presented the opportunity of circumventing wp-login. It is just yet another step to reduce the number of driveby attacks.

Here are the steps to wrapping wp-login.php with file system protection:

1. Update .htpasswd file

The .htpasswd file is the password repository. For those familiar with Unix based systems, it is similar in structure to the old school /etc/passwd file, with each line affiliated with a single user. Here’s the process to update the .htpasswd file.

a. Create .htpasswd file

There are many options available on the internet or even downloadable applications. Here is one option:

Create at least one username and password pair. The file is going to look something like this:


b. Identify base location for .htpasswd file

This is a rather simple but vital step. You can use this tool to identify base location for .htpasswd:

The .htpasswd Full Path is going to resemble

Full path to a .htpasswd file in this dir: /home/mywww/public_html/.htpasswd 

c. Upload .htpasswd file appropriately

Once the .htpasswd file has been generated and the target location has been identified, upload .htpasswd file to that directory. An appropriate location is the root directory, for example:

2. Update .htaccess file

The second step is to update .htaccess to leverage .htpasswd when accessing “wp-login.php” file.

Add the following code to the root .htaccess file. Be sure to change the “user” to your “special-user-name”, and change the “AuthUserFile” reference to identify .

# Protect wp-login
<Files wp-login.php>
AuthUserFile /home/mywww/public_html/.htpasswd
AuthName "Please enter your username & password exactly like that"
AuthType Basic
require user special-user-name

ErrorDocument 401 default

3. Test wp-login

Finally, test the configuration more than once before closing up shop and logging out. Use an Incognito browser, make sure only wp-login is protected.

If anything goes wrong, just comment out the changes in .htaccess, and try again.


Leave a Reply