Your website is a huge part of your identity. When it comes to protecting your identity, is there ever enough security? Well, it depends.
This article is going to explain how to add a host hardening layer of protection by password protecting the WordPress login script, the “wp-login.php” file — all for free.
To better understand the task at hand, “wp-login.php” is a special login script associated with logging into WordPress. A brute force “password knowledge” attack is going to start by navigating to “www.yourdomain.com/wp-login.php”. Once there, the attacker will have the option of logging directly into your WordPress host.
As with any lock, the goal here is to make it just a little more difficult for the attacker. In this case, we’ll password protect the WordPress php login script itself. In this way, the attacker will have to circumvent the file system’s password protection before even being presented the opportunity of circumventing wp-login. It is just yet another step to reduce the number of driveby attacks.
Here are the steps to wrapping wp-login.php with file system protection:
1. Update .htpasswd file
The .htpasswd file is the password repository. For those familiar with Unix based systems, it is similar in structure to the old school /etc/passwd file, with each line affiliated with a single user. Here’s the process to update the .htpasswd file.
a. Create .htpasswd file
There are many options available on the internet or even downloadable applications. Here is one option: http://www.htaccesstools.com/htpasswd-generator/
Create at least one username and password pair. The file is going to look something like this:
b. Identify base location for .htpasswd file
This is a rather simple but vital step. You can use this tool to identify base location for .htpasswd: http://www.htaccesstools.com/articles/full-path-to-file-using-php/
The .htpasswd Full Path is going to resemble
Full path to a .htpasswd file in this dir: /home/mywww/public_html/.htpasswd
c. Upload .htpasswd file appropriately
Once the .htpasswd file has been generated and the target location has been identified, upload .htpasswd file to that directory. An appropriate location is the root directory, for example:
2. Update .htaccess file
The second step is to update .htaccess to leverage .htpasswd when accessing “wp-login.php” file.
Add the following code to the root .htaccess file. Be sure to change the “user” to your “special-user-name”, and change the “AuthUserFile” reference to identify .
# Protect wp-login <Files wp-login.php> AuthUserFile /home/mywww/public_html/.htpasswd AuthName "Please enter your username & password exactly like that" AuthType Basic require user special-user-name </Files> ErrorDocument 401 default
3. Test wp-login
Finally, test the configuration more than once before closing up shop and logging out. Use an Incognito browser, make sure only wp-login is protected.
If anything goes wrong, just comment out the changes in .htaccess, and try again.
- Password Protect wp-login.php,https://codex.wordpress.org/Brute_Force_Attacks#Password_Protect_wp-login.php
- How to Password Protect Your WordPress Admin (wp-admin) Directory,https://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
If you have any questions or comments on this article please leave me a note by clicking here.