Quick Steps:
- First, create an .htpasswd file.
- Edit .htccess to restrict wp-login access to only username and passwords defined in .htpasswd file.
- Flush your browser cache.
You can utilize .htaccess rules to password protect your wp-login.php file from brute force login attempts. The process will require an additional layer of security (additional username & password) in order to access the WordPress login.
Step 1.
In your cPanel file browser, navigate to the top level “home” directory. You’ll want to create a file called .htpasswd (dot htpasswd). Inside of this file, you will need to put a basic username & password in the format like so: username:password (be sure to put the : between the username & password)
Step 2.
Next, you will want to navigate to your public_html directory, or the directory where your WordPress installation is located. This will be the same directory where your wp-login.php file is located. Locate the file named .htaccess and click Code Edit. If you cannot file the .htaccess file, you will need to click the “Settings” button in the top right corner of the File Manager. Next, select Show Hidden Files and save.
# This will make the .htaccess file visible. You will want to add the lines below to your .htaccess file.
#Protect WP Login ErrorDocument 401 "Unauthorized Access" ErrorDocument 403 "Forbidden" <FilesMatch "wp-login.php"> AuthName "Authorized Access Only" AuthType Basic AuthUserFile /home/.htpasswd require valid-user </FilesMatch>
You can now save your htaccess file with the code shown above. Now, when you browse to your wp-admin or wp-login, you will be prompted for a username & password. Please note, this method is not meant to be a high level of security in regards to the username & password being located in plaint text inside of a file – the purpose of this method is to simply prevent bots & users from being able to directly access the WordPress login form.