Due to the increase in brute-force attacks, adding an extra layer of security to your WordPress login page is essential. By password-protecting wp-login.php, you can help prevent unauthorized login attempts.
Quick Steps:
- First, create an .htpasswd file.
- Edit .htaccess to restrict wp-login.php access to only the usernames and passwords defined in the .htpasswd file.
- Flush your browser cache.
You can use .htaccess rules to password-protect your wp-login.php file against brute-force login attempts. This adds an additional layer of security (a separate username & password) that must be supplied before the WordPress login form can be reached.
Step 1.
In your cPanel File Manager, navigate to the top-level “home” directory. Create a file called .htpasswd (dot htpasswd). Inside this file, put a username & password in the format shown below (be sure to put the : between the username & password):
Note: Make sure to create a strong, unique username and password for this additional login layer. These credentials are separate from your regular WordPress login and are only used to access the wp-login.php page. Do not reuse your WordPress account's username and password here.
username:password
Step 2.
Next, navigate to your public_html directory, or whichever directory holds your WordPress installation. This is the same directory where your wp-login.php file is located. Locate the file named .htaccess and click Code Edit. If you cannot find the .htaccess file, click the “Settings” button in the top right corner of the File Manager, select Show Hidden Files and save. This will make the .htaccess file visible.
# Add the lines below to the end of your current .htaccess file.
# Protect WP Login
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
    AuthName "Authorized Access Only"
    AuthType Basic
    AuthUserFile /home/.htpasswd
    Require valid-user
</FilesMatch>
Replace /home/.htpasswd with the full path to the .htpasswd file on your server. For example, if your username is user123, the line might look like this:
AuthUserFile /home/user123/.htpasswd
You can now save your .htaccess file with the code shown above. From now on, when you browse to wp-admin or wp-login.php, you will be prompted for a username & password. Please note, this method is not meant to be a high level of security with regard to the username & password being located in plain text inside a file – its purpose is simply to prevent bots & users from directly accessing the WordPress login form.
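The following is an added example, not code from the original article, showing what happens behind Step 1 and Step 2. The `username:password` layout above is the shape of each .htpasswd line; the `htpasswd` utility that ships with Apache fills the password field with a salted hash rather than the literal password (on Unix hosts the long-standing default is the APR1 MD5-based scheme, `$apr1$...`), and mod_auth_basic recomputes that hash from the credentials the browser sends in its `Authorization: Basic` header. The code generates such a line, then re-does the check Apache performs for a request to the protected wp-login.php. The usernames, passwords and the `basic_auth_allowed` helper are constructed for this example.

```python
"""Added example (not part of the original article): generate an .htpasswd
entry in Apache's APR1 format and re-run the check mod_auth_basic performs
for a 'Require valid-user' rule. Usernames and passwords below are made up."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> bytes:
    # crypt(3)-style base-64: least significant 6 bits first
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: bytes, salt: bytes) -> str:
    """APR1 ('$apr1$') hash as produced by `htpasswd -m` / `openssl passwd -apr1`."""
    salt = salt[:8]  # Apache uses at most 8 salt characters
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:  # mix in the alternate sum, 16 bytes per 16 bytes of password
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:  # the scheme's odd bit-walk over the password length
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for rnd in range(1000):  # key stretching: 1000 dependent MD5 rounds
        h = hashlib.md5()
        h.update(password if rnd & 1 else final)
        if rnd % 3:
            h.update(salt)
        if rnd % 7:
            h.update(password)
        h.update(final if rnd & 1 else password)
        final = h.digest()
    encoded = b"".join([
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return (MAGIC + salt + b"$" + encoded).decode()


def make_htpasswd_line(username: str, password: str) -> str:
    """One .htpasswd line: 'user:$apr1$<salt>$<hash>' with a fresh random salt."""
    if not username or ":" in username:
        raise ValueError("username must be non-empty and must not contain ':'")
    salt = "".join(secrets.choice(ITOA64.decode()) for _ in range(8))
    return f"{username}:{apr1_crypt(password.encode(), salt.encode())}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if not stored.startswith("$apr1$"):
        return False
    salt = stored[len("$apr1$"):].split("$", 1)[0]
    candidate = apr1_crypt(password.encode(), salt.encode())
    return hmac.compare_digest(candidate, stored)


def basic_header(username: str, password: str) -> str:
    """The Authorization header a browser sends after the 401 prompt."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def basic_auth_allowed(htpasswd_text: str, authorization: Optional[str]) -> bool:
    """What 'Require valid-user' amounts to for a single request (hypothetical
    helper mirroring mod_auth_basic): no/invalid header means a 401 and the
    login form is never served; a matching user and password lets it through."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user and verify_password(stored, password):
            return True
    return False


if __name__ == "__main__":
    line = make_htpasswd_line("wpguard", "correct horse battery")  # constructed
    print(line)  # paste a line of this shape into /home/<user>/.htpasswd
    print(basic_auth_allowed(line, basic_header("wpguard", "correct horse battery")))
    print(basic_auth_allowed(line, None))
```

Because each line carries its own random salt, two users with the same password get different hashes, and the file never contains the password itself; the comparison uses `hmac.compare_digest` so that a mismatch is not timing-dependent. Apache 2.4.4 and later also accept bcrypt entries (`htpasswd -B`), which are preferable to APR1 on a new install.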