How to password protect the WordPress login and admin page?

Securing a WordPress site is essential and ultimately a key to success. You don’t want your site to be hacked or to fall into someone else’s hands.

WordPress now powers almost 27% of the world, and the majority of self-hosted blogs are hosted with a hosting provider’s cPanel account.

Bluehost, Hostgator and Inmotion Hosting are the top 3 and very popular hosting companies out there for WordPress. We also started with Bluehost a long time back and now have a semi-dedicated hosting service from Squidix.

In this tutorial we will go over how to secure your WordPress login page by adding one more password in front of it. Even before the login page loads, the user has to enter this additional password to see it.

Let’s get started on:

  • How to protect the WP-ADMIN URL with .htaccess?
  • How to avoid a WordPress Brute Force Attack?
  • Prevent Brute Force Attacks on the WordPress Login page.

1. Log in to cPanel

Once you log in to your cPanel account, go to the Files section and click on File Manager.

2. Enable Hidden Files

Clicking on File Manager will open a new window. Click on the Settings button in the top-right corner and tick the Show Hidden Files (dotfiles) checkbox.

You will now be able to see all dotfiles.

3. Create .wpadmin file

Click on the +File link in the top-left corner. Enter the new file name .wpadmin and click on the Create New File button.

This will create the file at /home/<username>/.wpadmin.

4. Create secure username and password

  • Go to http://www.htaccesstools.com/htpasswd-generator/
  • Enter a Username and Password
  • Click on the Create .htpasswd file button
  • You will see username and password combination like this: crunchify:$apr1$h8xkWbnp$21u14Jpd3s/VSfD0.6LOA.

5. Edit .wpadmin file

  • Go to File Manager
  • Select file .wpadmin
  • Click on the Edit button at the top
  • Paste the username and password combination from step 4 into your .wpadmin file
  • Save file

6. Create .htaccess file under home directory

At the same level as .wpadmin, create one more file named .htaccess and put the content below into it. The file should be created at /home/<username>/.htaccess.

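    # Custom messages for failed authentication (401) and denied access (403)
    ErrorDocument 401 "Sorry. Unauthorized Access. You are not allowed to access /wp-admin/ page."
    ErrorDocument 403 "Forbidden"
    # Ask for the extra HTTP Basic credentials before wp-login.php is served
    <FilesMatch "wp-login.php">
    AuthName "Authorized Only"
    AuthType Basic
    # Credentials file created in steps 3 to 5
    AuthUserFile /home/username/.wpadmin
    Require valid-user
    </FilesMatch>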

Make sure to replace username in the AuthUserFile path with your cPanel username. This .htaccess file is different from your blog’s root .htaccess file.

And that’s it.

After all the above steps, just visit your site’s wp-admin URL to verify: http://example.com/wp-admin/.

You need to enter the username and password you created in step 4. They are different from your WordPress user’s username and password combination.
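The entry from step 4 can also be produced offline, so the password is never typed into a third-party website. The following is an added example, not code from the original article: it implements Apache's `$apr1$` MD5-crypt format shown in step 4 and checks a password against a `.wpadmin` line; the function names and the sample passphrase are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, length):
    # Emit `length` 6-bit groups of `value`, least significant group first.
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(length))

def apr1_hash(password, salt):
    """Apache's $apr1$ variant of MD5-crypt: 1000 rounds, salt of up to 8 chars."""
    pw, s = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    for i in range(len(pw), 0, -16):          # mix in the alternate digest
        ctx.update(alt[:min(16, i)])
    i = len(pw)
    while i:                                  # one byte per bit of the length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                     # stretching rounds
        block = pw if r & 1 else final
        block += (s if r % 3 else b"") + (pw if r % 7 else b"")
        final = hashlib.md5(block + (final if r & 1 else pw)).digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    return "$apr1$" + s.decode() + "$" + out + _to64(final[11], 2)

def make_entry(user, password):
    """Build one .wpadmin line locally with a fresh random 8-character salt."""
    if ":" in user:
        raise ValueError("username must not contain ':'")
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return user + ":" + apr1_hash(password, salt)

def check_entry(line, password):
    """Return True if `password` matches a user:$apr1$salt$hash line."""
    stored = line.strip().partition(":")[2]
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False                          # not an $apr1$ entry
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)

if __name__ == "__main__":
    entry = make_entry("crunchify", "constructed-sample-passphrase")  # constructed input
    print(entry, check_entry(entry, "constructed-sample-passphrase"))
```

Where shell access is available, Apache's own `htpasswd -B` writes a bcrypt entry, which Apache 2.4 accepts in the same file and which is stronger than the MD5-based `$apr1$` format.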
