How to protect wp-login.php using .htaccess and .htpasswd?

Bots attacking wp-login.php

If you own or maintain a WordPress based web site you might or might not be aware that the wp-login.php page in your root directory, and the wp-admin directory are under constant attacks by malicious bots. This tutorial will show you how to password protect the wp-login.php file through the use of .htaccess and .htpasswd.

A quick side note before I continue – to improve your website’s security create a new administrator account, a non-standard user name. Once that is done, delete the admin account. WordPress will automatically resign all posts and pages to any other user of your choosing.

For this primer we will assume that your WordPress installation is in the root directory of your website. With most shared web hosting companies the path to your account’s web directory will be something similar to /home/client_account_id/public_html. Where public_html is the web root directory. To view the exact path SSH into your hosted account and executing pwd, short for print working directory.

Creating .htpasswd

We first need to create the .htpasswd file. Its location will be reference in the .htaccess file. The .htpasswd file contains user names and associated passwords, e.g. blogauthor:$apr1$3nrIFoap$ALevsl/jGukCi7jtDtb/c.. These will be used to authenticate when trying to access wp-login.php. Or the wp-admin directory, which will redirect you to wp-login.php if you do not already have an established user session. Hopefully you have SSH access to your hosting account, alternatively you can create the file on your Mac and then upload it. For last resort most commercial shared hosting accounts come with some version of a control panel which will allow you to create a password file. Or you can also use one of the many web based htpasswd tools.

To create a new .htpasswd file for user name blogauthor executing the following command in the terminal – htpasswd -c .htpasswd blogauthor. Htpasswd is a build-in *nix utility. If there is already an existing .htpasswd file and you just want to add a new user to the file then simply omit the -c directive, e.g. htpasswd .htpasswd blogeditor.

If you are able to store the .htpasswd file outside your web root directory then by all means keep the name, but if you have to store the file into a web accessible directory, then it should be named something different. This is done to increase security by preventing someone from trying directly to access the file. The file name and its location will be referenced in the .htaccess file, so the name does not exactly matter.

Creating .htaccess

The .htaccess file can come very handy when trying to control various elements of a visitor’s experience for a specific areas of a website, or when rendering a page’s content for a search engine.

To create a .htaccess file authenticate with the hosting server via SSH. Navigate to the directory which you want to protect, or in this case the one which serves the wp-login.php file. For this tutorial’s environment that directory is the root web directory – public_html.

Use Vi to create .htaccess by executing the following command – vi .htaccess. To enter edit mode simply press asterisks(8)+i. Now simply copy and past the text below. Once you have pasted the text press Control+C to exit edit mode. To finalize the edit you have to write your changes to the file. To do that type :wq+Return. The colon switches modes in Vi to where you can enter command directed to Vi.

# Stop bots from knocking on wp-login.php
<files wp-login.php>
  AuthName “Login Required"
  AuthType Basic
  AuthUserFile /home/client_account_id/.htpasswd
  require valid-user

The files directive instructs Apache to execute the encapsulated instructions only when someone is trying to access the wp-login.php file. The AuthName is a message which will be displayed on the login prompt. Most importantly, AuthUserFile points to the location of your .htpasswd file, which we created earlier.

Once you have completed the above steps you should have a layout similar to the one below:


Now, when visiting your WordPress dashboard, you should see a login prompt similar to the one below before being able to access the standard WordPress login page.

Apache login prompt before accessing wp-login.php

5 responses to “How to protect wp-login.php using .htaccess and .htpasswd?”

  1. Thank you for your help, I got it done however, when I am logging out then also I am getting the same login prompt to give my password and then it logs me out, how to avoid that? Please advice.

    • Based on the setup described in the tutorial, i do not get prompted to authenticate with Apache when logging out. I simply get returned to the WordPress login page.

      • Where did you place the authentication code in .htaccess? If .htaccess
        is shared, i.e. it also contains the WordPress config, place the code above the WordPress config settings.
      • Try clearing your browsers cache and cookies to reseat any sessions, then restart the browse and try logging in and logging out again.
      • Do you use any other plugins to manage your WordPress user sessions? – If you do, try to troubleshoot by disabling them all, then start enabling them one by one.
      • Is WordPress installed in a sub-directory to the address from which you are serving the site? Are you doing any special redirects in .htaccess
        ? – This could be interfering.
      • Do you have both wireless and wired connections active on your computer? – I have seen this setup interfere with user sessions and session data.
      • If you are on a wireless connection, are you moving between wireless access points? – If you are, your IP address might be changing and this could potentially interfere, as well. Since Apache might be treating the traffic form the new IP address as a new connection!
      • Do you use privacy browser plug-ins or are you browsing in Privacy/Incognito mode? – This can also interfere.
      • It could also be your Apache config. Though, I really doubt this.

      Once you have authenticated you shouldn’t have to re-authenticate unless something is changing your browser or session state.

      Let me know if you figure out what the issue is.

  2. Not sure why; but i had to do this as described in the codex… why did i need this?:

    If you decide to lock down wp-login.php or wp-admin, you may find you get a 404 or 401 error when accessing those pages. To avoid that, you will need to add the following to your .htaccess file:
    ErrorDocument 401 default

  3. […] What the above lines do is to redirect anyone or anything that tries to login or register at wp-login.php, or access the WordPress dashboard at wp-admin, to itself. Though not the best security solution, it is a solution to deal with both. Unless, that is, someone is specifically targeting your web site and putting some effort in figuring out it structure. If this is your situation, then check out How to protect wp-login.php using .htaccess and .htpasswd? […]

Discover more from Titan Fusion

Subscribe now to keep reading and get access to the full archive.

Continue reading