How to protect wp-login.php using .htaccess and .htpasswd?
If you own or maintain a WordPress based website you might or might not be aware that the wp-login.php page in your root directory and the wp-admin directory are under constant attacks by malicious bots. This tutorial will show you how to password protect the wp-login.php file through the use of .htaccess and .htpasswd.
A quick side note before I continue - to improve your website’s security create a new administrator account, a non-standard username. Once that is done, delete the admin account. WordPress will automatically resign all posts and pages to any other user of your choosing.
For this primer, we will assume that your WordPress installation is in the root directory of your website. With most shared web hosting companies the path to your account’s web directory will be something similar to /home/client_account_id/public_html, where public_html is the web root directory. To view the exact path SSH into your hosted account and executing pwd, short for print working directory.
We first need to create the .htpasswd file. Its location will be a reference in the .htaccess file. The .htpasswd file contains user names and associated passwords, e.g. blogauthor:$apr1$3nrIFoap$ALevsl/jGukCi7jtDtb/c.. These will be used to authenticate when trying to access wp-login.php. Or the wp-admin directory, which will redirect you to wp-login.php if you do not already have an established user session. Hopefully you have SSH access to your hosting account, alternatively, you can create the file on your Mac and then upload it. For last resort, most commercial shared hosting accounts come with some version of a control panel which will allow you to create a password file. Or you can also use one of the many web-based htpasswd tools.
To create a new .htpasswd file for user name blogauthor executing the following command in the terminal - htpasswd -c .htpasswd blogauthor. Htpasswd is a built-in *nix utility. If there is already an existing .htpasswd file and you just want to add a new user to the file then simply omit the -c directive, e.g. htpasswd .htpasswd blogeditor.
If you are able to store the .htpasswd file outside of your web root directory then, by all means, keep the name, but if you have to store the file into a web accessible directory, then it should be named something different. This is done to increase security by preventing someone from trying directly to access the file. The file name and its location will be referenced in the .htaccess file, so the name does not exactly matter.
The .htaccess file can come very handy when trying to control various elements of a visitor’s experience for specific areas of a website, or when rendering a page’s content for a search engine.
To create a .htaccess file authenticate with the hosting server via SSH. Navigate to the directory which you want to protect, or in this case the one which serves the wp-login.php file. For this tutorial’s environment that directory is the root web directory - public_html.
Use Vi to create .htaccess by executing the following command - vi .htaccess. To enter edit mode simply press asterisks(8)+i. Now simply copy and paste the text below. Once you have pasted the text press Control+C to exit edit mode. To finalize the edit you have to write your changes to the file. To do that type :wq+Return. The colon switches modes in Vi to where you can enter command directed to Vi.
# Stop bots from knocking on wp-login.php <files wp-login.php> AuthName “Login Required" AuthType Basic AuthUserFile /home/client_account_id/.htpasswd require valid-user </files>
The files directive instructs Apache to execute the encapsulated instructions only when someone is trying to access the wp-login.php file. The AuthName is a message which will be displayed on the login prompt. Most importantly, AuthUserFile points to the location of your .htpasswd file, which we created earlier.
Once you have completed the above steps you should have a layout similar to the one below:
/home/client_account_id/.htpasswd /home/client_account_id/public_html/.htaccess /home/client_account_id/public-html/wp-login.php
Now, when visiting your WordPress dashboard, you should see a login prompt similar to the one below before being able to access the standard WordPress login page.