htaccess protection for WordPress – Protect the file wp-login.php from access


In this article we would like to briefly explain why it makes sense to protect your WordPress installation with the help of an .htaccess file and how this additional password protection can be set up.

Why additional password protection using the .htaccess file?

In short: additional password protection blocks access to the actual WordPress login interface, or at least makes it very difficult to reach, so that brute-force attacks are stopped before they ever get to the login form. Depending on their scope and intensity, such brute-force attacks can massively increase the number of requests to the web server and thus paralyze the site. In addition, the real risk of such attacks (namely that the password is found by trying all password variants) is minimized.

Set up an additional password query via the .htaccess file

Additional password query before the WordPress login interface

Setting up an additional password query is relatively easy. All that is needed is FTP access and a code editor to edit the .htaccess and create a new .htpasswd file (which stores the username and password).

Create the .htpasswd password file

First we create an empty file named .htpasswd in the main directory of your WordPress installation (i.e. where the .htaccess file should already be). We then download the new, currently empty file to our computer and open it in a code editor. With the help of the online htpasswd generator, we can now enter a username and password and create the content for the .htpasswd file. We copy the code into the .htpasswd file and upload it back to the web server or overwrite the existing empty file.


Screenshot: http://www.htaccesstools.com/htpasswd-generator/

Create .htaccess file

Now let’s create the code for the .htaccess file. The following code shows which lines are required. It is important to determine the actual path to your own .htpasswd file and to replace the AuthUserFile value in the code with it. To find out the path, the guide “How to find the full path to a file using PHP” can be used.

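# Require HTTP Basic authentication before wp-login.php is served
<Files wp-login.php>
AuthType Basic
AuthName "Geschützter Bereich"
# Replace with the full server path to your own .htpasswd file
AuthUserFile /path/to/.htpasswd
Require valid-user
</Files>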

Once this code has been added to the WordPress .htaccess file, this .htaccess file is uploaded to the main directory of your website as well.

If everything is set up correctly, a password prompt should now appear when you call up the WordPress login mask.
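To check which hash scheme the entries in the generated .htpasswd file use before uploading it, the following added example (not part of the original article) classifies each line by its stored format. The sample entries are constructed placeholders, and the decision about which schemes to flag as weak is an assumption of this example.

```python
import re

# (scheme name, pattern for the stored value, flagged as weak?)
# Assumption of this example: unsalted SHA-1, DES crypt and plaintext are
# flagged; salted bcrypt, apr1 and SHA-crypt entries are accepted.
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), False),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), False),
    ("sha-crypt", re.compile(r"^\$[56]\$(rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]+$"), False),
    ("sha1-unsalted", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), True),
    # A 13-character plaintext password would also match here; both are weak.
    ("des-crypt", re.compile(r"^[./A-Za-z0-9]{13}$"), True),
]

def audit_htpasswd(text):
    """Return (line number, user, scheme, weak) for each entry in an .htpasswd file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments are skipped
            continue
        user, sep, value = line.partition(":")
        if not sep or not user or not value:
            findings.append((lineno, user or "?", "malformed", True))
            continue
        for name, pattern, weak in SCHEMES:
            if pattern.match(value):
                findings.append((lineno, user, name, weak))
                break
        else:
            findings.append((lineno, user, "plaintext-or-unknown", True))
    return findings

# Constructed sample: the values only have the right shape, they are not real hashes.
SAMPLE = "\n".join([
    "# constructed entries for the example",
    "alice:$2y$10$" + "A" * 53,
    "bob:$apr1$abcdefgh$" + "B" * 22,
    "carol:{SHA}" + "D" * 27 + "=",
    "dave:ab" + "C" * 11,
    "erin:hunter2",
])

if __name__ == "__main__":
    for lineno, user, scheme, weak in audit_htpasswd(SAMPLE):
        print(f"line {lineno}: {user}: {scheme}{' (weak, regenerate)' if weak else ''}")
```

To audit a real file, pass its contents to `audit_htpasswd()`, for example `audit_htpasswd(open(".htpasswd").read())`.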
