Secure WordPress or wp-login.php via .htpasswd and .htaccess

Actually, I’m almost on my way to Spain and I’ve already said that I don’t have much time for a few weeks. Somehow, annoying, annoying attackers seem to smell it and force me to set up another security layer for my WordPress blog. I’ve actually wanted to do this for a long time, but to be honest I’ve forgotten it or kept pushing it away. It’s that simple and only requires creating a file called .htaccess.

My server (VPS / root server) is actually quite well secured and fail2ban works fine. The backup also purrs as it should.

wp-login.php is actually secured, but…

When I installed fail2ban, failed login attempts via wp-login.php are already active. A filter is responsible for this, which is located here /etc/fail2ban/filter.d/apache-wp-login.conf.

The stupid thing is that I woke up today and then had a bunch of emails like this: Someone requested a password reset for the following user account:

It’s not that bad, but I don’t really feel comfortable with it either. That’s why we put a stop to the hustle and bustle and protect wp-login-php with a web server-side password. In my case this is Apache.

Create .htpasswd

The .htaccess file comes with the WordPress installation and we’ll need that later. First of all you have to create a file called .htpasswd (note the dot in front of the file!) and store the user name and the hash of the desired password there.

The .htpasswd file doesn’t need to be in the root of your WordPress installation, and it’s not there for me either. It’s somewhere in the system and that’s another mystery for potential attackers. The password is not stored in plain text, but still. Well hidden is well hidden. In addition, we would later instruct Apache not to serve files of type .ht* anyway.

You can generate the corresponding entry via If you don’t trust the peace, there are also instructions there on how to create the password via your own server. To do this, you create a PHP file and call it up accordingly.

Here is an example with user TOP SECRET and password STILL SECRET. Then the following comes out:

Create .htpasswd

Tell Apache to ask for the password

Once the .htpasswd file has been created, adjust the .htaccess file. How this works is also described on the WordPress page. There you will find the instructions if you should not use Apache, but Nginx.

Below is how I implemented this.

# Stop Apache from serving .ht* files
<Files ~ "^.ht">
Order allow,deny
Deny from all

# Protect wp-login
<Files wp-login.php>
AuthUserFile /ABSOLUTER/PFAD/.htpasswd
AuthName "Private access"
AuthType Basic

If you have problems logging in, check the /var/log/apache2/error.log file. It’s Saturday morning and I made a typo. This then ended in a 500 Internal Server Error. But I didn’t see the typo right away and thought: #$@ยง%&!

cat /var/log/apache2/error.log

then brought light into the darkness and the error message was:

[authn_file:error] [pid 4235] (2) No such file or directory: [client XX.XXX.XX.X:51090] BLAZE: Could not open password file: /XXX/XXXXX/XXX/.htpasswd

But now everything works and if I want to log into my WordPress backend, then another protective layer is implemented.

Wordpress and wp-admin or wp-login.php are even better protected

WordPress and wp-admin or wp-login.php are even better protected

Login-Anmelden-bei-Wordpress-joomla-typo3-shopware-contao Previous post Login, login to the backend – WordPress, Joomla, Typo3 and Co – KaGu
Identity card portal - Applications - Login to WordPress-based websites with the online ID card Next post Identity card portal – Applications – Login to WordPress-based websites with the online ID card