No matter how big your website is, you should take extra care of security. There are many different ways of protecting your WordPress website. In this article, we will show you how to limit access to your login page and stop people from even trying to login.
If you have a standard installation of WordPress, you will have the same link to the login page as millions of other users. That means it is easy to access your login page just by typing /wp-admin at the end of your homepage. Yeah, it is password protected but still opened for various brute force attacks. It would be a good idea to prevent unauthorized access to this page.
If your site is hosted on a PHP hosting (which it probably is), you can use a simple method by adding a username and password for you login page.
It can be done by editing .htaccess and creating a .htpassword file.
Let’s start by creating a password file and uploading it to your server:
- Go to http://aspirine.org/htpasswd_en.html
- In the left box, add one user per line
- Click “Generate Passwords”
- In the right box, click “Generate htpasswd content”
- Save the content from the second box into “.htpassswd” file without any extension
- Upload newly created file on your server
Even though you can name this file whatever you want (like password.txt), it is recommended to use default file name. Apache server is configured in a way it won’t let access to this file while other file names/extensions would be available for editing thus making all this extra security worthless.
Now you’re ready to edit .htaccess file which can be found on your server in the main directory:
- Navigate to .htaccess and open it
- add the following lines to your file:
- Change ~/.htpasswd to location of the file you have uploaded in the previous step
- Change “wploopuser” to username you have entered into password generator and the file
- Save changes
# Stop Apache from serving .ht* files <Files ~ "^\.ht"> Order allow,deny Deny from all </Files> # Protect wp-login <Files wp-login.php> AuthUserFile ~/.htpasswd AuthName “Private access” AuthType Basic require user wploopuser </Files>
Now, before you can even get to the WordPress login page you will have to enter username and password you have created in the previous steps. Yes, now you have to enter two different usernames and passwords before you can login to your site; don’t be lazy, this might save you from random attacks and save you a site.