WordPress Security – Adding Additional Protection to Your Login Page

Table of Contents

  1. 1. 5

wordpress-security-smI recently found myself right in the crosshairs of a brute force attack on a couple of my WordPress sites by someone who was adamantly trying to login. I wasn’t really all that worried – I’ve made sure to follow my own advice regarding security.

But it was annoying.

The login attempts were coming from all kinds of different IP addresses, and all kinds of locations, and they kept trying the same set of usernames over and over again. And even though I’ve followed what I believe to be best practices and using security tools like CloudFlare and WordFence the attempts just kept coming.

I’ve got a lot of work to do, and the notifications were steadily flooding my inbox. Hundreds of them. Even though I could simply turn off the notice that the malicious attempt was blocked, that wasn’t enough for me. I wanted it stopped.

As always, there is more than one way to solve the problem, but I wanted something simple that wouldn’t require another plugin.

I found lots of different approaches and methods – like changing the path to the login.php page, various plugins, and restricting access to allow it only from specific IP addresses, among others.

However, I needed something that would enable me to work on my site wherever I have an internet connection, and most of those either weren’t quite what I was looking for, weren’t necessarily the best practice, were too restrictive, or some combination of those things.

private-accessI found this one on the main WordPress site here. This was the perfect solution and it works like a charm.

The thought process here is I want to add another layer of protection by password-protecting the login page. In order to add this additional layer of security to my site I needed to create a new document called .htpasswd.

You can use this tool here to generate the the encrypted password for your .htpasswd file. I’d recommend to create a different username and password than what you normally use for your WordPress login, and don’t use admin as your username for either one.

I created a new file, named it .htpasswd, uploaded it to a non-public directory, which is a different directory than where my .htaccess file lives in the regular web root, and made sure the file permissions were set correctly so there wouldn’t be any security issues.

Once that file was created, there was an addition that needed to be made to my .htaccess to update a couple things and map where it needs to look for the authentication file.

Here is what needs to be added to the .htaccess. (Always make sure you’ve got a backup copy of your file before you make changes.)

# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all

# Locking down the wp-login.php page
<Files wp-login.php>
AuthUserFile ~/.htpasswd // this is where you'll need to make sure you've got your path set correctly to your encrypted user password file.
AuthName "Restricted access"
AuthType Basic
require user youruser // this is where you place your separate username to gain access to the login page


After you’ve added those changes to your .htpasswd file. Enter your new username and password and then submit. Then once authenticated, you should then be brought to your wp-login.php page where you can enter your WordPress username and password.

The good thing is that the attempts to break in to my sites were never successful, and my site never had any problems at all. Performance was solid before, during and after. Most importantly everything was safe and secure.

There are other options to lock up your WordPress site, but this did the trick for me. The attempts ceased as soon as I implemented this solution. Not a single attempt since.

See Also:

How To Set Up Your Theme In WordPress?


"Looking for some help on how to set up your theme in WordPress? One of the biggest things I obsessed over when I was getting started was how my new site was going to look. I’ve always been obsessed with design and aesthetics, so I immediately gravitated to figuring out how to make my new […]"

Keep Reading...

Website Content Is Important – 7 Surprising Pages You Need On Your Website


"Website content is important. But that begs the question, “why”? Why is website content so important? Website content is important because it’s the bread and butter of your online business. It’s the one thing that makes everything on your site work together – the design, the architecture, the branding – all of it. So it […]"

Keep Reading...

What Type of Blogs Make the Most Money?


"What type of blogs make the most money? Starting a blog is one of the first things that people think about when they start thinking about trying to make money online. But for most beginners they don’t know what type of blogs make the most money, so they get stuck and end up wasting a […]"

Keep Reading...

What’s the best ClickFunnels email integration?


"What’s the best ClickFunnels email integration? Here’s the deal: I’m not going to review 27 different email platforms and tell you what features they have and all that stuff. If you’re like me, you’re just looking for something that works, that’s affordable, and that’s easy to use. That’s why you’re looking for the best ClickFunnels […]"

Keep Reading...

Introducing The New WordPress Gutenberg Editor | How To Make A WordPress Blog Step-by-Step 2020


" The new WordPress Gutenberg editor is a completely new content creation experience from the Classic Editor. With the release of WordPress 5 they have rolled out a completely new editor based on a block system. Some love it, many hate it. But it’s here to stay, so we all better get used to it! […]"

Keep Reading...

How to Choose a Domain Name


"You choose a domain name by thinking about what people will type into their browser when they want to visit your website. You also need to think about how easy it is to remember and spell, as well as whether or not there are any other websites with that exact same name. The first thing […]"

Keep Reading...

6 Reasons Why You SHOULD Hire a Website Designer in 2020


"A while back I had someone contact me about rebuilding her website. She had been using a site builder, and a bunch of plugins, but realized that she’d just outgrown what she was capable of doing and was frustrated. “I’m not a designer, I’m not a developer,” she said. “I know this isn’t working for […]"

Keep Reading...

What Do I Need From A Web Hosting Company?


"So, you may be thinking, “great, I’m ready to go!” Not so fast my friend. Figuring out what kind of hosting service you need is just the first step. Not all hosting companies are created equally and you need to know what to look for when it comes to choosing a web host. I already […]"

Keep Reading...

How does ClickFunnels Work?


"ClickFunnels is a lot more than just a page builder for your funnel pages. It’s a website builder, but a very specific kind of page builder, designed very specifically to build online sales funnels and handle everything you need from the ability to process payments to building out membership sites. ClickFunnels is entirely web-based so […]"

Keep Reading...

What do I do when I can’t get design clients?


"What do I do when I can’t get design clients? I remember the days when I was first getting started and how hard it was. Good thing for me was I didn’t even really know how hard it was going to be, or I’d probably have given up! So I can sympathize when new designers […]"

Keep Reading...