WordPress Security – Adding Additional Protection to Your Login Page

Table of Contents

  1. 1. 5

wordpress-security-smI recently found myself right in the crosshairs of a brute force attack on a couple of my WordPress sites by someone who was adamantly trying to login. I wasn’t really all that worried – I’ve made sure to follow my own advice regarding security.

But it was annoying.

The login attempts were coming from all kinds of different IP addresses, and all kinds of locations, and they kept trying the same set of usernames over and over again. And even though I’ve followed what I believe to be best practices and using security tools like CloudFlare and WordFence the attempts just kept coming.

I’ve got a lot of work to do, and the notifications were steadily flooding my inbox. Hundreds of them. Even though I could simply turn off the notice that the malicious attempt was blocked, that wasn’t enough for me. I wanted it stopped.

As always, there is more than one way to solve the problem, but I wanted something simple that wouldn’t require another plugin.

I found lots of different approaches and methods – like changing the path to the login.php page, various plugins, and restricting access to allow it only from specific IP addresses, among others.

However, I needed something that would enable me to work on my site wherever I have an internet connection, and most of those either weren’t quite what I was looking for, weren’t necessarily the best practice, were too restrictive, or some combination of those things.

private-accessI found this one on the main WordPress site here. This was the perfect solution and it works like a charm.

The thought process here is I want to add another layer of protection by password-protecting the login page. In order to add this additional layer of security to my site I needed to create a new document called .htpasswd.

You can use this tool here to generate the the encrypted password for your .htpasswd file. I’d recommend to create a different username and password than what you normally use for your WordPress login, and don’t use admin as your username for either one.

I created a new file, named it .htpasswd, uploaded it to a non-public directory, which is a different directory than where my .htaccess file lives in the regular web root, and made sure the file permissions were set correctly so there wouldn’t be any security issues.

Once that file was created, there was an addition that needed to be made to my .htaccess to update a couple things and map where it needs to look for the authentication file.

Here is what needs to be added to the .htaccess. (Always make sure you’ve got a backup copy of your file before you make changes.)

# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all

# Locking down the wp-login.php page
<Files wp-login.php>
AuthUserFile ~/.htpasswd // this is where you'll need to make sure you've got your path set correctly to your encrypted user password file.
AuthName "Restricted access"
AuthType Basic
require user youruser // this is where you place your separate username to gain access to the login page


After you’ve added those changes to your .htpasswd file. Enter your new username and password and then submit. Then once authenticated, you should then be brought to your wp-login.php page where you can enter your WordPress username and password.

The good thing is that the attempts to break in to my sites were never successful, and my site never had any problems at all. Performance was solid before, during and after. Most importantly everything was safe and secure.

There are other options to lock up your WordPress site, but this did the trick for me. The attempts ceased as soon as I implemented this solution. Not a single attempt since.

See Also:

How To Set Up Your MailChimp Account | How To Make A WordPress Blog Step-by-Step 2020


"Looking for help on how to set up your Mailchimp account? I’ve got you covered. One of the things that I’ve heard over and over again from successful digital marketers is how they wish they’d started building their list earlier. The importance of building your audience and building your email list cannot be overestimated. It’s […]"

Keep Reading...

How To Set Up Monster Insights | How To Make A WordPress Blog Step-by-Step 2020


" Monster Insights for Google Analytics makes it easier and faster to understand the traffic to your website. Being blunt, website analytics can be really tough to understand. The problem, as great as Google Analytics is, it can be overwhelming to understand all that it shows you. And if you’re confused you’re going to avoid […]"

Keep Reading...

What Is A Value Ladder And Why Does It Matter?


"If your business is going to survive and thrive in 2021 then you need to make sure that your value ladder is dialed up and ready to go! But maybe you’re wondering – what is a value ladder? The definition of a value ladder is: the value ladder is a tool used in a business as […]"

Keep Reading...

How To Go Live On Facebook: A Complete Guide for Profiles, Pages & Groups


"How to go live on Facebook Organic marketing on Facebook is one of the best ways to grow your business. And one of the best ways to increase your visibility – literally – is to go live on Facebook. So how do you go live on Facebook? To go live on Facebook the basics are […]"

Keep Reading...

What Are The Different Types of Web Hosting?


"What is Free Web Hosting? When it comes to figuring out how to host your website, there is good news, and bad news. First – the good news: You don’t have to pay for web hosting! That’s right – there are tons of places you can host your site for free. However, before you run […]"

Keep Reading...

Is Email Marketing Still Effective In 2021?


"Email marketing is still among the very most effective marketing tactics in 2021, here’s why. Email is still one of the most effective ways to connect and market to your target audience. People question the effectiveness of email marketing because it’s often done wrong or little effort is put into doing it right. According to […]"

Keep Reading...

How To Set Up Wordfence | How To Make A WordPress Blog Step-by-Step 2020


"Outside of driving traffic to your website security is probably one of the biggest concerns of all WordPress website owners, so in this video I’m going to show you how to set up WordFence – one of the top plugins for securing your self-hosted WordPress site. The problem is that, because of how easy it […]"

Keep Reading...

Ever had that dream where you’re trying to run – but CAN’T?


"Picture this: In your dream, you’re trying to escape some kind of monster that’s chasing you and you’re working SO HARD to move as fast as you can, but it’s like you’re trying to run through quicksand and you’re not getting anywhere! Ever had that feeling? Yep – me too, and it’s the WORST! You […]"

Keep Reading...

How to find your voice and approach


"Finding your voice is one of the most important parts of when you’re going to start a new blog. And one of the feelings that people get when they start to think about how they’re going to approach their topic usually sounds a little like this: “I’m not an expert, I can’t do this!” It […]"

Keep Reading...

How to Generate Leads For Realtors in 2021


"How to generate leads for realtors The real estate market is absolutely on fire in 2021! So, as a realtor, how do you tap into this market? And an even better question is, how are you going to make sure your sales funnel stays funnel if and when things cool off? Having a constant source […]"

Keep Reading...