Using the steps below, I’ll show you how to create password protection for your /wp-admin directory. We’ll also copy those rules over to protect your wp-login.php script to keep WordPress as safe as possible.

  1. Under the Files section, click on Directory Privacy.

  2. Click the Settings button.

  3. In the pop-up box, select your domain in the drop-down menu labelled Document Root, then click Save Changes.

  4. Click on the text, not the folder icon, for your wp-admin directory.

  5. Check Password protect this directory, give it a name, then click Save.

  6. Now click on Go Back.

  7. Under the Create User section, input a user name and then click on Password Generator.

  8. In the pop-up mini-window, copy the given password, then check I have copied this password in a safe place.
    Then click Use Password.

  9. Now click on Save.

  10. Click on Go Back.

  11. Try to access your /wp-admin directory.
    Your browser will prompt you for the password you just created.
    Type in your username / password, and click Log In.

  12. Your normal WordPress admin login page should now display.

  13. Now go back to cPanel.
    Under the Files section, click on File Manager.

  14. Click the Settings button.

  15. Then select the Document Root for your domain, and check Show Hidden Files (dotfiles). Finally, click Save.

  16. From the left-hand directory listing, expand public_html.
    Click on wp-admin, then right-click on your .htaccess file.
    Then click on Code Edit.
    For the encoding pop-up, click on Edit again to bypass it.

  17. Copy all the code in the .htaccess file.

    While you still have the /wp-admin/.htaccess file open, also add the directives below that are not already there (the AuthType block was generated by cPanel), so the file ends up like this:

    ErrorDocument 401 "Denied"
    ErrorDocument 403 "Denied"

    # Allow plugin access to admin-ajax.php around password protection
    <Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
    </Files>

    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user

  18. From the left-hand directory listing, click on public_html.
    Right-click on your .htaccess file, then click on Edit.

  19. Now paste the .htaccess code you copied between a pair of <FilesMatch> tags, so that it ends up looking like this:

    ErrorDocument 401 "Denied"
    ErrorDocument 403 "Denied"

    <FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
    </FilesMatch>

    Then click on Save Changes up at the top-right.
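To confirm that both files came out the way steps 17 and 19 describe, here is an added Python check script. It is not part of the original tutorial and is not cPanel's or WordPress's code; it embeds the two .htaccess files from the steps above as constructed sample text, assumes a hypothetical document root of /home/example/public_html, and approximates Apache's PCRE FilesMatch matching with Python's re module. It flags the mistakes that leave the login unprotected (no AuthType/AuthUserFile/require, no wp-login.php block, admin-ajax.php not exempted, password file stored under the web root) and warns when the FilesMatch regex is looser than intended.

```python
import re

# Constructed sample input: the two .htaccess files as steps 17 and 19 leave them.
WP_ADMIN_HTACCESS = """\
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
"""

PUBLIC_HTML_HTACCESS = """\
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
"""

# Assumed (hypothetical) document root of the sample account.
DOCROOT = "/home/example/public_html"

# <Files ...> / <FilesMatch ...> containers; the backreference closes the same kind.
SECTION_RE = re.compile(r'<(Files|FilesMatch)\s+"?([^">]+?)"?\s*>(.*?)</\1>', re.S | re.I)


def _directives(text):
    """Turn config lines into (lowercased name, raw arguments) pairs, skipping comments."""
    out = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        out.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return out


def parse_htaccess(text):
    """Return (top_level_directives, sections); a section is (kind, pattern, directives)."""
    sections = []

    def grab(m):
        sections.append((m.group(1).lower(), m.group(2), _directives(m.group(3))))
        return ""  # strip the container so only top-level directives remain

    remainder = SECTION_RE.sub(grab, text)
    return _directives(remainder), sections


def has_directive(directives, name, value):
    return any(n == name and a.strip('"').lower() == value for n, a in directives)


def check_wp_admin(text, docroot):
    """Problems with /wp-admin/.htaccess; an empty list means the protection looks right."""
    top, sections = parse_htaccess(text)
    problems = []
    if not has_directive(top, "authtype", "basic"):
        problems.append("AuthType Basic missing")
    userfile = next((a.strip('"') for n, a in top if n == "authuserfile"), "")
    if not userfile:
        problems.append("AuthUserFile missing")
    elif userfile.startswith(docroot.rstrip("/") + "/"):
        problems.append("AuthUserFile lives inside the document root")
    if not has_directive(top, "require", "valid-user"):
        problems.append("require valid-user missing")
    ajax = [s for s in sections if s[0] == "files" and s[1] == "admin-ajax.php"]
    if not ajax or not has_directive(ajax[0][2], "satisfy", "any"):
        problems.append("admin-ajax.php is not exempted (Satisfy any)")
    return problems


def check_wp_login(text):
    """Problems with public_html/.htaccess; entries starting with 'warning:' are advisory."""
    _, sections = parse_htaccess(text)
    problems, guarded = [], []
    for kind, pattern, body in sections:
        if not has_directive(body, "require", "valid-user"):
            continue
        if kind == "files":  # <Files> is a literal name, no regex to inspect
            if pattern == "wp-login.php":
                guarded.append(pattern)
            continue
        try:
            matched = re.search(pattern, "wp-login.php") is not None
        except re.error:
            problems.append(f"invalid FilesMatch regex: {pattern!r}")
            continue
        if not matched:
            continue
        guarded.append(pattern)
        if not (pattern.startswith("^") and pattern.endswith("$")):
            problems.append(f"warning: FilesMatch pattern {pattern!r} is unanchored")
        if re.search(r"(?<!\\)\.", pattern):
            problems.append(f"warning: unescaped '.' in {pattern!r} matches any character")
    if not guarded:
        problems.insert(0, "wp-login.php is not covered by a require valid-user block")
    return problems


if __name__ == "__main__":
    print("wp-admin/.htaccess:", check_wp_admin(WP_ADMIN_HTACCESS, DOCROOT) or "ok")
    print("public_html/.htaccess:", check_wp_login(PUBLIC_HTML_HTACCESS) or "ok")
```

Run it against the files you actually saved by reading them in place of the two sample strings. With the tutorial's own text, the wp-admin check comes back clean and the wp-login check only reports warnings: the pattern "wp-login.php" is unanchored and its dot is unescaped, so it also matches names that merely contain a similar string. That is harmless here, but `^wp-login\.php$` says exactly what is meant.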

  20. Now if someone tries to log in directly via wp-login.php, they will be prompted for a valid user as well.

  21. When a user enters invalid credentials, they will get an Authorization Required error and will not be able to reach your WordPress admin login at all.