Using the steps below, I’ll show you how to create password protection for your /wp-admin directory. We’ll also copy those rules over to protect your wp-login.php script to keep WordPress as safe as possible.

  1. Under the Files section, click on Directory Privacy.

  2. Click the Settings button.

  3. In the pop-up box, select your domain in the drop-down menu labelled Document Root, then click Save Changes.

  4. Click on the text, not the folder icon, for your wp-admin directory.

  5. Check Password protect this directory, give it a name, then click Save.

  6. Now click on Go Back.

  7. Under the Create User section, input a user name and then click on Password Generator.

  8. In the pop-up mini-window copy the given password, and then check I have copied this password in a safe place.
    Then click Use Password.

  9. Now click on Save.

  10. Click on Go Back.

  11. Try to access your /wp-admin directory.
    Your browser will prompt you for the password you just created.
    Type in your username and password, then click Log In.

  12. Your normal WordPress admin login page should now display.

  13. Now go back to cPanel.
    Under the Files section, click on File Manager.

  14. Click the Settings button.

  15. Then select the Document Root for your domain, and check Show Hidden Files (dotfiles). Finally, click Save.

  16. From the left-hand directory listing, expand public_html.
    Click on wp-admin, then right-click on your .htaccess file.
    Then click on Code Edit.
    For the encoding pop-up, click on Edit again to bypass that.

  17. Copy all the code in the .htaccess file.

    While you still have the /wp-admin/.htaccess file open, also add the extra lines (the ErrorDocument lines and the <Files admin-ajax.php> block, shown in red in the original) so that the file ends up looking like this:

    ErrorDocument 401 "Denied"
    ErrorDocument 403 "Denied"

    # Allow plugin access to admin-ajax.php around password protection
    <Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
    </Files>

    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user

  18. From the left-hand directory listing, click on public_html.
    Right-click on your .htaccess file, then click on Edit.

  19. Now paste the .htaccess code you copied inside a <FilesMatch> container for wp-login.php, so that it ends up looking like this:

    ErrorDocument 401 "Denied"
    ErrorDocument 403 "Denied"

    <FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
    </FilesMatch>

    Then click on Save Changes up at the top-right.

  20. Now if someone tries to log in directly via wp-login.php, they will be prompted for a valid user as well.

  21. When someone enters invalid credentials, they will get an Authorization Required error, so they never reach your WordPress admin login form directly.
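Before uploading either file it is worth checking the two things that most often go wrong with this setup: a <Files> or <FilesMatch> container that is never closed (Apache then answers every request with a 500 error, locking you out of the site as well as the admin), and a password file placed under public_html where it could be downloaded. The script below is an added example, not code from this guide or from cPanel. It parses the container directives with a small tokenizer and checks the properties the guide relies on; the DOCROOT value and the sample .htaccess texts are constructed to match the guide's /home/example paths.

```python
"""Sanity checks for the two .htaccess fragments this guide has you write.

Added example (not part of the original guide): a small parser for Apache
container directives plus checks for the properties the guide depends on.
DOCROOT and the sample texts are constructed to match the guide's example paths.
"""
import posixpath
import re
from dataclasses import dataclass, field

DOCROOT = "/home/example/public_html"   # constructed: the guide's example account


@dataclass
class Container:
    kind: str                    # "Files", "FilesMatch", or "" for the file itself
    arg: str                     # filename or pattern after the tag name
    directives: list = field(default_factory=list)   # (lowercased name, value)
    children: list = field(default_factory=list)


OPEN = re.compile(r'^<(\w+)\s+"?([^">]+?)"?\s*>$')   # <Files x> / <FilesMatch "x">
CLOSE = re.compile(r'^</(\w+)>$')


def parse_htaccess(text):
    """Build a container tree; raise ValueError when a container is not closed."""
    root = Container("", "")
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN.match(line):
            node = Container(m.group(1), m.group(2))
            stack[-1].children.append(node)
            stack.append(node)
        elif m := CLOSE.match(line):
            if len(stack) == 1 or stack[-1].kind != m.group(1):
                raise ValueError(f"line {lineno}: unexpected </{m.group(1)}>")
            stack.pop()
        else:   # plain directive; Apache directive names are case-insensitive
            name, _, value = line.partition(" ")
            stack[-1].directives.append((name.lower(), value.strip().strip('"')))
    if len(stack) > 1:
        raise ValueError(f"unclosed <{stack[-1].kind} {stack[-1].arg}>")
    return root


def child(node, kind, arg):
    return next((c for c in node.children if c.kind == kind and c.arg == arg), None)


def auth_problems(node, where, docroot):
    """Basic auth must be complete, and the password file must not be servable."""
    found = dict(node.directives)
    problems = [f"{where}: missing {d}" for d in ("authtype", "authuserfile", "require")
                if d not in found]
    path = found.get("authuserfile", "")
    if path.startswith("/") and posixpath.commonpath([posixpath.normpath(path), docroot]) == docroot:
        problems.append(f"{where}: AuthUserFile {path} is inside the document root")
    return problems


def check_wp_admin(text, docroot=DOCROOT):
    """wp-admin/.htaccess: whole directory locked, admin-ajax.php exempted."""
    try:
        tree = parse_htaccess(text)
    except ValueError as e:
        return [str(e)]
    problems = auth_problems(tree, "wp-admin", docroot)
    ajax = child(tree, "Files", "admin-ajax.php")
    if ajax is None:
        problems.append("no <Files admin-ajax.php> block: plugin AJAX calls will get 401")
    elif dict(ajax.directives).get("satisfy", "").lower() != "any":
        problems.append("admin-ajax.php block needs 'Satisfy any' to bypass the prompt")
    return problems


def check_public_html(text, docroot=DOCROOT):
    """public_html/.htaccess: wp-login.php locked, nothing else affected."""
    try:
        tree = parse_htaccess(text)
    except ValueError as e:
        return [str(e)]
    login = child(tree, "FilesMatch", "wp-login.php")
    if login is None:
        return ['no <FilesMatch "wp-login.php"> block: wp-login.php is unprotected']
    problems = auth_problems(login, "wp-login.php", docroot)
    if "require" in dict(tree.directives):
        problems.append("top-level 'require' would lock the whole site")
    return problems


AUTH = """AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
"""
# Constructed samples: the guide's two files with the closing tags they need ...
WP_ADMIN_OK = ('ErrorDocument 401 "Denied"\n<Files admin-ajax.php>\nOrder allow,deny\n'
               'Allow from all\nSatisfy any\n</Files>\n' + AUTH)
PUBLIC_HTML_OK = 'ErrorDocument 401 "Denied"\n<FilesMatch "wp-login.php">\n' + AUTH + '</FilesMatch>\n'
# ... and two ways to get them wrong: a missing </Files>, and a password file under the web root.
WP_ADMIN_UNCLOSED = WP_ADMIN_OK.replace("</Files>\n", "")
PUBLIC_HTML_LEAKY = PUBLIC_HTML_OK.replace("/home/example/.htpasswds/public_html/wp-admin/passwd",
                                           "/home/example/public_html/wp-admin/.htpasswd")

if __name__ == "__main__":
    for label, problems in [("wp-admin", check_wp_admin(WP_ADMIN_OK)),
                            ("wp-admin, unclosed", check_wp_admin(WP_ADMIN_UNCLOSED)),
                            ("public_html", check_public_html(PUBLIC_HTML_OK)),
                            ("public_html, leaky", check_public_html(PUBLIC_HTML_LEAKY))]:
        print(f"{label}: {problems or 'OK'}")
```

Run it as-is to see the four verdicts, or paste your own file contents into check_wp_admin / check_public_html. One caveat the parser does not cover: the Order, Allow and Satisfy directives are Apache 2.2 syntax, which Apache 2.4 only accepts while mod_access_compat is loaded (cPanel servers normally load it); the 2.4-native form of the exemption is Require all granted.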
