wp-login.php is the default login page of a WordPress website, and it redirects to the wp-admin directory once the user has logged in successfully. What does this mean? It means that an attacker who wants to attack any WordPress site can run a brute-force attack against that specific page, which may also cause a heavy load on the server. In this post, I will show you how to add extra login security in WordPress without a plugin, protecting both the page (wp-login.php) and the directory (wp-admin). Once they are protected, any user (including the site admin) will get a popup window asking for a username and password before reaching the login or admin page.
Create A Password File
Create a file named .htpasswd that will store your username and password. You can use this link to generate the username and encrypted password. Add the generated text to the .htpasswd file and upload it to the server. A good location is outside the /public_html/ directory, which is more secure since files outside the web root cannot be requested through the site.
Password Protect wp-login.php
Open the .htaccess file in the root directory of your website; if you don't have one, create it. Then add the following lines of code.
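# Ask for HTTP Basic credentials before wp-login.php is served
<Files wp-login.php>
AuthUserFile "/path/to/your/.htpasswd"
AuthGroupFile /dev/null
AuthName "Admin Only"
AuthType Basic
# Only this user from the .htpasswd file is let through
require user username
</Files>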
In the above code, remember to replace the path with the full path to your .htpasswd file, and replace the username with the username that is in the .htpasswd file.
Password Protect wp-admin Directory
To protect your wp-admin directory, follow the same procedure as above, with a slight change in the code: the directives are not wrapped in a Files block. Put them in a .htaccess file and upload it to the wp-admin directory.
# Applies to everything inside wp-admin, so no <Files> wrapper is needed
AuthUserFile "/path/to/your/.htpasswd"
AuthGroupFile /dev/null
AuthName "Admin Only"
AuthType Basic
require user username
You need to do the same thing here: change the path and the username.
After you have completed the above steps, there will be one .htaccess file in the root directory of your website and another one in the wp-admin directory.
Now you have successfully added an extra layer of authentication for logging in to WordPress.
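A check you can run on each .htaccess snippet before uploading it, as an added example that is not part of the original post: it flags typographic quotes picked up when copying directives from a web page, a missing AuthType or Require line, and an .htpasswd path that is not a full path or that sits inside the web root. The function name audit_htaccess and the /home/example paths are assumptions made for illustration.

```python
import posixpath
import re

SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # curly quotes picked up when copying from a web page

def audit_htaccess(text, docroot):
    """Return a list of problems found in a Basic-auth .htaccess snippet."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(q in line for q in SMART_QUOTES):
            findings.append(f"line {n}: typographic quotes, use plain ASCII quotes")
        m = re.match(r"(?i)(AuthUserFile|AuthType|Require)\s+(.+)", line)
        if m:
            # Remember the directive value with any surrounding quotes removed.
            seen[m.group(1).lower()] = m.group(2).strip(SMART_QUOTES + "\"' ")
    pwfile = seen.get("authuserfile")
    if pwfile is None:
        findings.append("no AuthUserFile directive")
    else:
        # Normalise first so a path using ../ is judged by where it really points.
        path, root = posixpath.normpath(pwfile), posixpath.normpath(docroot)
        if not path.startswith("/"):
            findings.append("AuthUserFile is not a full path")
        elif path == root or path.startswith(root + "/"):
            findings.append("AuthUserFile is inside the web root")
    if seen.get("authtype", "").lower() != "basic":
        findings.append("AuthType Basic is missing")
    if "require" not in seen:
        findings.append("no Require line, so no user is enforced")
    return findings

# Constructed samples: example paths, not taken from a real server.
DOCROOT = "/home/example/public_html"
PASTED = """<Files wp-login.php>
AuthUserFile \u201c/home/example/public_html/.htpasswd\u201d
AuthGroupFile /dev/null
AuthName \u201cAdmin Only\u201d
AuthType Basic
require user username
</Files>"""
FIXED = PASTED.replace("\u201c", '"').replace("\u201d", '"').replace(
    "public_html/.htpasswd", ".htpasswd")

if __name__ == "__main__":
    for name, snippet in (("pasted", PASTED), ("fixed", FIXED)):
        print(name, audit_htaccess(snippet, DOCROOT) or "OK")
```

An empty list means the snippet passed these checks; it does not replace testing the login prompt in a browser after upload.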
How To Fix Admin Ajax Issue?
Password protecting the wp-admin directory will break Ajax functionality on sites that use it, and any plugins or themes that depend on it will break too. To solve the issue, paste the following code into the .htaccess file located in the wp-admin folder.
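# Let admin-ajax.php be requested without the Basic auth prompt
# (Apache 2.2-style directives; on Apache 2.4 they need mod_access_compat)
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>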
How To Fix 404 Error Or Too Many Redirects?
Sometimes password protection causes a 404 error or a "Too many redirects" error. To fix the issue, simply add the following line of code to the main .htaccess file.
ErrorDocument 401 default
I hope this article has helped you add additional authentication to your WordPress website. If you have any problem while performing any of the above steps, please feel free to leave a comment. I will be glad to help you.