Knowledgebase
Wordpress security - protecting login (WP)
Posted by SITEWORKS SYS on 20 July 2014 11:04 PM

Wordpress should be kept updated to latest versions, including themes and plugins.

*Please install the WORDFENCE plugin on all Wordpress installations ( https://wordpress.org/plugins/wordfence/ )*

Measures You Can Take to Prevent Brute Force Attacks

The following steps can be used to secure (by password protection) wp-login.php for all WordPress sites in your cPanel account. This will help deter this type of attack.

How to Password Protect the wp-login.php File

There are two (2) steps in accomplishing this. First you need to define a password in the .wpadmin file, and then you activate the security in the .htaccess file.

Step 1: Generate Password File & Uploading Via File Manager

One way to do this is to generate the file using the website linked below, and then upload it to your site via FTP or File Manager. In the directions below, we will use File Manager, but you could use FTP instead, for those of you familiar with FTP.

  1. Visit: http://www.htaccesstools.com/htpasswd-generator/
  2. Use the form to create the username and password.
  3. Login to cPanel in another window or tab.
  4. Click on File Manager.
  5. Select Home Directory.
  6. Check Show Hidden Files (dotfiles) if not already checked.
  7. Click on the Go button.
  8. Look for a .wpadmin file.
    • If one exists, right click on it and select Code Edit to open the editor. Click on the Edit button to edit the file.
    • If one does not exist, click on New File at the top of the page, and specify the name as .wpadmin (with the dot at the front) and click on the Create New File button.
  9. Paste the code provided from the website in step 2.
  10. Click on the Save Changes button when complete.
  11. You can Close the file when finished.

Step 2: Update the .htaccess File

All domains under the home directory will share the common .wpadmin file. (The command listed in Option B above creates the /home/username/.wpadmin file due to the -c.)

The last step is to place the following code in the /home/username/.htaccess file:

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user
</FilesMatch>

Note: replace "username" above with your cPanel username.

(532 vote(s))
Helpful
Not helpful

Comments (0)