As wordpress continues to flourish as the most popular CMS on the internet, so too does its popularity as a target for hackers who want to gain unauthorized access to your site. Hopefully you’ve read and implemented 5 Quick and Easy WordPress Security Tips, or maybe you’re using one of the popular wordpress security plugins to accomplish an equivalent level of security and that’s great, but let’s take things one step further and add an additional level of security to the wp-login.php of a wordpress site. We will eliminate the possibilities of brute-force attacks and un-authorized login attempts by requiring an additional username and password before the wp-login.php page can be accessed. The user will be asked to enter a user name and password ( Not a wordpress user ) before they will be taken to the native wordpress login page. If the incorrect credentials are entered several times within a few minutes, the users ip address will be blocked, preventing them from ever reach your wordpress login page.
Implementing this feature is relatively simple and can be completed by following the steps listed below:
Head over to AskApache and generate an .htpasswd file. After filling in a user name and password, select md5 as the encryption algorithm and a basic authentication scheme will work just fine.
On the following screen you’ll see two blocks of code. One should look like this:
Paste this into a .passwd file you’ll need to create in the root directory ( “/home/username/” ) of your server.
The second block of code should look like this:
< filesmatch "wp-login.php"> AuthType Basic AuthName "Authorized Only" AuthUserFile /home/username/.passwd Require valid-user < /filesmatch> ErrorDocument 401 default
This can be pasted into the top of the .htaccess file of the site(s) you’d like to protect. Be sure to replace the file path to reflect where you created the .passwd file in the first step and remove the space before each “filesmatch” tag.
Save both files and you’re all set. You should be prompted for the new username and password before reaching the wp-login page. If the incorrect username and password is entered incorrectly several times within a few minutes, the ip address will be blocked and the user will have never reached the wp-login page.