Web Hosting

Please find below our list of Web Hosting guides to help with your hosting account.

How to password protect WordPress wp-login.php

This article was posted in: Web Hosting

Content Management Systems (CMSs) like WordPress are under constant attack from the internet. Criminals will persist in trying to guess your passwords, so it's very important to take steps to protect your website as much as possible. One such step is to apply an extra level of security around your website's login page.

The example below is based on WordPress, but could as easily be applied to Joomla, Drupal and many more popular web applications, inlcuding ecommerce or forums etc.

This guide assumes a reasonable level of skill in using the FileManager within cpanel to locate, create, and edit files. Either that, or you should be able to edit files locally on your computer, and then be able to upload them using FTP/SFTP.


Step 1 - Create the encrypted password

Open your favourite web browser and go to http://www.askapache.com/online-tools/htpasswd-generator/

Username for logging in : enter the preferred username here (no spaces!)
Password for the : enter a strong password here (8 chars minimum including numbers, upper and lower case and symbols)
Realm or Popup Name : Just enter a title for the popup security notice
Encryption Algorithm : md5
Authentication Scheme : Basic

Click the Generate HTPASSWD button.


This will produce some output, including the MD5 Algorithm, as shown. Now, copy the contents of the text box into the clipboard.


Step 2 - Create the password file in your cPanel account

Create a file named .passwd in the root of your home directory. i.e. the directory above public_html/

Now, edit that file and paste in the clipboard from Step 1. The contents of your .passwd file should now look like this:

john:$apr1$b6g738w9$IljNz.J5i5h4o93uqGz.f1

Now save the file. That was easy wasn't it!


Step 3 - Modify/create a .htaccess file

Now that we have created our .passwd file, we now need to tell the webserver which files it should protect. To do this we must edit, or create a .htaccess file in your public_html/ directory. Depending on your WordPress settings, you may already have a .htaccess file here. If you don't, then create one using FileManager.

Add the following to the top of .htaccess


AuthType Basic
AuthName "Authorized Only"
AuthUserFile /home/username/.passwd
Require valid-user
ErrorDocument 401 default

Replace username, above with your cPanel username. Once, you have finished, then save the file.

That's it! Next time you try to login to your WordPress site the web server will ask you to enter the username and password. Better yet, if this is entered incorrectly more than a handful of times within a few minutes, then we will automatically block the IP address, meaning that the attacker hasn't even loaded the WordPress login page at all.