Htaccess Password Protect Word Press Admin


Brute force cracking Word Press sites admin login is rampant because it is very easy. Word Press doesn’t offer much in the way of the way helping protect your blog from such attacks. Brute force attacks is a method of trying to guess the password either systematically or via a common password dictionary list. One of the easiest ways to deter would be hackers is to add a second layer of password authentication to the administration area. Using htaccess rules to require a password before getting to the WP admin password will thwart nearly all the cracking bots out there. Just be sure you make the new htaccess login user name and password completely different than the one used by WP.

To setup htaccess password protection for your Word Press admin area you need to first create a text document called .htpasswd. You can either use the linux shell htpasswd or the online tool HTPasswd Generator. Once you created this file save it or upload it to your wp-admin directory. (It needs to have the period at the front of the file—the period hides the file from view and access by direct web access on the linux apache system.)

Next you need to edit or create a file in your wp-admin directory called .htaccess it should look like so:

ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
AuthName "AuthorizedAccess"
AuthUserFile "/home/your site/www/wp-admin/.htpasswd"
AuthType Basic
require valid-user

In the line that starts with AuthUserFile you will need to adjust the path to where the .htpasswd file you will create will be located. In most linux servers the path needs to be absolute, so it has to start at /home or whatever the start is, you can’t just go AuthUserFile .htpasswd (On most servers.)

Now when you access your wp-admin page you will get an htaccess popup window requiring the user name and password from the .htpasswd file first before you can access the Word Press login.


Leave a Reply