Last Updated: February 7, 2015 | Reading Time: 2 minutes
Everyone can guess where your WordPress admin dashboard lives: by default it is www.yoursite.com/wp-admin. Anyone with bad intentions can point brute-force software at that login URL and try username and password combinations, which is why you should never use a dictionary word or other easily guessed password.
One basic extra layer of protection is HTTP Basic authentication configured through .htaccess, and I'll show you how to set it up. Keep in mind that Basic authentication only base64-encodes the username and password in each request, it does not encrypt them, so use it over HTTPS only.
Creating .htpasswd
First, create a file named .htpasswd locally, then generate a username and hashed password with an .htpasswd generator, or with the htpasswd tool that ships with Apache (for example `htpasswd -nB admin`, which prints a bcrypt entry to the terminal). Copy the result and paste it into your newly created file.
Then upload the file to your server. You can put it inside or outside the public_html folder, but outside is safer, because the web server can then never serve the file by mistake. In my case I put it in /home/pupung/.
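To see what actually ends up in .htpasswd and what the browser sends after the password dialog, here is an added example that is not part of the original post: it builds an entry in Apache's $apr1$ (MD5-crypt) format, the format `htpasswd -m` writes, and checks an HTTP Basic `Authorization` header against a parsed .htpasswd file the way the server does. The user name "pupung" is taken from the post; the password and file contents are constructed sample data.

```python
# Added example (not from the original post): build an .htpasswd entry in
# Apache's $apr1$ format and check an HTTP Basic "Authorization" header
# against it. The user name "pupung" comes from the post; the password and
# file contents below are constructed sample data.
import base64
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # crypt(3)-style base64: 6 bits per character, least significant first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_hash(password, salt=None):
    """Apache's MD5-crypt variant ($apr1$), the format `htpasswd -m` writes."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    pw, s = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    n = len(pw)
    while n > 0:
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:  # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000 stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return "$apr1$" + s.decode() + "$" + out

def sha1_entry(password):
    """The weaker `htpasswd -s` format: unsalted SHA-1, base64-encoded."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def htpasswd_line(user, password):
    return f"{user}:{apr1_hash(password)}"

def load_htpasswd(text):
    """Parse .htpasswd text into {user: stored_hash}, skipping blanks and comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users

def verify_password(stored, password):
    if stored.startswith("$apr1$"):
        salt = stored.split("$")[2]  # "$apr1$<salt>$<hash>"
        return hmac.compare_digest(apr1_hash(password, salt), stored)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha1_entry(password), stored)
    return False  # bcrypt ($2y$) and crypt() entries need other libraries

def basic_auth_header(user, password):
    # What the browser sends after the dialog: base64, NOT encryption.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_authorization(header, users):
    """Return the user name if the Basic credentials are valid, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)
    stored = users.get(user)
    if stored is None or not verify_password(stored, password):
        return None
    return user

if __name__ == "__main__":
    entry = htpasswd_line("pupung", "correct-horse-battery")  # constructed sample
    users = load_htpasswd("# admin users\n" + entry + "\n")
    print(entry)
    print(check_authorization(basic_auth_header("pupung", "correct-horse-battery"), users))
    print(check_authorization(basic_auth_header("pupung", "guess"), users))
```

The `{SHA}` branch is there only because older generators still emit it; it is unsalted and fast, so prefer the bcrypt entries that `htpasswd -B` produces (verifying those needs a bcrypt library, which this example deliberately does not pull in).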
Creating .htaccess
Next, create a .htaccess file the same way you created .htpasswd. Here is my code:
[shell]
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
# Allow plugin access to admin-ajax.php
# around password protection
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
AuthType Basic
AuthName "Admin Only"
AuthUserFile /home/pupung/.htpasswd
Require valid-user
[/shell]
and upload it to the wp-admin folder. The <Files admin-ajax.php> container matters: Satisfy any together with Allow from all lets every visitor through without a password, so those three lines must be scoped to admin-ajax.php only and never apply to the whole directory. On Apache 2.4, where Order, Allow and Satisfy come from the compatibility module mod_access_compat, use Require all granted inside that Files container instead.
You can test it by visiting your admin URL yourdomain.com/wp-admin: the browser will prompt you for a username and password before WordPress' own login form appears.
Protecting wp-login.php
One more thing to do is protect wp-login.php, which resides in the root of your WordPress installation. I use the code below to protect it; add it after the existing lines in your WordPress .htaccess.
[shell]
<Files wp-login.php>
    AuthName "Login Required"
    AuthType Basic
    AuthUserFile /home/pupung/.htpasswd
    Require valid-user
</Files>
[/shell]
Well done, your wp-admin is now protected. There are a few more tricks for protecting a WordPress installation, which I'll share in another post. Thanks for reading.