I received an awesome WordPress security question from Shannelle:
You’ve mentioned that you got to do a login page to access the real login page, and I was wondering, how did you do that? I’m being bothered by so many emails about people trying to access my site. Thanks!
This question is fully answered in the Make WordPress Your Bitch e-course, but I’ll also go over it here on the blog.
I protect my admin area with an “htpasswd” prompt.
Here’s what it looks like:
This little box keeps all the asshats out.
If you look at the screenshot, you’ll see that I’m on the login page, right? But before the login page loads, a prompt comes up saying “Authentication Required”.
Before anyone can gain access to the WordPress login form, they first have to pass this second security check. See where I’m going with this?
They have to fill out a different username and password BEFORE they can access the normal login form. That means, in order to gain access to my admin panel, they have to know two different username and password combinations. This immediately doubles my security.
How to set up an htpasswd prompt in cPanel
This tutorial assumes that your host uses cPanel. Most do, but if you’re not sure you can ask your web host.
In my above example, I’ve actually protected the wp-login.php page because that’s what I prefer for my own site. But for the sake of creating a simpler tutorial to follow, we’re actually going to protect the entire /wp-admin/ directory. You’ll notice that the whole admin area has /wp-admin/ in the URL, so we’re basically protecting all those pages.
Because of this difference, the process will actually be reversed for you.
- First they get the WordPress login.
- After SUCCESSFULLY getting through that, they THEN get the htpasswd box.
- They cannot access the admin area until getting through the htpasswd prompt.
I prefer my method where the htpasswd box comes first and WordPress login comes second, but that involves protecting a file. If I’m being honest, I have no idea how to do a tutorial for that in cPanel. My site doesn’t use cPanel (I have a dedicated server and do everything through command prompt).
So in order to provide a tutorial that most people can follow (using cPanel) I have to use a different method.
But ultimately we’re offering the same protection—it’s just happening in a different order.
Step #1: Log in to cPanel
Log in to cPanel with your web host. Scroll down and look for the section called “Security”. Then click the icon named Password Protect Directories.
Step #2: Choose the directory
As soon as you click that icon, you’ll get a popup box that looks like this:
Select Web Root and click Go.
You will be brought to a new page that lists the directories in your root. You want to choose wp-admin.
Step #3: Set your username and password
Finally, you will be brought to this next page:
There are a few things you need to do:
- Check the box to “Password protect this directory”.
- Enter a name. This can be anything. It’s just a message that appears in the prompt.
- Create a new user: set a username and password. This is what you will need to enter in the login prompt each time. Be sure to save these details in 1Password or LastPass so you don’t forget them!
Save all your changes once you’ve filled them out.
Step #4: Test it!
Once you’re done, the protection should be in place. Visit http://yoursite.com/wp-admin to confirm. The prompt should come up! Now you’ve got an extra layer of protection. GO YOU!
Looking for more security advice and WordPress tips?
This lesson is from the free Make WordPress Your Bitch e-course. Sign up for more free goodies like this one!
Wow Ashley… I wish I had your brain.. not that I’m a zombie or anything, LOL I have had so many attempts by hackers to get my site.. I did install a different plugin, so if that doesn’t work, I’ll 100% be doing your method.. What losers they are.. don’t they have something else to do with their time, like be NICE people? GEEEZ!
I know, I hate hackers! They need a life!
Nice trick, I’m going to try it out.
Good luck! 🙂
Excellent!! Just what I needed, because I really hate having people just go directly to login page like that. I know there are plugins we can use to hide WordPress and such, but it usually changes stuff way too much and I can’t deal lol. But this is simple enough to just push the spammers away.
(p.s. I don’t know why my email was misspelt in the last comments on your site, so disregard the above comment from Me lol)
Yeah I don’t really think you need to go through a whole thing of hiding WordPress from people. Just a few simple things will protect your site in a fantastic way. 🙂
Hey Ashley! Question for ya, so I did the tut and it does totally work. Only thing is I’m seeing where the bypass/login thingy shows up on like every page I visit. Any ideas why it’s doing that? I set it specifically for the wp-admin folder of my site, but not sure why it shows up when I visit a post, etc. Any ideas how to fix that?
Also, if we wanted to remove this hack, what’s the best way to do so?
I think you might have to talk to your web host about what might have gone wrong. It sounds like the wrong directory might have been selected somehow and they’d be in the best position to look into that!
They should also be able to walk you through how to remove it.
I wish I could help but I actually don’t use cPanel myself so there’s only so much I know about the process (for instance, I know how to add htpasswd but not sure what the steps are to remove it through cPanel). I go through a totally different process when I set it up on my own site!
Don’t worry. I got it removed. Turns out simply unchecking the “Password protect this directory” box and saving yet again removed it. I’ll talk with my host and find out why it was causing it to show on all pages of the site on the front end. Totally weird. I hope I can use this neat trick because the spammers love to try to hack or at least try to access my site.
I’m glad you managed to figure it out! Go you!
This is a great tip! I didn’t even know this was possible. Thanks for sharing!
Hey Ashley, this tutorial seems interesting and I want to do it but I have a question first: is it normal to be asked to enter my password every time I need to access my WP admin dashboard? Is there a way to be logged in always, as in Google or any social media account? If not, does that mean that I’ll have to enter 2 passwords after I implement this tutorial? Thanks in advance!
Most browsers have an option to remember passwords so you won’t be prompted every time. 🙂
Thanks for your reply Ashley, actually my cookies are enabled, and the “remember me” box is checked, sometimes the password is there so I just click to access, but most times I have to type it. All my passwords are saved in Chrome and Firefox and yet I have to login always only in WP, the rest of the websites work ok. Anyway, I will ask for help in the WP forum and then I’ll try to implement this. Thanks for your time.
I had to follow a tutorial of my own web host because it worked a little different but thanks for the tip. I didn’t even know this was possible.
I followed all the steps but when I tried it, the prompt doesn’t appear :S Do you think I could have done something wrong?
That might be something you’ll have to talk to your web host about. It’s possible you selected the wrong directory or something is more generally not set up correctly on your account. Your host will be in the best position to look into that for you. 🙂