I received an awesome WordPress security question from Shannelle:
You’ve mentioned that you got to do a login page to access the real login page, and I was wondering, how did you do that? I’m being bothered by so many emails about people trying to access my site. Thanks!
This question is fully answered in the Make WordPress Your Bitch e-course, but I’ll also go over it here on the blog.
I protect my admin area with an “htpasswd” prompt.
Here’s what it looks like:
This little box keeps all the asshats out.
If you look at the screenshot, you’ll see that I’m on the login page, right? But before the login page loads, a prompt comes up saying “Authentication Required”.
Before anyone can gain access to the WordPress login form, they first have to pass this second security check. See where I’m going with this?
They have to fill out a different username and password BEFORE they can access the normal login form. That means, in order to gain access to my admin panel, you have to know two different username and password combinations. This immediately doubles my security.
How to set up an htpasswd prompt in cPanel
This tutorial assumes that your host uses cPanel. Most do, but if you’re not sure you can ask your web host.
In my example above, I’ve actually protected the wp-login.php page because that’s what I prefer for my own site. But for the sake of creating a simpler tutorial to follow, we’re actually going to protect the entire /wp-admin/ directory. You’ll notice that the whole admin area has /wp-admin/ in the URL, so we’re basically protecting all those pages.
Because of this difference, the process will actually be reversed for you.
- First they get the WordPress login.
- After SUCCESSFULLY getting through that, they THEN get the htpasswd box.
- They cannot access the admin area until getting through the htpasswd prompt.
I prefer my method where the htpasswd box comes first and WordPress login comes second, but that involves protecting a file. If I’m being honest, I have no idea how to do a tutorial for that in cPanel. My site doesn’t use cPanel (I have a dedicated server and do everything through command prompt).
So in order to provide a tutorial that most people can follow (using cPanel) I have to use a different method.
But ultimately we’re offering the same protection—it’s just happening in a different order.
Step #1: Log in to cPanel
Log in to cPanel with your web host. Scroll down and look for the section called “Security”. Then click the icon named Password Protect Directories.
Step #2: Choose the directory
As soon as you click that icon, you’ll get a popup box that looks like this:
Select Web Root and click Go.
You will be brought to a new page that lists the directories in your root. You want to choose wp-admin.
Step #3: Set your username and password
Finally, you will be brought to this next page:
There are a few things you need to do:
- Check the box to “Password protect this directory”.
- Enter a name. This can be anything. It’s just a message that appears in the prompt.
- Create a new user: set a username and password. This is what you will need to enter in the login prompt each time. Be sure to save these details in 1Password or LastPass so you don’t forget them!
Save all your changes once you’ve filled them out.
Step #4: Test it!
Once you’re done, the protection should be in place. Visit http://yoursite.com/wp-admin to confirm. The prompt should come up! Now you’ve got an extra layer of protection. GO YOU!
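For readers who have shell access to their server, here is the file-level variant mentioned earlier (htpasswd prompt on wp-login.php first, WordPress login second), written out by hand. This is an added example and not code from the post; it assumes Apache with .htaccess overrides enabled, and the docroot and credentials-file paths are placeholders you must substitute.

```shell
#!/bin/sh
# Added example (not from the post): put an HTTP Basic auth prompt in front of
# wp-login.php only, so the "Authentication Required" box appears before the
# WordPress login form. Assumes Apache with AllowOverride enabled for the site.

# Write the .htaccess rules into the WordPress docroot. The credentials file is
# given as an absolute path OUTSIDE the web root so it can never be downloaded.
write_login_htaccess() {
  docroot="$1"; authfile="$2"
  cat > "$docroot/.htaccess" <<EOF
# Second password prompt before the WordPress login form (added example)
<Files "wp-login.php">
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "$authfile"
    Require valid-user
</Files>
EOF
}

# Create or update a user with a bcrypt hash (htpasswd -B). The password is read
# from stdin (-i) so it never lands in shell history or in `ps` output.
add_login_user() {
  authfile="$1"; user="$2"
  if [ -f "$authfile" ]; then
    htpasswd -i -B "$authfile" "$user"
  else
    htpasswd -i -B -c "$authfile" "$user"
  fi
}

# Step #4 equivalent: an unauthenticated request to wp-login.php must get
# HTTP 401 before WordPress ever renders its own form. Returns non-zero otherwise.
check_login_prompt() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1/wp-login.php")
  [ "$code" = "401" ]
}

# Usage (placeholder paths, adjust to your server):
#   write_login_htaccess /var/www/yoursite.com /etc/apache2/.htpasswd-wp
#   printf '%s\n' 'your-second-password' | add_login_user /etc/apache2/.htpasswd-wp shannelle
#   check_login_prompt https://yoursite.com && echo "prompt is in place"
```

Protecting only wp-login.php, rather than the whole /wp-admin/ directory, also leaves /wp-admin/admin-ajax.php reachable, which some front-end plugins need for logged-out visitors.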