Password Protect wp-login.php Against Brute Force Login Attempts

Quick Steps:

  • First, create an .htpasswd file.
  • Edit .htaccess to restrict wp-login access to only the usernames and passwords defined in the .htpasswd file.
  • Flush your browser cache.

You can utilize .htaccess rules to password protect your wp-login.php file from brute force login attempts. The process will require an additional layer of security (additional username & password) in order to access the WordPress login.

Step 1.

In your cPanel file browser, navigate to the top level “home” directory. You’ll want to create a file called .htpasswd (dot htpasswd). Inside of this file, you will need to put a basic username & password in a format like so: username:password (be sure to put the : between the username & password)

Step 2.

Next, you will want to navigate to your public_html directory, or the directory where your WordPress installation is located. This will be the same directory where your wp-login.php file is located. Locate the file named .htaccess and click Code Edit. If you cannot find the .htaccess file, you will need to click the “Settings” button in the top right corner of the File Manager. Next, select Show Hidden Files and save, as shown by the location of the cursor in this image:

Showing hidden files

This will make the .htaccess file visible. You will want to add the lines below to your .htaccess file.

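# Protect WP Login
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
    # Prompt for the extra username & password before serving wp-login.php
    AuthName "Authorized Access Only"
    AuthType Basic
    # Absolute path to the .htpasswd file created in Step 1
    AuthUserFile /home/.htpasswd
    Require valid-user
</FilesMatch>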

You can now save your .htaccess file with the code shown above. Now, when you browse to your wp-admin or wp-login, you will be prompted for a username & password. Please note, this method is not meant to provide a high level of security, since the username & password are located in plain text inside of a file – the purpose of this method is simply to prevent bots & users from being able to directly access the WordPress login form.
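The username:password entry from Step 1 can hold different kinds of value: Apache's htpasswd tool writes it as a salted hash with -B (bcrypt) or -m (apr1 MD5) rather than as plain text. The shell script below is an added example, not part of the original article; it reports which scheme each entry in an .htpasswd file uses, going by the standard Apache prefixes. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how each entry in an .htpasswd file is stored.

# Echo the storage scheme of one "username:secret" line.
classify_entry() {
    case "$1" in *:*) ;; *) echo malformed; return 0 ;; esac   # needs the ':'
    user=${1%%:*}      # text before the first ':'
    secret=${1#*:}     # text after the first ':'
    if [ -z "$user" ] || [ -z "$secret" ]; then echo malformed; return 0; fi
    case "$secret" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;             # htpasswd -B
        '$apr1$'*)               echo apr1-md5 ;;           # htpasswd -m
        '{SHA}'*)                echo sha1-unsalted ;;      # htpasswd -s
        *)                       echo plaintext-or-crypt ;; # no known prefix
    esac
}

# Print "user scheme" for every entry; blank lines and # comments are skipped.
audit_htpasswd() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s %s\n' "${line%%:*}" "$(classify_entry "$line")"
    done < "$1"
}

# Echo how many entries are not stored as a salted hash (bcrypt or apr1-md5).
count_weak() {
    audit_htpasswd "$1" | grep -c -v -E ' (bcrypt|apr1-md5)$' || true
}

# Constructed sample file: not real credentials and not real hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed entries for illustration
alice:$2y$10$CONSTRUCTEDconstructedCONSTRUCTEDconstructedCONSTRUCTED0
bob:$apr1$constrct$CONSTRUCTEDexample0000
carol:{SHA}CONSTRUCTEDexampleDIGEST0000=
dave:password
EOF
audit_htpasswd "$sample"
echo "entries to re-create as a salted hash: $(count_weak "$sample")"
rm -f "$sample"
```

To check a real file, call audit_htpasswd with the path to the .htpasswd file created in Step 1.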

Lastly, should you have any questions, always feel free to get in touch with our support department.
