Dec

WordPress Security – Adding Additional Protection to Your Login Page

I recently found myself right in the crosshairs of a brute force attack on a couple of my WordPress sites by someone who was adamantly trying to log in. I wasn’t really all that worried – I’ve made sure to follow my own advice regarding security.

But it was annoying.

The login attempts were coming from all kinds of different IP addresses, and all kinds of locations, and they kept trying the same set of usernames over and over again. And even though I’ve followed what I believe to be best practices and am using security tools like CloudFlare and WordFence, the attempts just kept coming.

I’ve got a lot of work to do, and the notifications were steadily flooding my inbox. Hundreds of them. Even though I could simply turn off the notice that the malicious attempt was blocked, that wasn’t enough for me. I wanted it stopped.

As always, there is more than one way to solve the problem, but I wanted something simple that wouldn’t require another plugin.

I found lots of different approaches and methods – like changing the path to the login.php page, various plugins, and restricting access to allow it only from specific IP addresses, among others.

However, I needed something that would enable me to work on my site wherever I have an internet connection, and most of those either weren’t quite what I was looking for, weren’t necessarily the best practice, were too restrictive, or some combination of those things.

I found this one on the main WordPress site here. This was the perfect solution and it works like a charm.

The thought process here is I want to add another layer of protection by password-protecting the login page. In order to add this additional layer of security to my site I needed to create a new document called .htpasswd.

You can use this tool here to generate the encrypted password for your .htpasswd file. I’d recommend creating a different username and password than what you normally use for your WordPress login, and don’t use admin as your username for either one.

I created a new file, named it .htpasswd, uploaded it to a non-public directory, which is a different directory than where my .htaccess file lives in the regular web root, and made sure the file permissions were set correctly so there wouldn’t be any security issues.

Once that file was created, there was an addition that needed to be made to my .htaccess to update a couple things and map where it needs to look for the authentication file.

Here is what needs to be added to the .htaccess. (Always make sure you’ve got a backup copy of your file before you make changes.)

# Stop Apache from serving .ht* files
# (On Apache 2.4 without mod_access_compat, use "Require all denied" instead of the two lines below.)
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

# Locking down the wp-login.php page
<Files wp-login.php>
# Set this to the full absolute path of your encrypted user password file.
# Apache does not expand ~, and comments must be on their own line, starting with #.
AuthUserFile /full/path/to/.htpasswd
AuthName "Restricted access"
AuthType Basic
# This is where you place your separate username to gain access to the login page.
Require user youruser
</Files>

After you’ve added those changes to your .htaccess file, enter your new username and password and then submit. Once authenticated, you should be brought to your wp-login.php page, where you can enter your WordPress username and password.
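
An added example, not code from the original post or from WordPress: a small Python check that audits the wp-login.php block for the mistakes that make this setup fail or expose the password file (trailing comments, a non-absolute AuthUserFile, a password file inside the web root) and classifies the hash format of an .htpasswd entry. The sample block, the web-root paths and the function names are assumptions made for the illustration.

```python
import posixpath
import re

# Constructed sample block; names and paths here are illustrative, not from the post.
SAMPLE = '''<Files wp-login.php>
AuthUserFile ~/.htpasswd // path to the password file
AuthName "Restricted access"
AuthType Basic
require user youruser
</Files>'''

def audit_login_block(htaccess, docroot):
    """Return findings for the <Files wp-login.php> block; an empty list means it passed."""
    block = re.search(r'<Files\s+"?wp-login\.php"?\s*>(.*?)</Files>', htaccess, re.S | re.I)
    if not block:
        return ["wp-login.php is not covered by a <Files> block"]
    findings, seen = [], {}
    for line in filter(None, map(str.strip, block.group(1).splitlines())):
        if line.startswith("#"):
            continue
        # Apache has no trailing comments: text after a directive is parsed as arguments.
        if re.search(r"\s(//|#)", re.sub(r'"[^"]*"', '""', line)):
            findings.append("trailing comment on directive: " + line.split()[0])
        name, _, args = line.partition(" ")
        seen[name.lower()] = args.split()
    path = (seen.get("authuserfile") or [""])[0].strip('"')
    if not path:
        findings.append("AuthUserFile missing")
    elif not path.startswith("/"):
        findings.append("AuthUserFile is not an absolute path (Apache does not expand ~)")
    elif posixpath.normpath(path).startswith(posixpath.normpath(docroot) + "/"):
        findings.append("password file is inside the web root")
    if [a.lower() for a in seen.get("authtype", [])] != ["basic"]:
        findings.append("AuthType Basic missing")
    if not seen.get("require"):
        findings.append("no Require directive")
    return findings

def hash_scheme(htpasswd_line):
    """Classify the hash format of one user:hash line from an .htpasswd file."""
    _, _, digest = htpasswd_line.strip().partition(":")
    if digest.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if digest.startswith("$apr1$"):
        return "apr1-md5"
    if digest.startswith("{SHA}"):
        return "sha1-unsalted"
    return "crypt-or-plaintext"
```

An entry reported as anything other than bcrypt is worth regenerating, since the password file is the only thing standing between the prompt and the login page.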

The good thing is that the attempts to break in to my sites were never successful, and my site never had any problems at all. Performance was solid before, during and after. Most importantly everything was safe and secure.

There are other options to lock up your WordPress site, but this did the trick for me. The attempts ceased as soon as I implemented this solution. Not a single attempt since.
