Dec
Dec

WordPress Security – Adding Additional Protection to Your Login Page

wordpress-security-smI recently found myself right in the crosshairs of a brute force attack on a couple of my WordPress sites by someone who was adamantly trying to login. I wasn’t really all that worried – I’ve made sure to follow my own advice regarding security.

But it was annoying.

The login attempts were coming from all kinds of different IP addresses, and all kinds of locations, and they kept trying the same set of usernames over and over again. And even though I’ve followed what I believe to be best practices and using security tools like CloudFlare and WordFence the attempts just kept coming.

I’ve got a lot of work to do, and the notifications were steadily flooding my inbox. Hundreds of them. Even though I could simply turn off the notice that the malicious attempt was blocked, that wasn’t enough for me. I wanted it stopped.

As always, there is more than one way to solve the problem, but I wanted something simple that wouldn’t require another plugin.

I found lots of different approaches and methods – like changing the path to the login.php page, various plugins, and restricting access to allow it only from specific IP addresses, among others.

However, I needed something that would enable me to work on my site wherever I have an internet connection, and most of those either weren’t quite what I was looking for, weren’t necessarily the best practice, were too restrictive, or some combination of those things.

private-accessI found this one on the main WordPress site here. This was the perfect solution and it works like a charm.

The thought process here is I want to add another layer of protection by password-protecting the login page. In order to add this additional layer of security to my site I needed to create a new document called .htpasswd.

You can use this tool here to generate the the encrypted password for your .htpasswd file. I’d recommend to create a different username and password than what you normally use for your WordPress login, and don’t use admin as your username for either one.

I created a new file, named it .htpasswd, uploaded it to a non-public directory, which is a different directory than where my .htaccess file lives in the regular web root, and made sure the file permissions were set correctly so there wouldn’t be any security issues.

Once that file was created, there was an addition that needed to be made to my .htaccess to update a couple things and map where it needs to look for the authentication file.

Here is what needs to be added to the .htaccess. (Always make sure you’ve got a backup copy of your file before you make changes.)

# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

# Locking down the wp-login.php page
<Files wp-login.php>
AuthUserFile ~/.htpasswd // this is where you'll need to make sure you've got your path set correctly to your encrypted user password file.
AuthName "Restricted access"
AuthType Basic
require user youruser // this is where you place your separate username to gain access to the login page

</Files>

After you’ve added those changes to your live site, check your WordPress log-in page and you should be prompted for the new username and password you created in your .htpasswd file. Enter your new username and password and then submit. Then once authenticated, you should then be brought to your wp-login.php page where you can enter your WordPress username and password.

The good thing is that the attempts to break in to my sites were never successful, and my site never had any problems at all. Performance was solid before, during and after. Most importantly everything was safe and secure.

There are other options to lock up your WordPress site, but this did the trick for me. The attempts ceased as soon as I implemented this solution. Not a single attempt since.

See Also:

Why do I need a sales funnel for my online business?

Jan

"Here’s the deal: An online sales funnels is like having the very best salesman you can imagine working for you online 24/7. It doesn’t ask for vacations or raises. It doesn’t call in sick. It’s simply working around the clock, 24/7 365 days a year to win customers for your business. And online sales funnels […]"

Keep Reading...

Does it cost money to start a blog?

Jul

"This question is really similar to the last one, but I want to give it its own answer because it approaches the subject a little differently. The short answer is no, it doesn’t cost anything to start a blog. But here’s the deal: When you’re focused on doing things for “free” you’re focused on the […]"

Keep Reading...

How to choose your blogging platform

Jun

"There are a lot of choices when it comes to the platform you want to use for your new blog. But I’m only going to recommend one: WordPress. A self-hosted WordPress blog is the right choice here. I’m not talking about starting on wordpress.com and doing things there. I’m talking about having your very own […]"

Keep Reading...

ClickFunnels For Dummies – From Newb To Expert

Mar

"‘ClickFunnels for dummies’ is what you search for when you just need to get to the bottom of things. Just like the book series that goes by the same name, the idea is to do away with the fluff and boil down to the basics you need to understand on the topic. And that’s exactly […]"

Keep Reading...

How To Generate Leads For Your Cleaning Business

Feb

"Looking for answers on how to generate leads for your cleaning business? I’ve got you covered. What I’m going to show you today is how to get clients for your cleaning business in ways your competition hasn’t even thought about. If your business is going to survive and even thrive you have to have a […]"

Keep Reading...

Setting up Google Analytics & Search Console | How To Make A WordPress Blog Step-by-Step 2020

Mar

" Feeling like you don’t know what’s going on with your website is a terrible feeling. The problem is you don’t have any idea about what’s going on and whether or not any of your creative efforts are generating results – or not. And if they’re not generating results, then what are we all doing […]"

Keep Reading...

Buying Premium Domains

Sep

"Sometimes the domain name you choose is already registered, as mentioned previously. However, don’t let that stop you. Buying your domain name from someone else is a great way to get that perfect domain you’re searching for, but wasn’t available for registration on Godaddy. Premium domains are those that show up with those big price […]"

Keep Reading...

How To Set Up Your MailChimp Account | How To Make A WordPress Blog Step-by-Step 2020

Mar

"Looking for help on how to set up your Mailchimp account? I’ve got you covered. One of the things that I’ve heard over and over again from successful digital marketers is how they wish they’d started building their list earlier. The importance of building your audience and building your email list cannot be overestimated. It’s […]"

Keep Reading...

How often should I post to my blog?

Jun

"You should publish new posts to your blog as often as you can. If you’re someone who thrives on schedules and formality, at least once a week is a good baseline to start with. But that’s the bare minimum. Remember, you’re practicing when you’re getting started. So the more practice you get the faster you’re […]"

Keep Reading...

How Do I Start a Blog for Free?

Jul

"How do I start a blog for free? If you want to start a blog for free, you should know that there are virtually limitless resources available to you. You don’t have to spend money to start blogging – not all blogs require startup costs or fees. You can start a blog for free online […]"

Keep Reading...

Join The
Conversation

Leave a Reply

Your email address will not be published.

Name (required)