Everyone knows WordPress well type http://URL/wp-admin for login, so does hacker. Other than using stronger password, there is another way to protect yourself. That is “password protect admin directory”. It adds and additional level of security, works somewhat like two-step authentication. This can be very easy to implement and effective for website with handful of users.
There are two ways to password protect a directory.
Using cPanel Interface
Step 1: In cPanel, open “password protected directories” in security section
Step 2: Select your website directory.
Step 3: Select wp-admin folder.
Step 4: Now check Password protect this directory and Name the protected directory something like “Protected Admin Panel”. Create username and (a strong) password for wp-admin directory, then click Save.
That’s it. Now clear browser cache and open wp-admin page, you should be prompted with a pop-up box asking for username & password before you can get to the familiar WordPress wp-admin login interface.
Password Protect Directory using .HTACCESS (the Manual method)
What we did using cPanel is activating the directory protection by creating following content in the .HTACCESS file in the specific directory (wp-admin).
AuthName "Protected Admin Panel" AuthType Basic AuthUserFile /path/to/your/directory/.htpasswd AuthGroupFile /dev/null require valid-user
.htpasswd is the file that stores username & encrypted password for the password protected directory. For security purpose, cPanel app put this file out of the regular public_html folder. Instead of
/home/username/public_html/wp-admin
you should find this line in the .HTACCESS file
/home/username/.htpasswds/public_html/wp-admin/passwd
There are quite a few ways to create / add user & encrypted password to the password file. You can either using online version Htpasswd Generater, or Linux command line.
Apparently, this added security can be troublesome for you, the developer and site owner. To exclude trusted users from the extra layer of security, I normally add their machine’s IP address to trusted list. Now let’s edit the .HTACCESS file as following:
AuthName "Protected Admin Panel" AuthType Basic AuthUserFile /path/to/your/directory/.htpasswd AuthGroupFile /dev/null require valid-userOrder deny,allow Deny from all Allow from XXX.XXX.XXX.XXX Satisfy Any
You may also want to add following code to it, in case the “Password Protected” wp-admin security measure breaks the Ajax functionality in some themes or plugins that use ajax in the front-end.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>