In a previous post, I mentioned a security tip called "Password Protect WordPress Admin Directory (wp-admin) for Enhanced Security". Besides http://your-url/wp-admin, there is another login link to your site: http://your-url/wp-login.php. As a matter of fact, http://your-url/wp-admin still requires access to the file wp-login.php, which sits outside the wp-admin folder. It makes sense to extend the password protection strategy to wp-login.php as well.
On some sites, password protecting the wp-admin folder can break plugins that use Ajax on the front end. Password protecting wp-login.php instead is an alternative solution.
Applying the same Apache authentication rule, we add the following code to the .htaccess file in the website root directory (normally /public_html/).
# Password Protect wp-login.php
# The <Files> block limits the rule to wp-login.php only; without it, a root
# .htaccess would demand a password for every page on the site.
<Files wp-login.php>
AuthUserFile "/path/to/your/directory/.htpasswd"
AuthType Basic
AuthName "Open Sesame"
Require valid-user
</Files>
For security purposes, I strongly recommend saving the .htpasswd file in a separate folder rather than in the same directory as the .htaccess file, ideally outside the web root so the web server can never serve it. For example, if the website is located at "/home/user/public_html/", it is much safer to keep the .htpasswd at "/home/user/.htpasswds/public_html/".
Again, for ease of use, if you want to exempt your own development machine (and other trusted users) from being asked for a password on every visit, add the IP address to a trusted list. The code in .htaccess then becomes:
# Password Protect wp-login.php
# Order/Deny/Allow/Satisfy are Apache 2.2 directives; Apache 2.4 only accepts
# them when mod_access_compat is loaded.
<Files wp-login.php>
Order deny,allow
Deny from all
AuthUserFile "/path/to/your/directory/.htpasswd"
AuthType Basic
AuthName "Open Sesame"
Require valid-user
# Replace XXX.XXX.XXX.XXX with the trusted address; Satisfy Any lets a request
# through if it matches this address OR presents valid credentials.
Allow from XXX.XXX.XXX.XXX
Satisfy Any
</Files>
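The same "trusted IP or valid user" rule written in native Apache 2.4 syntax, as an added example that is not from the original post. It assumes the site root /home/user/public_html, the password file location the post recommends, and 203.0.113.10 as a placeholder trusted address.

```apache
# Added example: Apache 2.4 equivalent of the 2.2 "Satisfy Any" rule above.
# Create the password file outside the web root first (bcrypt hashes), e.g.:
#   htpasswd -c -B /home/user/.htpasswds/public_html/.htpasswd admin
<Files "wp-login.php">
    AuthType Basic
    AuthName "Open Sesame"
    AuthUserFile "/home/user/.htpasswds/public_html/.htpasswd"
    # RequireAny replaces Order/Deny/Allow + Satisfy Any: a request passes if
    # it comes from the trusted address OR presents valid credentials.
    <RequireAny>
        Require ip 203.0.113.10
        Require valid-user
    </RequireAny>
</Files>
```

Because this form does not depend on mod_access_compat, it keeps working on hosts that ship Apache 2.4 without the legacy access module.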