Tutorial – Lock down WordPress login (wp-login.php)

If you are the only WordPress login user, you can lock down the WordPress login page to reduce the attack surface.

Method 1 – limit to fixed IP(s)
Method 2 – use additional Password to protect WordPress login page


[Method 1]
If you have a fixed broadband IP, you may simply restrict wp-login.php to that IP only, which blocks brute-force attempts from anywhere else.

Log in to FTP, go to your website folder, and you shall find a .htaccess file, probably with the following content –

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /wordpress/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wordpress/index.php [L]
</IfModule>

# END WordPress

Now add (do not overwrite) the following block to .htaccess, replacing 1.1.1.1 with your fixed broadband IP (list several addresses separated by spaces if you have more than one).

<Files wp-login.php>
Order deny,allow
deny from all
allow from 1.1.1.1
</Files>

Then, you can –
1. test the login from your fixed broadband IP, and
2. try to log in to WordPress from another device on a different network (i.e. a different source IP); it shall display Forbidden.

To check your broadband IP, you may visit http://www.whatismyip.com

ref.: https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
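As an added illustration (not part of this tutorial), the following Python script parses the access directives from a <Files> block and applies mod_access_compat's Order semantics, so you can check which client IPs would reach wp-login.php before touching the live .htaccess; it also shows that the same deny/allow lines under Order allow,deny would lock out the listed IP as well. The sample block, the 198.51.100.0/24 range and all function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample: the tutorial's Method 1 block with Order stated
# explicitly and a second (hypothetical) allowed range added.
SNIPPET = """
<Files wp-login.php>
Order deny,allow
deny from all
allow from 1.1.1.1 198.51.100.0/24
</Files>
"""

def parse_access_block(text):
    """Return (order, allow_rules, deny_rules); Apache defaults to Deny,Allow."""
    order, allow, deny = "deny,allow", [], []
    for line in text.splitlines():
        m = re.match(r"\s*(order|allow|deny)\s+(?:from\s+)?(.+?)\s*$", line, re.I)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "order":
            order = value.replace(" ", "").lower()
        elif key == "allow":
            allow.extend(value.split())
        else:
            deny.extend(value.split())
    return order, allow, deny

def _matches(rule, client_ip):
    # Only 'all', single addresses and CIDR ranges are handled here.
    if rule.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)

def is_allowed(order, allow, deny, client_ip):
    hit_allow = any(_matches(r, client_ip) for r in allow)
    hit_deny = any(_matches(r, client_ip) for r in deny)
    if order == "deny,allow":
        # Deny rules first; a matching Allow overrides; unmatched requests pass.
        return hit_allow or not hit_deny
    if order == "allow,deny":
        # Must match an Allow and no Deny; 'deny from all' then blocks everyone.
        return hit_allow and not hit_deny
    raise ValueError("unsupported Order: " + order)

def check_wp_login(client_ip, snippet=SNIPPET):
    """True if client_ip may reach wp-login.php under the given snippet."""
    order, allow, deny = parse_access_block(snippet)
    return is_allowed(order, allow, deny, client_ip)
```

Run check_wp_login("203.0.113.9") to see a request from an unlisted address rejected, and compare is_allowed("allow,deny", ["1.1.1.1"], ["all"], "1.1.1.1") to see why the Order line matters.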



[Method 2]
If you do not have a fixed broadband IP (i.e. a dynamic IP), you may use an additional password to protect wp-login.php.

We use Apache's password protection (HTTP Basic authentication) to add an extra layer in front of the WordPress login page.

You may use an htpasswd generator to create the entry. Enter a username (e.g. peter) and a password (e.g. apple), and you shall get something similar to the following –

peter:$apr1$QJxjyiOr$dCIb8./P.PFbxe??????u/

Create a file named .htpasswd and paste the newly generated line into it.

Log in to FTP, go to your website folder, and you shall find a .htaccess file, probably with the following content –

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /wordpress/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wordpress/index.php [L]
</IfModule>

# END WordPress

Now add (do not overwrite) the following block to .htaccess.

(Remember to set AuthUserFile to the correct absolute path of your .htpasswd file.)

# Deny .ht* access
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

# Protect wp-login.php
<Files wp-login.php>
AuthUserFile /home/someUser/somePath/.htpasswd
AuthName "Restricted Access"
AuthType Basic
require valid-user
</Files>

Then, when you visit http://www.YourDomain.com/login, the browser shall show the password prompt, as below –

[screenshot: password prompt shown before the WordPress login page]

Notes:

  • The above methods require that the web host honours .htaccess files with the necessary overrides (such as FileInfo) enabled.
    (On shared hosting these are usually enabled.)
