How to Protect WordPress Admin
Posted by Joe Rebis on 21 February 2014 03:06 PM

You can add an extra layer of security to your WordPress admin area by applying HTTP password protection to the login page.

Apply the protection to the login page (wp-login.php) only. It is not advisable to protect the whole "wp-admin" folder, because some plugins and other WordPress features use AJAX requests to that directory, and protecting it would trigger password prompts across your website.

These instructions apply to Windows-based shared hosting plans at EPhost. The technique can, with modification, be applied to any web server environment that supports .HTACCESS files.

1) Create a directory called "testpass" using FTP or the file manager in the control panel (CP).

2) Use the CP to edit your website and select the .HTACCESS tab on the details screen. You may need to "Enable Helicon Ape".

3) At the bottom, click "Add User" and follow the on screen instructions to create a user. For Auth Type select "Basic" and for Encryption select "Apache MD5". 

4) Click the "Add .HTACCESS Folder" button. Put your mouse in the "Folder Path" field and use the tree menu to select the folder you created in step 1. Click "Update" with no other changes.

5) Your folder will appear in the list of protected folders. Click the "Shield Icon" to the right and in AuthName enter PROTECTED. Under AuthType select "Basic", ignore the field with "# Helicon Ape", and tick the box next to the user you created in step 4. Click "Update".

6) Click on the directory NAME of your folder in the list of protected folders. Use your mouse to copy all of the text in the box. It will look like the following.

AuthName "PROTECTED"
AuthType Basic
AuthBasicProvider file
AuthUserFile c:\HostingSpaces\YourCompany\Your-Domain.com\wwwroot\.htpasswds
AuthGroupFile c:\HostingSpaces\YourCompany\Your-Domain.com\wwwroot\.htgroups
Require user johnsmith

7) Paste it into your favourite text or HTML editor (e.g. Notepad or TextEdit) and make it look like the following, nested inside a <FilesMatch> tag so that only wp-login.php is protected. Be sure to include the RewriteEngine On line just in case.

RewriteEngine on

<FilesMatch "^wp-login\.php$">
AuthName "PROTECTED"
AuthType Basic
AuthBasicProvider file
AuthUserFile c:\HostingSpaces\YourCompany\Your-Domain.com\wwwroot\.htpasswds
AuthGroupFile c:\HostingSpaces\YourCompany\Your-Domain.com\wwwroot\.htgroups
Require user johnsmith
</FilesMatch>

8) In the CP, look at the list of files and see if you have one called "\" (backslash). If not, use the "Add .HTACCESS Folder" button again, put your mouse in the "Folder Path" field, and use the tree menu to select "Root Folder". Click "Update".

9) Click on the "\" folder NAME and edit the large text box, placing the code from Step 8 at the bottom of the box, under "# Helicon Ape". Click "Update".

10) Test your modifications by logging into WP, and also by visiting pages on your site that should NOT be protected (they must load without a password prompt).
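The test in step 10 can be automated. The script below is an added example written for this article (it is not part of EPhost's control panel or of WordPress): it requests wp-login.php, the admin-ajax.php endpoint that plugins call via AJAX, and the home page without credentials, and reports whether only wp-login.php answers with an HTTP Basic challenge. The site URL is an assumption passed on the command line.

```python
"""Verify that HTTP Basic auth covers wp-login.php and nothing else."""
import sys
import urllib.error
import urllib.request

# True = the path must demand Basic auth; False = it must NOT.
# admin-ajax.php is listed because plugins call it via AJAX (see above).
EXPECTATIONS = {
    "/wp-login.php": True,
    "/wp-admin/admin-ajax.php": False,
    "/": False,
}


def fetch_status(base_url, path):
    """Return (status, WWW-Authenticate header) for the path, sent without credentials."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "htaccess-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:
        # 401/403/4xx arrive as exceptions; the headers are still available.
        return err.code, err.headers.get("WWW-Authenticate", "")


def is_basic_challenge(status, www_authenticate):
    """A real challenge is a 401 plus a WWW-Authenticate: Basic header."""
    return status == 401 and www_authenticate.strip().lower().startswith("basic")


def evaluate(observed, expectations=EXPECTATIONS):
    """observed: {path: (status, www_authenticate)} -> list of problems (empty = OK)."""
    problems = []
    for path, must_challenge in expectations.items():
        if path not in observed:
            problems.append(f"{path}: not checked")
            continue
        status, hdr = observed[path]
        challenged = is_basic_challenge(status, hdr)
        if must_challenge and not challenged:
            problems.append(f"{path}: expected a Basic auth challenge, got HTTP {status}")
        elif not must_challenge and challenged:
            problems.append(f"{path}: unexpectedly password-protected (AJAX/visitor prompts)")
    return problems


def check_site(base_url):
    """Fetch every path in EXPECTATIONS and return the list of problems."""
    return evaluate({path: fetch_status(base_url, path) for path in EXPECTATIONS})


if __name__ == "__main__":
    issues = check_site(sys.argv[1] if len(sys.argv) > 1 else "https://your-domain.example")
    print("\n".join(issues) if issues else "OK: only wp-login.php is protected")
```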

The procedure above only adds an extra layer of authentication and does not necessarily stop brute-force login attempts. For additional security see the links below.

http://codex.wordpress.org/Brute_Force_Attacks
http://www.frameloss.org/2011/07/29/stopping-brute-force-logins-against-wordpress/
http://www.frameloss.org/2013/04/26/even-easier-brute-force-login-protection-for-wordpress/

Copyright © 2015 EPhost, Inc. All rights reserved.