How to Protect WordPress Admin Windows Hosted Account
Posted by William Burdine on 07 October 2017 04:51 PM

 

You can add an additional layer of security to your WordPress Admin Area by applying password protection. 

Password-protecting access to your WordPress Admin area adds an additional layer of protection to the login page. It is not advisable to apply it to the whole "wp-admin" folder, as some plugins and other WP features use AJAX to talk to that directory, which will cause a password prompt to appear over your website.

 

Windows Hosting Plans

1) Login to your EPHost account

2) Click on the green 'Control Panel' button

3) Click on the 'File Manager' icon (NOTE: if you have multiple websites/domains, go to the one you wish to work with) and go into the "\wwwroot" folder

4) Create a directory (ex. 'testpass') using FTP or the file manager in the Control Panel.

5) In the Control Panel menu (on the left), click on 'Web Sites', then select the website/domain you wish to work with

6) Click on the website and select the .HTACCESS tab on the details screen.  (NOTE: You may need to "Enable Helicon Ape", if not enabled)

7) At the bottom, click "Add User" and follow the on-screen instructions to create a user. (ex. 'johnsmith')

8) For Auth Type select "Basic" and for Encryption select "Apache MD5".

9) Enter Password and confirm

10) Click 'Update'

11) Click the 'Add .HTACCESS Folder' button. Put your mouse in the "Folder Path" field and use the tree menu to select the folder you created in STEP one. Click "Update" with no other changes. [NOTE: ignore the field with "# Helicon Ape"]

Your folder will appear in the list of protected folders. Click the "Shield Icon"

12) In AuthName box enter "PROTECTED"

13) Under AuthType select "Basic", and click the box next to the user you created above

14) Click "Update"

15) In the section ".htaccess Folders", Click on the directory NAME of your folder in the list of protected folders. Use your mouse to copy all of the text in the box. It will look like the following. 

# Helicon Ape

AuthName "PROTECTED"
AuthType Basic
AuthBasicProvider file
AuthUserFile c:\HostingSpaces\YourCompany\Your-Domain.com\wwwroot\.htpasswds
AuthGroupFile c:\HostingSpaces\YourCompany\Your-Domain.com\wwwroot\.htgroups
Require user johnsmith password

16) Paste into your favorite text or HTML editor (e.g. Notepad or TextEdit) and make it look like the following, nested inside the <FilesMatch> tag. Be sure to include the RewriteEngine On part just in case.

# Helicon Ape

RewriteEngine on

<FilesMatch "^wp-login\.php$">
   AuthName "PROTECTED"
   AuthType Basic
   AuthBasicProvider file
   AuthUserFile c:\HostingSpaces\YourCompany\Your-Domain.com\wwwroot\.htpasswds
   AuthGroupFile c:\HostingSpaces\YourCompany\Your-Domain.com\wwwroot\.htgroups
   Require user johnsmith password
</FilesMatch>

17) Click 'Update'

18) In the Control Panel, look at the list of files and see if you have one called "\" (backslash). If not, use the "Add .HTACCESS Folder" button again, put your mouse in the "Folder Path" field and use the tree menu to select "Root Folder". Click "Update".

19) Click on the "\" folder NAME and edit the large text box to place the code in Step 8 at the bottom of the large text box under "# Helicon Ape". Click "update".

# Helicon Ape

RewriteEngine on

# Only wp-login.php is protected; the rest of the site stays open
<FilesMatch "^wp-login\.php$">
   AuthName "PROTECTED"
   AuthType Basic
   AuthBasicProvider file
   AuthUserFile c:\HostingSpaces\YourCompany\Your-Domain.com\wwwroot\.htpasswds
   AuthGroupFile c:\HostingSpaces\YourCompany\Your-Domain.com\wwwroot\.htgroups
   Require user johnsmith password
</FilesMatch>

 

Test your modifications by logging into WP or by visiting pages on your site that should NOT be protected, then the new place where you added protection.
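
The test described above can be scripted. The following is an added example, not part of the original article or EPHost's tooling: it requests wp-login.php, the home page and wp-admin/admin-ajax.php without credentials and reports any response that differs from what this setup should produce. The function names and the sample responses are constructed for illustration; pass your own site URL on the command line.

```python
import sys
import urllib.error
import urllib.request

# Path -> True if the server should answer 401 with a Basic challenge.
EXPECTED = {
    "/wp-login.php": True,              # the file named in <FilesMatch>
    "/": False,                         # public pages must stay open
    "/wp-admin/admin-ajax.php": False,  # AJAX endpoint used by plugins
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report a 3xx as received instead of following it

def fetch(base_url, path, timeout=10):
    """Return (status, WWW-Authenticate header) for one unauthenticated GET."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate", "")

def evaluate(path, status, challenge, realm="PROTECTED"):
    """Return a problem description for one response, or None if it is as expected."""
    if status >= 500:
        return f"{path}: HTTP {status}; check the AuthUserFile path and drive letter"
    if EXPECTED[path] and status != 401:
        return f"{path}: HTTP {status}, no password prompt; protection is not active"
    if not EXPECTED[path] and status == 401:
        return f"{path}: password prompt on a page that should be open"
    if status == 401 and not challenge.lower().startswith(f'basic realm="{realm.lower()}"'):
        return f"{path}: challenge {challenge!r} is not Basic with realm {realm!r}"
    return None

def check(responses):
    """responses maps path -> (status, challenge); returns the list of problems."""
    results = (evaluate(p, *responses[p]) for p in EXPECTED)
    return [r for r in results if r]

# Constructed responses, so the logic can be exercised offline.
GOOD = {"/wp-login.php": (401, 'Basic realm="PROTECTED"'),
        "/": (200, ""), "/wp-admin/admin-ajax.php": (400, "")}
WHOLE_SITE = {p: (401, 'Basic realm="PROTECTED"') for p in EXPECTED}

if __name__ == "__main__":
    base = sys.argv[1]  # your site URL, e.g. https://your-domain.example (placeholder)
    print(check({p: fetch(base, p) for p in EXPECTED}) or "OK")
```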

The procedure above only adds an extra layer of authentication and does not necessarily stop brute-force login attempts. For additional security see the links below.

 

TROUBLESHOOTING

IF YOU GET SERVER ERROR 5xx - One of two things can be the issue: the drive letter or the path.

FIRST, check your path. If you entered the code exactly as above, that is the issue. You need to enter YOUR INFORMATION for [\YourCompany] (your account name, found in your control panel) and YOUR domain where it says [\Your-Domain.com].

If these are correct and you are still getting an ERROR 5xx, then change the drive letter from "C:" to "D:".

If you are still experiencing issues, please contact support.
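
A pre-save check for the two mistakes discussed on this page, as an added example (not EPHost's or Helicon's code): it flags sample path values that were never replaced, which is the first troubleshooting cause above, and auth directives that sit outside a <FilesMatch> block, which would prompt for the whole folder. The function name lint and the filled-in values ExampleCo and example.com are constructed for illustration, and Python's regex engine is assumed to agree with the server's for a pattern this simple.

```python
import re

AUTH = re.compile(
    r"(AuthName|AuthType|AuthBasicProvider|AuthUserFile|AuthGroupFile|Require)\s", re.I)
FILESMATCH = re.compile(r'<FilesMatch\s+"?(.+?)"?\s*>$', re.I)
PLACEHOLDERS = ("YourCompany", "Your-Domain.com")  # sample values used in the article

def lint(text):
    """Return (line number, message) pairs for problems found in .htaccess text."""
    problems, scoped = [], False
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        opening = FILESMATCH.match(line)
        if opening:
            scoped = True
            pattern = opening.group(1)  # assumption: evaluated like a Python regex
            if not re.search(pattern, "wp-login.php"):
                problems.append((num, "FilesMatch pattern does not match wp-login.php"))
            if re.search(pattern, "admin-ajax.php"):
                problems.append((num, "FilesMatch pattern also matches admin-ajax.php"))
        elif line.lower() == "</filesmatch>":
            scoped = False
        elif AUTH.match(line):
            if not scoped:
                problems.append((num, "auth directive outside <FilesMatch>"))
            for name in PLACEHOLDERS:
                if name.lower() in line.lower():
                    problems.append((num, f"placeholder '{name}' left in path"))
    return problems

# The step 16 text exactly as published, then with constructed account values.
AS_PUBLISHED = r'''# Helicon Ape
RewriteEngine on
<FilesMatch "^wp-login\.php$">
   AuthName "PROTECTED"
   AuthType Basic
   AuthBasicProvider file
   AuthUserFile c:\HostingSpaces\YourCompany\Your-Domain.com\wwwroot\.htpasswds
   AuthGroupFile c:\HostingSpaces\YourCompany\Your-Domain.com\wwwroot\.htgroups
   Require user johnsmith password
</FilesMatch>'''
FILLED_IN = (AS_PUBLISHED.replace("YourCompany", "ExampleCo")
                         .replace("Your-Domain.com", "example.com"))

if __name__ == "__main__":
    for num, message in lint(AS_PUBLISHED):
        print(f"line {num}: {message}")
```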

 

REFERENCE

http://codex.wordpress.org/Brute_Force_Attacks
http://www.frameloss.org/2011/07/29/stopping-brute-force-logins-against-wordpress/
http://www.frameloss.org/2013/04/26/even-easier-brute-force-login-protection-for-wordpress/ 

 


Contact Support

If you are still having issues, please contact us for further help.
1-877-EPHOST1 | support@ephost.com

 

 


Copyright © 2015 EPhost, Inc. All rights reserved.