How to Password Protect the wp-login.php File

Protect your Wordpress Login page against Brute Force Attack.

There is a worldwide, highly-distributed WordPress attack that is ongoing. This attack is using forged or spoofed IP addresses to brute-force guess WordPress login passwords.
These attacks may slow down your site or server.

The following steps can be used to secure and prevent access to the wp-login.php file for all WordPress sites in your Panel Subscription (by password protection).

If you have multiple WordPress installations under the same httpdocs directory, this will protect them all

A: Generate Password File & Upload Via File Manager

One way to do this is to generate the file using the website linked below, and then upload it to your site via FTP or File Manager. In the directions below, we will use File Manager, but you could use FTP instead, for those of you familiar with FTP.

  1. Visit: http://www.htaccesstools.com/htpasswd-generator/
  2. Use the form to create the username and password.
  3. Login to Plesk Panel in another window or tab (https://<your-domain.com>:8443/).
  4. Click on WebSites&Domains->File Manager.
  5. Click on httpdocs.
  6. Look for a .wpadmin file.
    • If one exists, right click on it and select the pen icon (Edit  File) to open the editor. 
    • If one does not exist, click on Add New File at the top of the page, and specify the name as .wpadmin (with the dot at the front) and click on the Create a File button. Do NOT check "Use HTML template"
  7. Paste the code provided from the website htaccesstools.com in step 2.
  8. Click on OK button to save your changes  when complete.

Note: replace <your-domain.com> above with your real web site domain.


B: Create or Update the .htaccess File Via File Manager


The last step is to place the following code in the /home/username/.htaccess file:

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /var/www/vhosts/<your-domain.com>/httpdocs/.wpadmin
require valid-user
</FilesMatch>

Note: replace <your-domain.com> above with your real web site domain.




Properties ID: 000312   Views: 2844   Updated: 4 years ago
Filed under: