How to secure WordPress(wp-login/admin.php) with Basic Authentication

Published on:
Last updated:

This post is also available in: 日本語 (Japanese)

Wordpress hacking attacks were becoming badly especially this year.

By applying Basic authentication to admin.php and wp-login.php of wordpress, it is a simple but hacking of the site less likely to be.

If you have access to wp-login.php(wordpress login screen) by applying the Basic authentication, you will be prompted for a password and user name, as in the image.



There is a [Brute force attack] and [Dictionary attack] to the famous hacking method.

[Dictionary attack]to attack and dictionary of the anticipation of ID / PASS wordpress user is likely to use.
[Brute force attack] to attack to try to order a combination of string.

Safety is enhanced that is different from the wordpress ID/PASS of Basic authentication.

The plug-in [Simple Login Lockdown] is recommended as a counter to the [Brute force attack].
Please refer to the article [How to remove Simple Login Lockdown when you can not log in].

Apply the Basic authentication to wp-login.php/admin.php of wordpress

AuthUserFile    home/www/.htpasswd
AuthName    "Input UserName And Pass"
AuthType    Basic

<Files wp-login.php>
require valid-user
<FilesMatch "\/?wp-admin">
require valid-user
<Files wp-admin/admin-ajax.php>
Satisfy any
order allow,deny
allow from all

# Exclude the file upload and WP CRON scripts from authentication
<FilesMatch "(async-upload\.php|wp-cron\.php|xmlrpc\.php)$">
    Satisfy Any
    Order allow,deny
    Allow from all
    Deny from none

1.Create [.htaccess] file in the same directory as the wp-login.php

2.Copy and paste the above code.

3.Change the full path from the root directory the part of the [home/www/.htpasswd] of [AuthUserFile] to put [.htpasswd] file.

4.Create [.htpasswd] file in the location that you specify.

5.Tools link below, generate a UserName/PASS to be used when the Basic authentication.(PASS and UseName you like)

6.Paste to [.htpasswd] code that is generated.

7.To operation verification try to access management screen(wp-admin.php) and login screen(wp-login.php).

If the failure occurs, please remove the code that you copy and paste the above [.htaccess] file.

Reference site:
User:Hakre/Htaccess Auth Excludes « WordPress Codex

Kuniyoshi Takemoto is the founder of LLC, and editor of this blog( more and follow me on LinkedIn.