
Protecting your WordPress With Double Authentication Via htaccess

This article follows numerous hacking and brute-force attacks targeting WordPress sites. While we recommend installing the Limit Login Attempts plugin, some attacks are launched from very large botnets, and the plugin is not powerful enough to block all of their IP addresses.

Here we show you how to add a second layer of authentication to your WordPress site, so that malicious requests are stopped before they reach it. The goal is to put double authentication (an HTTP Basic authentication prompt in front of the WordPress login) on the wp-admin folder and the wp-login.php authentication page; we will do this using .htaccess files.

Once you have completed these steps, you will see a new pop-up asking for a password before you reach the login page.

Note: The PlanetHoster Glossary contains explanations on multiple topics and can be consulted to clarify certain terms.

Procedure

Creating the passwd File

First, you need to create a passwd file that will contain your login and password. It is recommended that you use a username that is completely different from your WordPress username.

Here, we will place this file outside of public_html, specifically in this location:

/home/comptecp/.htpasswds

To generate the contents of the .htpasswd file, we recommend the website https://www.askapache.com/online-tools/htpasswd-generator/. The resulting file should look like this:

test:$apr1$hXJoJMrD$Ax/zRnRrOkMD4Niw2N8yH1

Double Authentication for the wp-admin Folder

Once you have created this file containing the login and password, you will need to create an .htaccess file in the /wp-admin folder (/home/comptecp/public_html/wp-admin/.htaccess).

This file will contain the following lines:

ErrorDocument 401 default
AuthType Basic
AuthName "Double Authentification PlanetHoster"
AuthUserFile /home/comptecp/.htpasswds
require valid-user

Once this is done, a second password is required to access wp-admin, which reduces malicious login attempts via this route.

Double Authentication for the wp-login Page

To secure the xmlrpc.php and wp-login.php pages, you will need to edit the .htaccess file at the root of your hosting and add the following lines before the “# BEGIN WordPress” section:

ErrorDocument 401 default
<FilesMatch "^((wp-login)\.php|(xmlrpc)\.php)$">
AuthName "Double Authentification PlanetHoster"
AuthType Basic
AuthUserFile /home/comptecp/.htpasswds
Require valid-user
</FilesMatch>

XML-RPC stands for “XML remote procedure call.” It is the component that allows other applications to connect to WordPress and perform operations on it. With the block above in place, any application that uses xmlrpc.php must also supply the second login.
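
A quick way to check the result before relying on it, as an added example that is not PlanetHoster's own code: the script below reads .htaccess text and reports whether wp-login.php and xmlrpc.php are covered by an authenticated FilesMatch block and whether the password file sits outside public_html. The function names and the embedded sample are constructed for illustration, and it assumes Python's re module treats these simple patterns the same way Apache's regex engine does.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the root .htaccess block from the article, paths as on the page.
SAMPLE_HTACCESS = r'''ErrorDocument 401 default
<FilesMatch "^((wp-login)\.php|(xmlrpc)\.php)$">
AuthName "Double Authentification PlanetHoster"
AuthType Basic
AuthUserFile /home/comptecp/.htpasswds
Require valid-user
</FilesMatch>
'''

BLOCK = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.S | re.I)


def parse_directives(body):
    """Map each directive name (lower-cased) to its argument string."""
    found = {}
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1].strip()
    return found


def audit(htaccess, docroot, must_protect=("wp-login.php", "xmlrpc.php")):
    """Return a list of findings; an empty list means every check passed."""
    findings, covered = [], set()
    for pattern, body in BLOCK.findall(htaccess):
        d = parse_directives(body)
        if d.get("authtype", "").lower() != "basic":
            continue  # not an authentication block
        if d.get("require", "").lower() != "valid-user":
            findings.append(f"{pattern}: missing 'Require valid-user'")
            continue
        userfile = d.get("authuserfile", "")
        if not userfile:
            findings.append(f"{pattern}: missing AuthUserFile")
            continue
        if PurePosixPath(userfile).is_relative_to(docroot):
            findings.append(f"{userfile}: password file is inside the document root")
        # FilesMatch is applied to the file name only, so test bare names.
        covered.update(n for n in must_protect if re.search(pattern, n))
    findings += [f"{n}: not covered by an authenticated FilesMatch block"
                 for n in must_protect if n not in covered]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HTACCESS, "/home/comptecp/public_html") or ["OK"]:
        print(finding)
```

An empty result only says the file is written as intended; confirm on the live site that wp-login.php answers with the password prompt before the WordPress form appears.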

Updated on 27 February 2026
