Following the numerous hack/bruteforce attacks aiming at hacking the WordPress, we advise you to install the extension Limit Login Attemps,
However in some cases the attacks being launched from very large botnet, this module is not efficient enough and can not block all IPs. For this reason, we will show you how to add a second authentication to your wordpress, thus preventing malicious requests from reaching your wordpress. Once you’ve done this, you’ll get a new pop-up asking for a password before you get to the login page:
The purpose of this tutorial is to make a double authentication on the wp-admin folder and the wp-login.php authentication page; we will do this with the .htaccess files
First of all you have to create a passwd file which will contain your login and password, I recommend you to use a totally different user than your WordPress one.
In my case I will put this file outside the public_html at this place
For that I recommend this site: https://www.askapache.com/online-tools/htpasswd-generator/ , it should look like this;
Once this file contains the login and password, you will have to create a .htaccess file in the /wp-admin folder (/home/comptecp/public_html/wp-admin/.htaccess)
This file will contain these different lines,
ErrorDocument 401 default AuthType Basic AuthName "Double Authentification PlanetHoster" AuthUserFile /home/comptecp/.htpasswds require valid-user
Once all this is done, you will now have a second password needed to access your wp-admin, thus reducing malicious login attempts through this avenue.
To secure the xmlrpc and wplogin pages, you will need to edit the .htaccess at the root of your hosting instead and add the following lines before the “#Begin wordpress” section
ErrorDocument 401 default <FilesMatch "^((wp-login)\.php|(xmlrpc)\.php)$"> AuthName "Double Authentification PlanetHoster" AuthType Basic AuthUserFile /home/comptecp/.htpasswds Require valid-user </FilesMatch>