
Protecting your WordPress with double authentication via htaccess

Hello everyone,

Following the numerous hacking and brute-force attacks targeting WordPress, we advise you to install the Limit Login Attempts extension.

However, when attacks are launched from a very large botnet, this module is not effective enough and cannot block all IPs. For this reason, we will show you how to add a second authentication layer to your WordPress, thus preventing malicious requests from reaching it. Once you've done this, a new pop-up will ask for a password before you get to the login page:



The purpose of this tutorial is to set up double authentication on the wp-admin folder and the wp-login.php authentication page. We will do this with .htaccess files.



First of all, you have to create a password file which will contain your login and password. I recommend using a totally different user than your WordPress one.

In my case, I will put this file outside public_html, at this location:

/home/comptecp/.htpasswds

To generate its content, I recommend this site: https://www.askapache.com/online-tools/htpasswd-generator/. The result should look like this:

test:$apr1$hXJoJMrD$Ax/zRnRrOkMD4Niw2N8yH1

Once this file contains the login and password, you will have to create a .htaccess file in the /wp-admin folder (/home/comptecp/public_html/wp-admin/.htaccess).

This file will contain the following lines:

ErrorDocument 401 default
AuthType Basic
AuthName "Double Authentification PlanetHoster"
AuthUserFile /home/comptecp/.htpasswds
require valid-user

Once all this is done, you will now have a second password needed to access your wp-admin, thus reducing malicious login attempts through this avenue.

To secure the xmlrpc.php and wp-login.php pages, you will need to edit the .htaccess at the root of your hosting instead and add the following lines before the “# BEGIN WordPress” section:

ErrorDocument 401 default
<FilesMatch "^((wp-login)\.php|(xmlrpc)\.php)$">
AuthName "Double Authentification PlanetHoster"
AuthType Basic
AuthUserFile /home/comptecp/.htpasswds
Require valid-user
</FilesMatch>
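
To check an edited .htaccess before relying on it, the following added example (not part of the original article) parses the directives and reports anything missing from the setup described above. The function names `parse_scopes` and `audit` and the `ROOT_WEAK` sample are hypothetical, and Python's `re` module stands in for Apache's regex engine, which is equivalent for this pattern.

```python
import re
from pathlib import PurePosixPath

def parse_scopes(text):
    """Split .htaccess text into (files_regex_or_None, {directive: value}) scopes."""
    top = current = {}
    scopes = [(None, top)]  # None = directives that apply to the whole directory
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<FilesMatch\s+"([^"]+)"\s*>', line, re.I)
        if opened:
            current = {}
            scopes.append((opened.group(1), current))
        elif line.lower().startswith("</filesmatch"):
            current = top
        else:
            name, _, value = line.partition(" ")
            current[name.lower()] = value.strip().strip('"')
    return scopes

def audit(text, docroot, targets=()):
    """Return a list of findings; an empty list means every check passed."""
    scopes = [s for s in parse_scopes(text) if "authuserfile" in s[1]]
    if not scopes:
        return ["no AuthUserFile directive found"]
    findings = []
    for pattern, d in scopes:
        where = pattern or "whole directory"
        for key, want in (("authtype", "basic"), ("require", "valid-user")):
            if d.get(key, "").lower() != want:
                findings.append(f"{where}: expected {key} {want}")
        if PurePosixPath(docroot) in PurePosixPath(d["authuserfile"]).parents:
            findings.append(f"{where}: password file is inside the document root")
    for name in targets:  # every target must fall under an authenticated scope
        if not any(p is None or re.search(p, name) for p, _ in scopes):
            findings.append(f"{name}: not covered by any authenticated scope")
    return findings

DOCROOT = "/home/comptecp/public_html"  # constructed inputs: article snippet + weakened copy
ROOT_OK = r'''ErrorDocument 401 default
<FilesMatch "^((wp-login)\.php|(xmlrpc)\.php)$">
AuthName "Double Authentification PlanetHoster"
AuthType Basic
AuthUserFile /home/comptecp/.htpasswds
Require valid-user
</FilesMatch>'''
ROOT_WEAK = ROOT_OK.replace(r"|(xmlrpc)\.php", "").replace("/home/comptecp/", DOCROOT + "/")
```

Calling `audit(ROOT_WEAK, DOCROOT, ("wp-login.php", "xmlrpc.php"))` returns two findings: the password file sits under public_html, and xmlrpc.php is no longer behind the second password.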
Updated on 8 March 2022
