Thursday 21 Nov 2013

Protect WordPress administration

Sites built on off-the-shelf products such as WordPress have the disadvantage that attackers know where the administration area is and which URL is used to log in to it.

Having read a few articles on how to protect the administration area, none of which I found satisfactory, here is my method, which is based on a password.


The articles I read were all based on an IP address, which either prevents you from connecting from anywhere but home or, if you allow an IP range, lets far too many people through.

So you will have two passwords to enter: the one from this .htaccess and the usual one on the WordPress login page. They can be identical, or the first can be simple and, of course, stored in your browser: the attempts come from robots trying to log in automatically, and the first password blocks them because they are not designed to deal with it, even a very simple one. ;-)

Also, I protect only the wp-login.php file, so if you are already logged in and the session cookie is still valid, the second password will not be asked for. Here is the code to add to your .htaccess file:

<Files wp-login.php>
    AuthType Basic
    AuthUserFile /var/www/[your real path]/.htpass
    AuthName "Administration"
    # No <Limit GET POST> wrapper here: Apache applies a <Limit> block only to the
    # listed methods, so any other method would reach wp-login.php unauthenticated.
    Require valid-user
</Files>


You must then create a .htpass file with your credentials, or reuse one from another site. The syntax of each line is [user]:[password hashed with MD5], as produced by the htpasswd tool.

