Password Protect Login Page With HTTP Authentication: There are 60 million WordPress websites which makes it the most popular websites building platform in the world. But there is a price to this popularity. Some 90,978 hack attempts are made on WordPress site every single minute of the day. While there are various methods that hackers employ to break into a website, one very popular and widely used one is called a brute force attack. In this type of attacks, hackers program bots to try and guess your login in credentials correctly which is why you must protect your WordPress login page.
In a previous post about login protection, we discussed coming up with a unique username and enforcing strong password. It’s an effective way of keeping the hacker bots out of your site, but when it comes to security, there is no absolute guarantee that a site will remain safe. The internet has never been a very safe place, and no amount of security is ever enough. Therefore it’s good to have many layers of protection for your site. While a unique username and password are important, locking the login page is also a significant step towards security. One way of doing it is to password protect the login page with HTTP authentication. In this post, we’ll show you how you can achieve that.
What is HTTP Authentication?
HTTP Authentication or HTTP Basic Authentication (BA) is a technique of enforcing restrictive access to the login page. To draw a simple analogy, think of a website as a house. The main door is the login page. People may try to break into the house which is why you have to have a strong lock in place. The lock stands for login credentials, Beyond the main door, there is a fence that provides extra protection to the house. In a similar manner, HTTP Authentication provides a layer of extra protection to your house. This means anyone who wants to access the login page will first have to first go through the HTTP authentication (the fence) and the login credentials (main gate).
How to Password Protect Login Page With HTTP Authentication
To secure your WordPress site with HTTP authentication the first thing that you need to do is generate a .htpasswd file. And then you’ll need to inform the .htaccess file of your website about the location of the .htpasswd file. And that’ll lock down your login page.
How to Create a .htpasswd File?
In this particular file, you will store usernames and passwords of people you want to access in the login page. Essentially it’s like having a gate to the fence that surrounds your house. You can give keys to the gate to only people you’d want to have access to your site. Let’s find out how you can create a .htpasswd file.
To create a new .htpasswd file, you need to use a .htpasswd command line tool. There are several tools available online. When you find one that you’d want to use, open it and in the command line, write the following code:
htpasswd -c .htpasswd harini
In this command line, c stands for create and harini is the username that we choose. After typing this code out, when you hit enter, you’ll be prompted to create a password that’ll be unique to this username. Don’t worry; your password will be encrypted.
But if you already have a .htpasswd file, then all you need to do is add a new username and password. You can do it by writing down the following command line:
htpasswd .htpasswd rahul
Notice how we didn’t use -c here because we are not creating a new file.
Typically a .htpasswd file would look something like this: username:encrypted_password. So if the username is harini and the password is dummy123pass, then the .htaccess file would be: harini:$apr1$50r17zis$lNbFJs4rQFfkp4ToO2/ZS/
The password has been encrypted. This .htaccess file is essentially your HTTP Basic Authentication credentials.
In case, you don’t want to use a tool or don’t know how to; you can use a .htpasswd generator. Open this link, and you should be able to see a window like an image below.
Type the username and password of your choice. There is an option to generate a random password too. Once done, hit the button that says Generate .htpasswd file. You should be able to see an output.
Modifying the .htaccess File
The .htaccess file is one of the most important files of your WordPress site. There are two things we’ll do with your .htaccess file. One, we’ll tell it what it needs to restrict and two, we tell it from where it could get the HTTP Basic Authentication credentials we just created in the steps above.
.htaccess is present in the public_html folder. To access it you will have to visit your web host account. Log in to your web host and go to a page called cPanel. There you should be able to find an option for File Manager. Select that, and a page will open, and in that page, you should be able to view the file.
Sometimes .htaccess is hidden and may not appear in the public_html folder. When that’s the case, what you need to do is go back to the cPanel, and click on File Manager. A popup will appear where you’ll have to select ‘Show Hidden Files.’
Next, you need download the file and then open it to add this code of line:
<Files wp-login.php> AuthUserFile /path/to/.htpasswd AuthName "Private access" AuthType Basic require valid-user </Files>
A few things you need to keep in mind when inserting this code: AuthUserFile /path/to/.htpasswd – is the path to the .htpasswd file you just created. Make sure the path is correct. The term ‘valid-user’ tells the system any user who has been mentioned in the .htpasswd file with access to the login page. But if you want to be selective about who you grant access to, then instead of using ‘valid-user’, you can just mention the usernames.
After you are done, save it and upload it to the same place from where you downloaded it. And that’s it. The next time you try to access the login page, you’ll see a small window appearing asking you for specific login credentials.
Besides HTTPS authentication, we suggest that you also implement two-factor authentication, which will add another layer of security to your WordPress login page.
Also take a few more security measures like moving your site from HTTP to HTTPS, installing a security plugin, protecting the login page, etc. While protecting your login page is a great idea, there are other ways in which hackers can gain access to your website. We strongly suggest that you take a more holistic approach to security by following our guide on Complete WordPress Security.