As a result of the recent brute force attacks on self hosted WordPress sites, I decided to create a second level of authentication for all my sites.

I’m not referring to receiving a text message with a random code that must be entered to gain acess, and although a highly secure option, I’m talking about using .htaccess authentication.

htaccess authorization

Protecting the wp-login.php File with Authentication

You have the option to require authentication for access to a folder of files on your site, or individual files. You can use some funky regular expressions to match file types (which still eludes me for some reason) or just match a file by exact name.

There are plugins for WordPress that will create a user interface to make this process easier, but I did it the manual way, so that is what I am going to demonstrate here.

Lock Down the wp-login.php File for All Sites in the Same Hosting Account

I decided to “lock down” the wp-login.php file for all of my sites. In this example I will explain how I did it on a shared hosting account with HostGator which hosts multiple sites in the same account. Because of the placement of the two files created, I was able to impact all sites at the same time (i.e. lock down the WordPress login page for all sites with this one quick update).

There is a public_html folder where all my sites reside. The two files that I created for authentication purposes I added to the folder before public_html which is /home/user-name/ for me. It is a non-public folder. This folder may be something different for you depending on your web host. You should be able to gain access to it from the main FTP account for your hosting account.

First, Lets Create an Encrypted Password

One of the files that we create will include a list of valid usernames and passwords that can be used to get past the authentication. For this purpose we will only be adding one username:password pair.

It will be a plain text file with a username and password separated by a colon (:) and no spaces like shown above. The password must be encrypted.

There are tools online that will encrypt a plain text password for use in the password file, but I thought it’d be fun to create a mini PHP app to do it ourselves. This assumes of course that your server runs PHP files.

1) Create a new PHP file called pass-gen.php or whatever you want. You can create this in a plain text editor, then do a “file >> save as…” and type in the full file name.

2) Paste in the code below. Replace your-password with the password that you want to use.

<?php
$strPlainTextPassword = 'your-password';

$strEncryptedPassword = crypt($strPlainTextPassword, base64_encode($strPlainTextPassword));

echo $strEncryptedPassword;
?>

Note: The above code is meant for use on Apache servers. The resulting encrypted password should begin with “$apr1$” to be accurate. If it does not work, use this tool to generate the contents for the password file.

The video below demonstrates all the steps in this article. The example code for the password generator was run on a server that did not generate the password with the “$apr1$,” so it isn’t accurate in the video.

3) Upload the file to your server, then browse to it. You will see your password in encrypted form which we will use in the password file in the next step. Get it on the clipboard.

Now, Create the Password File with One Entry Per Line, and Usernames and Encrypted Passwords Separated by a Colon

1) Go ahead and create another plain text file and call it .wpadmin or something similar. Notice that there is no actual filename (like .htaccess), but just an extension.

2) At the very beginning of the file type in the desired username, followed by a colon, followed by the encrypted password created using the PHP tool above.

3) Save the file and upload it to your /home/user-name/ (or equivalent) folder.

Modify the Existing .htaccess From the /home/user-name/ Folder, or Create a New One

There will likely already be an .htaccess file within the /home/user-name/ folder with existing commands. We can download that file and add to it.

If it doesn’t exist, you can create it in the same way that you did the .wpadmin file.

1) Add the following commands to the .htaccess file, making sure to modify the path to reflect your non-public path as described throughout this article.

<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/user-name/.wpadmin
require valid-user
</FilesMatch>

2) Save the file and upload it to your /home/user-name/ (or equivalent) folder.

Test Your Work by Attempting to Access the wp-login.php File

The last step is testing to make sure that everything works as expected.

All you need to do is navigate to a WordPress login page for one of the sites in your hosting account and you should be prompted for the username and password that you added to the Password file in previous steps.

After successful authentication you can login to WordPress as normal. Your .htaccess authentication will wear off after some time at which time you will need to re-authenticate at that level.