Protecting WordPress login page thru Basic Authentication

Take steps to avoid brute force attacks on the WordPress admin dashboard page. This would add an additional layer to site security and avoid traffic excess. Basic Authentication would facilitate HTTP requests to require a username and a password.

Add Basic Authentication via .htaccess

This is applicable to sites using Apache as the web server, this would not work on hosts with Nginx as their web server. Two simple steps:

Create a .htpasswd file then upload it to your webroot folder, this is the folder mostly where “.htaccess" resides.

Add this line to your .htaccess file

<Files wp-login.php>
AuthUserFile /.htpasswd
AuthName "Security Lock"
AuthType Basic
require valid-user
</Files>

Add Basic Authentication on the wp-config.php file

Sometimes as customers don’t have access to server configuration and PHP would be the fallback method.

if(preg_match('/(wp-login.php)/',$_SERVER['REQUEST_URI'])){
    if (!isset($_SERVER['PHP_AUTH_USER']) || ( $_SERVER['PHP_AUTH_USER'] != 'yourusername' && $_SERVER['PHP_AUTH_PW']   != 'yourpassword')) {
	    header( 'Cache-Control: no-cache, must-revalidate, max-age=0' );
	    header( 'WWW-Authenticate: Basic realm="Security Lock"' );
        header( 'HTTP/1.0 401 Unauthorized' );          
        exit();          
     }
}

Share