How to protect WordPress wp-admin and wp-login.php from unauthorized login attempts

by sham 2014-05-31 15:55:53


In this post, I will tell you how to lock down and password protect your WordPress website from invalid login attempts. We can do this by limiting access to the /wp-admin directory and the wp-login.php script.

Password protect WordPress logins:

Using the steps below, you can create password protection for your /wp-admin directory. We'll also copy those rules over to protect your wp-login.php script.

Step 1: Log in to your hosting cPanel. Under the Security section, click on Password Protect Directories.


Step 2: Select the Document Root for your domain, then click Go.


Step 3: Click on your wp-admin directory

Step 4: Check Password protect this directory, give it a name, then click Save.

Step 5: Then click on Go Back.

Step 6: Click on Password Generator.
Click on Generate Password a few times, and copy your password.
Check I have copied this password in a safe place.
Then click Use Password.

Step 7: Now type in a Username, then click on Add/modify authorized user.

Step 8: Try to access your /wp-admin directory.
Your browser will prompt you for the username/password you just created.
Type them in, and click Log In.

Step 9: Your normal WordPress admin login page should now display.

Step 10: Now go back to cPanel.
Under the Files section, click on File Manager.
Select the Document Root for your domain.
Check Show Hidden Files (dotfiles), then click Go.

Step 11: Go to the location below:
public_html/wp-admin/.htaccess
Right-click the file and click Edit.

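Step 12: Copy all the code in the .htaccess file.
While you still have the /wp-admin/.htaccess file open, also add the ErrorDocument lines and the admin-ajax.php block, so that the file reads as follows. The Order, Allow and Satisfy lines must stay inside the <Files admin-ajax.php> block; placed at the top level of the file they would switch off the password prompt for the whole directory.

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

# Basic authentication for everything else in /wp-admin
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user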

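Step 13: Edit the .htaccess file under public_html.
Now paste the code below in between <Files> tags, so that the password prompt applies only to wp-login.php and not to the whole site.

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Basic authentication for wp-login.php only
<Files wp-login.php>
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
</Files>

and then click Save.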

Step 15: Now if someone tries to log in directly via wp-login.php, they will be prompted for a valid user as well.

Step 16: When a user enters invalid credentials, they will get an Authorization Required error. They will then not be able to attempt to log in to your WordPress admin directly.

This article will help you protect your WordPress admin login from unauthorized login attempts.
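
The two .htaccess files from Steps 12 and 13 only do their job when the <Files> wrappers are in place. The Python check below is an added example, not part of the original post; its function names and sample files are constructed for illustration. It flags "Satisfy any" outside the admin-ajax.php block and auth directives in the document root that are not limited to wp-login.php.

```python
import re

OPEN = re.compile(r'<(?:Files|FilesMatch)\s+"?([^">]+)"?\s*>$', re.I)
CLOSE = re.compile(r'</(?:Files|FilesMatch)>$', re.I)

# Constructed samples modelled on the Step 12 and Step 13 files.
AUTH = ('AuthType Basic\nAuthName "Secure Area"\n'
        'AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"\n'
        'require valid-user\n')
AJAX = "Order allow,deny\nAllow from all\nSatisfy any\n"
WP_ADMIN_OK = "<Files admin-ajax.php>\n" + AJAX + "</Files>\n" + AUTH
WP_ADMIN_BAD = AJAX + AUTH   # <Files> wrapper missing
DOCROOT_OK = "<Files wp-login.php>\n" + AUTH + "</Files>\n"
DOCROOT_BAD = AUTH           # <Files> wrapper missing

def directives_by_scope(text):
    """Map scope (None = whole directory, else the <Files> name) to its directives."""
    scopes, current = {None: []}, None
    for raw in text.splitlines():
        line = " ".join(raw.split()).lower()   # normalise case and spacing
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            current = opened.group(1)
            scopes.setdefault(current, [])
        elif CLOSE.match(line):
            current = None
        else:
            scopes[current].append(line)
    return scopes

def audit(text, location):
    """location is 'wp-admin' or 'docroot'; returns a list of findings."""
    scopes = directives_by_scope(text)
    top, findings = scopes[None], []
    if "satisfy any" in top and "allow from all" in top:
        findings.append("Satisfy any + Allow from all outside <Files>: auth bypassed")
    if location == "wp-admin" and "require valid-user" not in top:
        findings.append("wp-admin directory has no require valid-user")
    if location == "docroot":
        if "require valid-user" in top:
            findings.append("require valid-user outside <Files>: whole site prompts")
        if not any("wp-login" in name and "require valid-user" in d
                   for name, d in scopes.items() if name):
            findings.append("wp-login.php is not covered by require valid-user")
    return findings

if __name__ == "__main__":
    print(audit(WP_ADMIN_BAD, "wp-admin"), audit(DOCROOT_BAD, "docroot"))
```

Paste the contents of your own two .htaccess files into audit() with the matching location; an empty list means neither failure mode was found.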

