WordPress is open source and comes with a specific folders and files structure, see WordPress folders and file structure for more details.

One of the default files comes with WordPress is wp-login.php which is WordPress default login page. Anyone can access login page with yourblog.com/wp-login and start guessing passwords. Bad guys hard code this url address in crawlers and let them lose on millions of blogs to guess passwords and irony…many blogs really get hacked. The threat is real.

You can password protect wordpress site from WordPress brute force attacks by following two really easy steps.

Step 1:


We need a password htpasswd generator, the easy way to generate htpasswd file is by doing it online.

Visit http://www.htaccesstools.com/htpasswd-generator/


Enter a strong username and password and click Create .htpasswd file


Copy the encrypted information in notepad or any text editor for now and save it, we will use it later on.


Now login to your blog CPanel and create a .wpadmin file (note dot) outside your public_html or www directory.

Look for the path, it should be: /home/username/.wpadmin (where “username” will be the username for your account)

Woopoo's Tip


.wpadmin once created, open the file and paste the encrypted username password you generated before. Save the file and close it.

You are done with the first step. The next step is to enable protection for wp-login page.

Step 2:


Go to CPanel and open your public_html directory where wordpress is installed. Go to settings and check show hidden dot files.


Now you should see .htaccess file, if not create one using the same procedure you did for .wpadmin.

Note the dot before the name, it should be .htaccess not htaccess !IMPORTANT

Woopoo's Caution


Click the file, edit and append the following code into it. Once done, save and close the file.

ErrorDocument 401 “Unauthorized Access”
ErrorDocument 403 “Forbidden”
<FilesMatch “wp-login.php”>
AuthName “Authorized Only”
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user

Thats it! you just enabled an extra layer of wordpress security for your admin login page.

Now try to login to your admin page and you will see an additional dialog box to enter login details.

If you see a white blank page, open .htaccess file from CPanel append the following additional code:

ErrorDocument 401 default

Woopoo's Caution

Gimme a Share pleeeaase!

Pin It on Pinterest

Share This