InMotion Hosting – wp-admin directory password protection

  • #19755
    chuckz
    Participant

    After a recent attempted hacking of one of my WP sites, my host contacted me and wants me to implement the following on this site:

    “In this article I’ll show you how to lock down and password protect your WordPress website from invalid login attempts. We’ll do this by limiting access to the /wp-admin directory and the wp-login.php script.” Here’s a link to their instructions:  http://www.inmotionhosting.com/support/website/wordpress/prevent-unauthorized-wp-admin-wp-login-php-attempts.

    In previous conversations with them, they have strongly recommended password protecting the admin directory — which I have tried, but it has caused so many issues that I have ended up removing the password.

    I have installed the BPS plugin (free version*) — my questions are:  Will doing the above “locking down” of WP conflict or cause issues with the BPS plugin?  Is it necessary since BPS locks down the htaccess files anyway??

    ----

    Next question.  I have several sites which are constantly (anywhere from 6-25 times per day) having failed log-ins and/or lock-outs (depending upon my security plugin settings).  What is the best course of action to prevent these unauthorized logins?

    *I am currently running the free BPS plugin on about six WP sites, and will soon be upgrading to the Pro.  I appreciate the excellent support I have seen reading these forums, thank you!!

    #19757
    AITpro Admin
    Keymaster

    1. You would first set up wp-admin directory password protection in your InMotion Host control panel (or resave your settings). When you do that, .htaccess code will be written to the top of your wp-admin .htaccess file.
    2. Copy and paste that wp-admin directory password protection .htaccess code that is written to the top of your wp-admin .htaccess file into this BPS wp-admin Custom Code text box: CUSTOM CODE WPADMIN TOP: Add wp-admin password protection, IP whitelist allow access & miscellaneous custom code here
    3. Click the Save wp-admin Custom Code button.
    4. Go to the BPS Security Modes page and activate wp-admin BulletProof Mode.

    I believe once you add wp-admin folder directory password protection it will also take care of the failed logins/lockouts since the hacker/spammer bots will be stopped by the additional wp-admin login.

    #19762
    chuckz
    Participant

    Thank you VERY much for your prompt response!!  I just went through the steps and everything appears to be working perfectly.  I will go ahead and do this with the other sites which have the attempted log-ins.

    I’ll be upgrading to the BPS Pro sometime this week, and from now on will be recommending BPS to every WP user I know.  Thank you for an excellent product and fantastic support!!


    #22219
    Akhil K A
    Participant

    Hi.

    I was also searching for this. By the way, as you said, I have added the code to the wp-admin custom code. But InMotion is saying to add another piece of code to public_html/.htaccess; that code will ask the user to validate when he accesses wp-login.php. So, please tell me where I can add these codes, I mean which section in “Root htaccess File Custom Code”?

    http://s6.postimg.org/ccymi32dt/Capture.jpg

    Thanks.
    Akhil K A

    #22221
    AITpro Admin
    Keymaster

    If you would like to use that code for your root htaccess file instead of the wp-admin code for your wp-admin htaccess file then you would do these steps:

    Note: If the root htaccess code does not work correctly then you will have to use the wp-admin BasicAuth code instead.

    1. Add your BasicAuth Directory Password Protection .htaccess code to this BPS Root Custom Code text box (above any caching code in that text box): CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    #22272
    Akhil K A
    Participant

    Root .htaccess:

    <FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/username/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
    </FilesMatch>

    wp-admin .htaccess:

    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile "/home/username/.htpasswds/public_html/wp-admin/passwd"
    require valid-user

    Now when I visit my domain, it is asking for password!!! But, I can cancel it and browse. It is asking password for each page refresh! See my site: http://www.tidblog.com Please help me to fix this…

    #22281
    AITpro Admin
    Keymaster

    You would use either code and NOT both of them. Each one does the exact same thing so you are doing the same thing twice.

    #22283
    Akhil K A
    Participant

    The tutorial is given on the InMotion Hosting website. If I use the code in the wp-admin htaccess, it will ask for a password while we access the wp-admin directory. But using the code in the root htaccess will prevent hackers from accessing the wp-login.php file. My site is under brute force attack. The attacker is continuously trying to access the directory and the login file. This causes high resource usage. Any solution?

    #22285
    AITpro Admin
    Keymaster

    Our sites are being Brute Force attacked 24 x 7 x 365 just like every other WordPress site in the world. It is now just a normal thing that occurs every day – all day. Brute Force login attacks are automated with bots. Several different bots may be attacking your site on any given day – it is just what happens on the Internet these days – every day – all day. Currently this forum site is being attacked at a rate of 10 Brute Force Login attacks per second, which is a very mild|low attack rate.

    The wp-login.php page IS the same thing as the wp-admin folder. When you login to your site you are requesting access to the wp-admin folder whether you go directly to wp-login.php or you go to the /wp-admin URL. They are the exact same thing. If you are using BPS Login Security & Monitoring then login processing is killed when an invalid login attempt is made, so that there is no significant resource usage at all, but under very large scale Brute Force login attacks such as 1,000 login attempts per second you may see a .25 second increase in page load time. Most Brute Force login attacks are typically only 60 to 120 login attempts per second or much lower than that.
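    For reference, here is how the two pieces of BasicAuth code discussed in this thread fit together, as an added example that is not from the thread, from InMotion Hosting or from BPS. It assumes the same placeholder password-file path the posts use ("/home/username/...", which sits outside public_html, where the file belongs) and adds one exception that the thread does not mention: wp-admin/admin-ajax.php is requested by the public front end of many themes and plugins, so protecting the whole wp-admin directory without exempting it produces a password prompt on ordinary pages for every visitor, the symptom described in post #22272 above. Two files are involved because wp-login.php lives in the site root, not inside wp-admin.

```apache
# Added example (not the thread's, InMotion's or BPS's own code).
# "/home/username/.htpasswds/..." is the placeholder path used in the thread.

# --- public_html/.htaccess (site root): challenge requests for wp-login.php ---
# The regex is anchored; an unanchored "wp-login.php" also matches names such
# as "wp-loginXphp" because "." matches any character.
<FilesMatch "^wp-login\.php$">
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/username/.htpasswds/public_html/wp-admin/passwd"
    Require valid-user
</FilesMatch>

# --- public_html/wp-admin/.htaccess: challenge the whole wp-admin directory ---
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/username/.htpasswds/public_html/wp-admin/passwd"
Require valid-user

# Exception: admin-ajax.php is called from public pages by themes and plugins.
# Without this block every page load can trigger the BasicAuth prompt for
# anonymous visitors. This form relies on mod_access_compat (Apache 2.2, or
# 2.4 with the compat module loaded, as on typical cPanel hosts).
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
```

On Apache 2.4 without mod_access_compat, replace the three lines inside the `<Files admin-ajax.php>` block with `Require all granted`; with the default `AuthMerging Off`, that more specific section replaces the directory-level `Require valid-user`. The password file itself is normally created by the host's control panel; on a server you administer, `htpasswd -c -B <passwd-file> <user>` creates it with bcrypt hashes. Note that wp-login.php and wp-admin are protected by separate rules here, so the wp-admin rule alone does not challenge a request for /wp-login.php.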

    #22289
    Akhil K A
    Participant

    Thank you so much for the detailed explanation and fast response. In that case, I’m removing the code from the root directory.

    #22290
    Akhil K A
    Participant

    I have removed the code from root htaccess. Now the code is only implemented on the wp-admin directory… Still asking for authentication for the homepage and other directories!

    #22291
    AITpro Admin
    Keymaster

    Something is wrong then.  Double check both your root and wp-admin htaccess files AND BPS Custom Code.  If you have added that code to BPS Custom Code then you need to delete it and then do the rest of the Custom Code steps.  See the Custom Code Read Me help button for Custom Code steps.  Also if you are completely removing Directory Password Protection then you also need to remove|delete that in your host control panel.

    #22294
    Akhil K A
    Participant

    Fixed. That was my mistake. I have added the code correctly to root and admin directories. Now wp-admin directory and wp-login pages are secured with password. For Reference: http://www.inmotionhosting.com/support/website/wordpress/prevent-unauthorized-wp-admin-wp-login-php-attempts

    Thanks.

    #22298
    AITpro Admin
    Keymaster

    Great!  Most people do not use Directory Password Protection since they want to allow other people to be able to Register, Login and post Comments on their websites, like this Forum website for example.  😉
