wp-admin Directory Password Protection – Custom Code

[AITpro Admin]

Password protecting the wp-admin folder is really not necessary and is not recommended. The primary reason for this is that the wp-admin folder already has password protection. When you login to your WordPress website you are authenticating/logging into the wp-admin folder area/WP Dashboard.

If you would still like to add an additional login to your wp-admin folder then this means that visitors to your website will not be able to register to your website unless you give them the Directory Protection username and password for your wp-admin folder.

wp-admin Directory Password Protection Steps

1. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button.

2. In cPanel – setup Directory Password Protection for the wp-admin folder.

3. Go to the BPS Pro B-Core Edit/Upload/Download tab page, click on “Your Current wp-admin htaccess File” tab, copy all of the .htaccess code in the window and go to the BPS Pro Custom Code tab page. Paste your cPanel Directory Password Protection .htaccess code to wp-admin htaccess File Custom Code – CUSTOM CODE WPADMIN TOP text box and click the Save wp-admin Custom Code button.

4. Go to B-Core Security Modes page and activate wp-admin BulletProof Mode again.

You should now have a wp-admin .htaccess file that has both the standard BPS Pro security .htaccess code and also the cPanel Directory Password Protection code combined. You can check this by going to the B-Core Edit/Upload/Download page and looking at the “Your Current wp-admin htaccess File” tab page.

[Krzysztof]

[Topic merged into this relevant similar Topic]

I have found a tutorial which recomends adding an extra level of security to protect from brute force attacks:

– create a .htpasswd
– put it in public_html (or somewhere else above the wordpress data)
– get the path to te file
– ad this piece of code to htaccess:

<pre class="text">AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/path/to/your/.htpasswd
<Files wp-login.php>
require valid-user
</Files>
 
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

Now – what do you think? Is it ok? Could this be added to BPS PRO or we do not need it as BPS PRO has a better solution?

[AITpro Admin]

If you are the ONLY person who logs into your website then I would use the IP based Brute Force Login protection code here:  http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

BasicAuth / Directory password protection is actually very easy to beat since data is sent in clear text.

[Krzysztof]

I have managed to protect wp-admin yesterday – I would only suggest to turn off ARQ – it blocked me out while my first try 😉

[Darin]

[Topic has been merged into this relevanat Topic]

I have the latest version of WP and BPS Pro. I am trying to prevent brute force attacks. I have Captcha enabled on the wp-admin login page. I also set a password in Apache for the wp-admin directory. However, even with both of those in place, I still get a failed login attempt on the admin page about once every few minutes. I didn’t really want to filter access by IP address since I won’t be able to login to the site from my phone or when I am on public WiFi. But I thought with the captcha and password, that would prevent brute force attacks.
What else should I try?

[AITpro Admin]

@ Darin – normally that is not necessary if you have JTC enabd, but if want to also enable Diretory password protection then you can do that, by first setting up Directory Password Protection in your Host control panel and then add that code your host generates to your wp-admin htaccess file following the examples in the wp-admin htacess file.

[Author]

Posts