Computer security, and WordPress security in particular, relies on different approaches, but more importantly different philosophies or ways of thinking. It can be quite simple to secure wp-login.php file in WordPress. However, it is not necessarily advisable to follow the most common recommendations.
1. Security through obscurity
Security through obscurity is the principle of hiding information from the public and thus from potential hackers. It has its advantages on the surface, but in general it is not a sufficiently robust defence method.
According to many experts, relying on non-disclosure of information to secure a system is not effective. It is more interesting to protect an entity by placing a barrier, real or virtual, between hackers and their target.
In the case of the wp-login.php file, one of the usual recommendations is to change its default address and therefore hide its location. There are even plugins to do this. However, this can create problems not only in WordPress, but also in the experience on your site. Furthermore, hackers are still able to find this modified URL.
However, it is still possible and sometimes important to strengthen the security of wp-login.php. Therefore, the techniques suggested in this article focus on password protecting the file and limiting access to it to certain IP addresses. Both of these methods are actually recommended on the official WordPress site.
2. Password protect wp-login.php
Password protection provides a second barrier to protect your site, after your account password, or even a third barrier if you have two-factor authentication enabled. According to the Wordfence plugin team, brute force attacks prove to be ineffective and, in fact, the majority of hacks on WordPress make use of vulnerabilities discovered in a plugin or a theme.
Nevertheless, an attack can quickly drain your server resources to the point of taking your site offline. In this case, it may be necessary to resort to this procedure. It is also important to use strong passwords and, if possible, to activate two-factor authentication.
Before making any changes, it is essential to make a full backup of your site. Also note that we will be password protecting the wp-login.php file and not the entire WordPress admin folder, wp-admin. Indeed, some plugins require access to the admin-ajax.php file located in wp-admin. Protecting the entire folder with a password would therefore prevent these plugins from working properly.
2.1 Create a .htpasswd file
The first step is to create a .htpasswd file in which the username and password for accessing wp-login.php will be recorded and encrypted. To build this file, simply go to an htpasswd file generator and choose a username and password.
Then, in a code editor, for example Notepad++, you will need to create a new file and paste the string returned by the generator into it. This file must be an extension only, with no name. In other words, it should be named .htpasswd when you save it. Here is an example of the code that should be in the .htpasswd file.
username:$2y$10$5xLTigKyn/iZX0zIRh16pO6nWopfuLIGZD68Fj8MdmqVA.DURgYDO
Once you have created this file, you will need to upload it to your server via FTP, SFTP or your host’s file manager. Ideally, it shouldn’t be located in a public directory. So avoid putting it in the root directory of your WordPress site or in public_html. It could, for example, be located in the root of your server.
2.2 Modify .htaccess
Finally, you will need to modify the .htaccess file to tell it where the .htpasswd is located and instruct it to request the username and password found there. The code to add to .htaccess depends on your server configuration. These are the respective snippets of code officially recommended by WordPress.
# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
# Protect wp-login.php
<Files wp-login.php>
# The location to the .htpasswd file needs to be an absolute path
AuthUserFile ~/.htpasswd
AuthName "Private access"
AuthType Basic
# Change the username of the following line
require user myusername
</Files>
Apache
Most WordPress hosts use Apache. In the following code snippet, the .htpasswd file is located in the root directory and the username is myusername.
Nginx
You can password protect your wp-login.php file on Nginx using the HttpAuthBasicModule. This block should be inside your server block.
location /wp-login.php {
auth_basic "Administrator Login";
auth_basic_user_file .htpasswd;
}
The filename path is relative to directory of Nginx configuration file nginx.conf
The file should be in the following format:
utilisateur:pass utilisateur2:pass2 utilisateur3:pass3
3. Limit access by IP address
Along with password protection, it is also possible to limit access to wp-login.php to certain IP addresses. This is effective when your IP address doesn’t change often. You can also add multiple IP addresses, especially if other people need access to your site. Keep in mind that if one of these IP addresses changes, the user will not have access to WordPress until it is replaced in .htaccess.
You can find your IP address at What is my IP. Here are the snippets of code to add to .htaccess to accomplish this task. In all examples, you need to change 123.4.567.01 to your IP address.
Apache
# Block access to wp-login.php.
<Files wp-login.php>
order deny,allow
allow from 123.4.567.01
deny from all
</Files>
To add more IP addresses, you can modify this code like so.
# Block access to wp-login.php.
<Files wp-login.php>
order deny,allow
allow from 123.4.567.01
allow from 123.4.567.02
allow from 123.4.567.03
deny from all
</Files>
And if you are using Apache 2.4 and Apache module mod_authz_host, the syntax needs to be different.
# Block access to wp-login.php.
<Files wp-login.php>
Require ip 123.4.567.01
</Files>
Finally, here is the snippet to add multiple IP addresses.
# Block access to wp-login.php.
<Files wp-login.php>
Require ip 123.4.567.01 123.4.567.02 123.4.567.03
# or for the entire network:
# Require ip 123.4.567.0/255.255.255.0
</Files>
Nginx
For Nginx you can add a location block inside your server block that works the same as the Apache example above.
error_page 403 http://example.com/forbidden.html;
location /wp-login.php {
allow 123.4.567.01
# or for the entire network:
# allow 123.4.567.0/24;
deny all;
}
4. Other more sustainable and less intrusive solutions
When you secure wp-login.php using the methods described above, logins will also be more cumbersome for you. You’ll need to enter an additional username and password or correct IP addresses in your .htaccess file when someone can no longer connect.
If these steps seem to degrade your site experience too much, I recommend instead focusing on the following points to secure wp-login.php and, more broadly, your connections to WordPress.
4.1 Disable XML-RPC
Most brute force attacks take advantage of this protocol to try to break into your site. As long as you don’t use default credentials, such as admin, and weak passwords, they won’t affect your security. However, as already mentioned, they can have a negative impact on your server resources. To disable XML-RPC, you can install a plugin like Wordfence or insert the following piece of code into your .htaccess file.
# Disable xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
# The following line is optional
allow from 123.4.567.01
</Files>
The third line allows access to the file to a defined IP address, which you must replace in the code. If you don’t need it and want to disable the protocol completely, you can delete this line.
4.2 Use strong passwords
Your password is still one of the major weak points of WordPress. The best way to use strong, unique and long passwords is still a password manager. The latter generates and saves them for you. Also, a weak password is any combination of your name, username, company name, or site name; a dictionary word in any language; a word that is too short; or a word that uses only letters or numbers.
4.3 Use complex usernames
Similarly, common usernames pose a security problem. These include default credentials such as root, admin, or system. If you lack inspiration, here too, a password manager can prove invaluable. Indeed, you can hijack it to create unique and complex logins that look like passwords.
4.4 Enable two-factor authentication
Two-factor authentication is an essential solution for the security of not only WordPress, but any system. It adds an extra layer of protection through a different mechanism than the « username – password » combination and has proven to be an excellent method of protection so far.
4.5 Limit login attempts
Thanks to a security plugin, it is possible to limit login attempts after a certain number of failures. This is an effective way to protect your site and preserve your server resources. But you should keep in mind that some users may also need several attempts before remembering their login and password. It is therefore wise not to set too low a limit.
4.6 Install a security plugin
Finally, it is still essential to install a security plugin with a firewall. This will block malicious traffic from known IP addresses before it even reaches your site. Two of the best solutions in this regard are Wordfence and Sucuri.
5. Conclusion: secure wp-login.php in WordPress
When looking to secure wp-login.php in WordPress, it is important to define your goal first. Indeed, you may find that there are better methods to achieve it that don’t directly touch this file. Instead, password protection and IP address restriction can be very effective depending on the situation. In addition, these can be temporary solutions if your site is no longer under attack after some time.
What is the security issue that makes you want to secure WordPress wp-login.php? Let me know in the comments!
Sécuriser WordPress wp-login.php
Sauvegarde WordPress : extension, FTP et restauration
Personnaliser Contact Form 7 avec CSS