WordPress login pages left open to the public are a target for brute-force attacks and for attempts to exploit other vulnerabilities. I’ll show you how to keep the WordPress login protected with Apache htpasswd and .htaccess!
1. First, create an htpasswd username and password. See Step 1 of this previous post for a quick how-to!
2. Next, add the following to the bottom of the WordPress .htaccess file.
(Where AuthUserFile is the location of your htpasswd file)
<Files wp-login.php>
    AuthUserFile /etc/apache2/.htpasswd
    AuthType Basic
    AuthName "hello"
    Require valid-user
</Files>
When visiting yoursite.com/wp-admin or yoursite.com/wp-login.php, the web server will now prompt for a username and password before the login page can even be viewed, which adds a layer of security in front of the WordPress login.
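A quick way to check the block from step 2 before relying on it, as an added example that is not part of the original post: this Python sketch parses .htaccess text and reports a missing directive or a password file placed where the web server could serve it. The function name audit_login_block and the document root /var/www/html are assumptions made for the example.

```python
import re
from pathlib import PurePosixPath

REQUIRED = ("AuthType", "AuthName", "AuthUserFile", "Require")

def audit_login_block(htaccess_text, docroot):
    """Return findings for the <Files wp-login.php> block; an empty list means it passed."""
    block = re.search(r'<Files\s+"?wp-login\.php"?\s*>(.*?)</Files>',
                      htaccess_text, re.S | re.I)
    if block is None:
        return ["no <Files wp-login.php> block"]
    directives = {}
    for raw in block.group(1).splitlines():
        parts = raw.strip().split(None, 1)  # directive name, then its arguments
        if parts and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    # Without Require, Apache has the auth settings but never demands a login.
    findings = ["missing " + d for d in REQUIRED if d.lower() not in directives]
    if directives.get("authtype", "basic").lower() != "basic":
        findings.append("AuthType is not Basic")
    pwfile = directives.get("authuserfile")
    if pwfile:
        path = PurePosixPath(pwfile)
        if not path.is_absolute():
            findings.append("AuthUserFile is relative (Apache resolves it against ServerRoot)")
        elif PurePosixPath(docroot) in path.parents:
            findings.append("AuthUserFile is inside the document root")
    return findings

# Constructed samples: the block from this page, and two weakened variants.
GOOD = """
<Files wp-login.php>
AuthUserFile /etc/apache2/.htpasswd
AuthType Basic
AuthName "hello"
Require valid-user
</Files>
"""
IN_DOCROOT = GOOD.replace("/etc/apache2/.htpasswd", "/var/www/html/.htpasswd")
NO_REQUIRE = GOOD.replace("Require valid-user\n", "")

if __name__ == "__main__":
    # /var/www/html is an assumed document root; pass your site's own.
    for label, text in [("good", GOOD), ("in docroot", IN_DOCROOT), ("no Require", NO_REQUIRE)]:
        print(label, "->", audit_login_block(text, "/var/www/html") or "OK")
```

To audit a real site, pass the contents of its .htaccess file and its actual document root to audit_login_block.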
3. Use HTTPS for Login
It is also a good idea to serve the WordPress login and the WordPress admin area over HTTPS. Otherwise the login information is passed in the clear.
For this, make the following change in your wp-config.php: