Protect Your WordPress Login Against Attack

As you are hopefully aware, a brute force attack has been affecting WordPress installations worldwide. Here is a short tutorial for quickly protecting your WordPress login page via cPanel.

Access cPanel and enable password protection


In order to protect your WordPress site from getting hacked, you can provide an additional layer of security. To do this, we’re going to block unauthorized people from accessing the WordPress login page.

Log into your cPanel account as you normally would, and look in the Security section of cPanel for the (1) Password Protect Directories feature and click on it.

Choose the correct starting location


This will pop up an area where you select the location you want to start in so you can navigate to your WordPress login page.

If your WordPress site is in your main domain (or a subdirectory of your main domain), then select (1) Web Root (public_html) as the starting location and click the (3) Go button.

If your WordPress site is in an addon domain or subdomain, then select (2) Document Root for and choose the appropriate addon or subdomain from the drop-down list and click the (3) Go button.

You can safely ignore the other options in this area.

Navigate to your WordPress installation directory


Now you need to navigate to the directory where your WordPress blog is installed. If you need to navigate inside a sub-folder to get to the WordPress installation location, click on the small (1) folder graphic that appears next to the name of that directory. That will show you the folders inside it; continue navigating that way until you see the name of the directory that contains your WordPress install.

Once you find the name of the directory where your WordPress install is located, click on the text of the directory name. This will allow you to set up the protection we need on your WordPress installation.

Set up protection on your WordPress install


On this screen, you will actually be password protecting your entire WordPress directory (we will take care of changing this restriction so it only affects the WordPress login itself shortly).

If your site is currently getting attacked, turn on password protection first. You do this by clicking on the (1) Password protect this directory checkbox and then give the protected content a name (optional, but recommended) by typing the name into the (2) Name the protected directory text field. This text will typically be displayed in the login box that most browsers will pop up when clients access the protected content. Then click (3) Save to apply the protection. If your site isn’t currently under attack, you may want to hold off on enabling the protection until you add some authorized users.

The type of protection we are enabling will force people to log in before they can access the protected content. This protection is separate from the user’s WordPress login.

To add authorized users who will be permitted to access the protected content (in this case your WordPress login page), enter a (4) username and a (5 & 6) password (twice) and then click (8) Add/modify authorized user to add or update the user. You can also use the (7) Password Generator feature to automatically create a secure password.

If you want to modify the password of an existing authorized user, just enter the same (4) username as the authorized user whose password you want to change and enter a new (5 & 6) password.

If you want to remove an authorized user, just select an (9) authorized user and then click the (10) Delete User button.

You can choose to create as many authorized users as you want or provide a single authorized username and password that all trusted people can use to access their WordPress login page (they still need to have a valid WordPress account and password that is separate from the authorized user account you are creating).

Once you are done adding/editing users and you’ve enabled protection for the entire WordPress directory, we need to make one additional manual modification so this protection only applies to the WordPress login page itself and not the entire WordPress site as it does right now.

Access the File Manager


We need to edit the .htaccess file in your WordPress installation directory. You can do this via FTP(S), SSH or via cPanel’s File Manager. These directions will assume you are using the File Manager.

Go back to the home screen in cPanel and in the Files section click on (1) File Manager.

Select the starting directory


Now, you select the directory you want to start in. Select the location that is as close as possible to your WordPress installation. However, you need to make sure the (1) checkbox for Show Hidden Files (dotfiles) is checked or you won’t be able to edit the .htaccess file we need to change. When you are ready, click (2) Go.

Choose the file to edit


Navigate into your WordPress installation directory (if you are not already there) by selecting the folder from the (1) navigation tree. Once there, click on the (2) .htaccess file so it is selected. Then click on the (3) Edit icon at the top of the screen.

Confirm the file to edit


This will pop up a screen to confirm that you want to edit the file you’ve selected. Generally you shouldn’t have to worry about any of the options on this screen. Just click the (1) Edit button to start editing the file.

Edit the .htaccess file


On this screen, you just need to make some simple text edits to the file. Do not change the WordPress-generated code in the .htaccess file if it exists; just edit the lines cPanel added, which look like this:

AuthUserFile "/home/YOURCPANELUSERNAME/.htpasswds/public_html/blog/passwd"
AuthType Basic
AuthName "WordPress Login"
require valid-user

To this (the two FilesMatch lines have been added around the existing block; nothing else needs to be edited):

<FilesMatch "wp-login.php">
AuthUserFile "/home/YOURCPANELUSERNAME/.htpasswds/public_html/blog/passwd"
AuthType Basic
AuthName "WordPress Login"
require valid-user
</FilesMatch>

Once you’ve added the FilesMatch lines to the beginning and end of that code block, click (1) Save Changes to save the file.

Now go to your WordPress install in your web browser and try to login. You should be prompted by your browser to enter a username and password to access the protected content. Enter a username and password you specified when setting up the protection in cPanel and then you will be able to access the WordPress login page without issue and log in with your standard WordPress username and password.
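The manual .htaccess edit above, automated and checked, as an added example that is not part of HostDime's tutorial or cPanel's code. It assumes a POSIX sh with awk, and the cPanel username, paths and sample .htaccess content are constructed placeholders.

```shell
#!/bin/sh
# Added example: wrap the Auth*/require lines cPanel wrote into a
# <FilesMatch "wp-login.php"> block so only the login page is protected,
# then verify that no auth directive is left outside such a block.

# Idempotent: if a FilesMatch for wp-login.php already exists, do nothing.
scope_auth_to_login() {
    file="$1"
    if grep -q '<FilesMatch "wp-login\.php">' "$file"; then
        return 0
    fi
    awk '
        /^AuthUserFile/ && !wrapped { print "<FilesMatch \"wp-login.php\">"; inblock=1 }
        { print }
        inblock && /^[Rr]equire[ \t]+valid-user/ { print "</FilesMatch>"; inblock=0; wrapped=1 }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Returns 0 when every auth directive sits inside a FilesMatch block,
# i.e. the whole site is no longer password-protected; 1 otherwise.
auth_is_scoped() {
    awk '
        /^<FilesMatch/ { inblock=1 }
        /^<\/FilesMatch>/ { inblock=0 }
        /^(AuthUserFile|AuthType|AuthName|[Rr]equire)/ && !inblock { bad=1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample .htaccess: the WordPress block plus the four lines
# cPanel's Password Protect Directories feature adds (placeholder path).
SAMPLE_HTACCESS=$(mktemp)
printf '%s\n' \
    '# BEGIN WordPress' \
    'RewriteEngine On' \
    '# END WordPress' \
    'AuthUserFile "/home/EXAMPLEUSER/.htpasswds/public_html/blog/passwd"' \
    'AuthType Basic' \
    'AuthName "WordPress Login"' \
    'require valid-user' > "$SAMPLE_HTACCESS"

scope_auth_to_login "$SAMPLE_HTACCESS"
auth_is_scoped "$SAMPLE_HTACCESS" && echo "auth scoped to wp-login.php"
```

After saving the real file, requesting wp-login.php (for example with `curl -I https://example.com/blog/wp-login.php`, a placeholder URL) should return 401 until Basic Auth credentials are supplied, while the home page should still return 200.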

That’s it. You can remove the protection later if you want by removing all of the code above from the .htaccess file.


Written by HostDime Support Manager Aric P.

HostDime.com is one of the top 50 web hosts in the world. Follow HostDime on Facebook and Twitter.

7 thoughts on "Protect Your WordPress Login Against Attack"

  1. Protecting from brute force attacks is important; however, I run massive blogs, being in the region of 100-200 blogs, and I make use of different security plugins, such as BulletProof Security and Better WP Security (just to name 2).
    With these, you can lock off access (and disable access) to the admin area for certain times (you don't normally need 24/7 access to your admin area).

    The two plugins I mentioned should be users' FIRST steps to protecting their blogs before attempting the steps outlined in this guide.
