Attacks on WordPress sites have become especially severe this year.
Applying Basic authentication to admin.php and wp-login.php of WordPress is a simple measure, but it makes the site less likely to be hacked.
If you access wp-login.php (the WordPress login screen) after applying Basic authentication, you will be prompted for a user name and password, as in the image.
[Brute force attack] and [Dictionary attack] are well-known hacking methods.
A [Dictionary attack] tries ID/PASS combinations taken from a dictionary of values that WordPress users are likely to use.
A [Brute force attack] tries combinations of characters one after another, in order.
Safety is enhanced when the ID/PASS for Basic authentication is different from the WordPress ID/PASS.
The plug-in [Simple Login Lockdown] is recommended as a countermeasure against the [Brute force attack].
Please refer to the article [How to remove Simple Login Lockdown when you cannot log in].
Apply Basic authentication to wp-login.php/admin.php of WordPress
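
AuthUserFile home/www/.htpasswd
AuthName "Input UserName And Pass"
AuthType Basic

# Require a login for the WordPress login screen
<Files wp-login.php>
    require valid-user
</Files>

# Note: <Files> and <FilesMatch> compare only the file name, not the
# directory, so this pattern does not match files inside wp-admin/
<FilesMatch "\/?wp-admin">
    require valid-user
</FilesMatch>

# Leave admin-ajax.php reachable without authentication
# (Satisfy/Order/Allow are Apache 2.2 syntax; Apache 2.4 needs mod_access_compat)
<Files admin-ajax.php>
    Satisfy any
    order allow,deny
    allow from all
</Files>

# Exclude the file upload and WP CRON scripts from authentication
<FilesMatch "(async-upload\.php|wp-cron\.php|xmlrpc\.php)$">
    Satisfy Any
    Order allow,deny
    Allow from all
    Deny from none
</FilesMatch>
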
1. Create an [.htaccess] file in the same directory as wp-login.php.
2. Copy and paste the above code into it.
3. Change the [home/www/.htpasswd] part of [AuthUserFile] to the full path, from the root directory, of the location where you will put the [.htpasswd] file.
4. Create the [.htpasswd] file in the location that you specified.
5. Using the tool linked below, generate the UserName/PASS to be used for Basic authentication. (Choose any UserName and PASS you like.)
http://www.htaccesstools.com/htpasswd-generator/
6. Paste the generated code into [.htpasswd].
7. To verify operation, try to access the management screen (wp-admin.php) and the login screen (wp-login.php).
If a failure occurs, please remove the code that you copied and pasted above from the [.htaccess] file.
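
A script for the check in step 7, as an added example that is not part of the original post: it requests each path without credentials and reports every path that does not behave as the .htaccess above intends. The path list, the function names and the blog.example host are assumptions of this example; redirects are not followed, so a redirect from /wp-admin/ to the login page is reported instead of being counted as protection.

```python
import http.client
import sys
from urllib.parse import urlsplit

# Paths taken from the .htaccess on this page (list assumed for this example).
# True = must answer with a Basic challenge, False = excluded from authentication.
EXPECTATIONS = {
    "/wp-login.php": True,
    "/wp-admin/": True,
    "/wp-admin/admin-ajax.php": False,
    "/wp-admin/async-upload.php": False,
    "/wp-cron.php": False,
    "/xmlrpc.php": False,
}

def fetch(url):
    """Send one GET without credentials; return (status, WWW-Authenticate)."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        conn.request("GET", parts.path or "/")  # http.client never follows redirects
        resp = conn.getresponse()
        return resp.status, resp.getheader("WWW-Authenticate", "")
    finally:
        conn.close()

def demands_basic(status, challenge):
    """True only for a 401 whose challenge names the Basic scheme."""
    return status == 401 and challenge.strip().lower().startswith("basic")

def audit(base_url, fetcher=fetch):
    """Return (path, problem) for every path that does not behave as intended."""
    problems = []
    for path, must_protect in EXPECTATIONS.items():
        status, challenge = fetcher(base_url.rstrip("/") + path)
        protected = demands_basic(status, challenge)
        if must_protect and not protected:
            problems.append((path, f"no Basic challenge (HTTP {status})"))
        elif not must_protect and protected:
            problems.append((path, "excluded file asks for a password"))
    return problems

if __name__ == "__main__":
    # Usage: python check_auth.py https://blog.example
    for path, problem in audit(sys.argv[1]):
        print(f"FAIL {path}: {problem}")
```

No output means every listed path behaved as intended.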
Reference site:
User:Hakre/Htaccess Auth Excludes « WordPress Codex