How to password protect WordPress login and admin page

In this article we will go over how to secure your WordPress login page by adding one more password in front of it. Before the login page even loads, the user has to enter this additional password.

How to protect WP-ADMIN URL with .htaccess? How to avoid WordPress Brute Force Attack? Prevent Brute Force Attacks on WordPress Login page.

Step 1: Log in to cPanel

Once you log in to your cPanel account, go to the Files section and click on File Manager.

Step 2: Enable Hidden files

Clicking on File Manager will open a new window. Click the Settings button in the top-right corner. Tick the Show Hidden Files (dotfiles) checkbox. You will now be able to see all dotfiles.

Step 3: Verify the content of .htaccess file found in /home/<username>/public_html and /home/<username>/public_html/wp-admin

The .htaccess file under /home/<username>/public_html will have content like below:

The .htaccess file under /home/<username>/public_html/wp-admin will probably be empty or not there at all. Create an empty .htaccess file if it does not exist.

Step 4: Now we will create a username and password to lock wp-admin access. Go to your cPanel account, go to the Files section and click on Directory Privacy.

Step 5: Click on the folder icon as shown. DO NOT click the text “public_html”.

Step 6: On the next screen click on the TEXT “wp-admin”. DO NOT click on the folder icon.

Step 7: On the new screen tick the checkbox “Password protect this directory” and enter a name for the protected directory as shown. Click Save.

Step 8: Click Go Back

Step 9: Now create the username and password that will have access to the wp-admin folder:

Step 10: Click Go Back

Step 11: Now open the .htaccess file under /home/<username>/public_html/wp-admin. It should have content as shown:

Step 12: Add this text at the bottom of the file and save it:

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

Step 13: Copy the content of .htaccess from /home/<username>/public_html/wp-admin (leave out the highlighted lines from the previous step) and add it to the .htaccess file in /home/<username>/public_html as shown:

ErrorDocument 401 "Sorry. Unauthorized Access. You are not allowed to access /wp-admin/ page."
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
<PASTE CONTENT FROM .htaccess HERE>
</FilesMatch>
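
Before testing in a browser, the two files can be checked offline. The Python sketch below is an added example, not part of the original article or of cPanel; its function names are hypothetical, it assumes Directory Privacy writes the standard Apache Basic-auth directives (AuthType, AuthName, AuthUserFile, Require), and its sample file contents, including the AuthUserFile path, are constructed placeholders.

```python
# Added example: audit the two .htaccess files produced in Steps 11-13.
REQUIRED = ("authtype", "authname", "authuserfile", "require")

def parse_sections(text):
    """Map each section header (None = top level) to {directive: argument}."""
    sections, current = {None: {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            current = None                      # section closed
        elif line.startswith("<"):
            current = line.strip("<>").lower()  # e.g. 'files admin-ajax.php'
            sections[current] = {}
        else:
            name, _, arg = line.partition(" ")
            sections[current][name.lower()] = arg.strip()
    return sections

def audit(wp_admin_text, root_text):
    """Return a list of findings; an empty list means both files look complete."""
    admin, root = parse_sections(wp_admin_text), parse_sections(root_text)
    findings = [f"wp-admin: missing {d}" for d in REQUIRED if d not in admin[None]]
    ajax = admin.get("files admin-ajax.php", {})
    if ajax.get("satisfy", "").lower() != "any":
        findings.append("wp-admin: admin-ajax.php exemption missing (Step 12)")
    login = next((v for k, v in root.items()
                  if k and k.startswith("filesmatch") and "wp-login" in k), None)
    if login is None:
        findings.append("root: no FilesMatch block for wp-login.php (Step 13)")
    else:
        findings += [f"root: wp-login.php block missing {d}"
                     for d in REQUIRED if d not in login]
    return findings

# Constructed samples; AuthName and the AuthUserFile path are placeholders.
AUTH = ('AuthType Basic\nAuthName "Protected"\n'
        'AuthUserFile "/PLACEHOLDER/path/to/passwd"\nRequire valid-user\n')
AJAX = "<Files admin-ajax.php>\n    Order allow,deny\n    Allow from all\n    Satisfy any\n</Files>\n"
WP_ADMIN_OK = AUTH + AJAX
ROOT_OK = '<FilesMatch "wp-login.php">\n' + AUTH + "</FilesMatch>\n"
ROOT_EMPTY_BLOCK = '<FilesMatch "wp-login.php">\n</FilesMatch>\n'

if __name__ == "__main__":
    print(audit(WP_ADMIN_OK, ROOT_OK))      # complete configuration
    print(audit(AUTH, ROOT_EMPTY_BLOCK))    # Steps 12 and 13 incomplete
```

A request against the live wp-admin URL is still needed to confirm the server honours the file, since a host can disable .htaccess overrides.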

 

Step 14: Configuration is complete. The wp-admin folder is now secured. Try to access your wp-admin URL.

In Chrome it will show something like below:

In Internet Explorer it will show something like below:

Enter the username and password created for securing the wp-admin folder. This will take you to the regular WordPress login:

If someone clicks Cancel on the wp-admin login popup, it will display this: