Leaving the wp-login.php page exposed when a WordPress site goes into production is a significant security issue. Hiding it is only one of many measures that should be in place, but it helps reduce the risk of brute force attacks, in which an attacker repeatedly guesses passwords to gain access. Such attacks not only increase the risk of the site being compromised but also put extra load on the server because of the continuous guessing.
If you choose to keep the wp-login.php page accessible, you should set limits on the number of login attempts. If the limit is exceeded, you can configure the system to ban the IP address. This approach is better than having it open without any restrictions, as bots often automatically search for wp-login.php and try to log in. Changing the login URL can make it harder for bots to find the login page, thus enhancing the security of the website.
Recommendations for Preventing Brute Force Attacks from WordPress
According to the official recommendations from WordPress on preventing brute force attacks, the following measures are advised:
- Change the Login URL: Modify the URL from wp-login.php to avoid direct attacks.
- Use Strong Passwords: Create complex passwords that are hard to guess and change them frequently.
- Limit Login Attempts: Use plugins that limit the number of failed login attempts.
- Enable Two-Factor Authentication (2FA): Enhance security by implementing two-factor authentication.
- Block Suspicious IPs: Block IPs exhibiting suspicious behavior to prevent attacks.
How to Create a .htpasswd File to Prevent Direct Access to wp-login.php
This section shows how to hide access to wp-login.php without installing additional plugins, following the WordPress best practices above. Only a few lines of configuration are needed: we add an extra layer in front of the login page using the built-in HTTP authentication features of Apache and NGINX.
Every time you access the wp-login.php page, a login prompt will appear, asking you to enter a username and password. If you enter the wrong credentials, you will not be able to access the WordPress login page. To set this up, you need to create a .htpasswd file and modify the .htaccess file together.
The first step is to create a .htpasswd file, which you can do with the generator linked as Check this out.
Enter the username and password for authentication used in the Prompt Login. Then, select Bcrypt (Apache v2.4 onwards) and click the Create .htpasswd file button. You will receive a text string that looks like the following:
demo:$2y$10$mHPbKdzE4up1TsWmaKurCeJQmPMeMeIiMHc7hQL5jJ64PbA1mAOIu
Create a .htpasswd file in the root directory of your host. This is the same location as the .htaccess file that WordPress initially creates. Then, insert the text string generated earlier into the .htpasswd file and proceed to the next step.
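The following Python script is an added example (not code from the original article) that shows what happens behind the login prompt described above: the server answers a request without credentials with a 401 challenge carrying the realm "Private access", the browser then sends an "Authorization: Basic" header containing the base64-encoded "user:password" (encoded, not encrypted, so the prompt should only be used over HTTPS), and the server looks the user up in the .htpasswd file and verifies the password against the stored hash. The "demo" line is the bcrypt entry from the page; the "legacy" line is a constructed {SHA} entry for the password "password" so that verification can run without third-party packages. Checking bcrypt entries delegates to the third-party bcrypt package, which is an assumption of this example.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample .htpasswd contents. "demo" is the bcrypt line generated on the
# page; "legacy" is a constructed {SHA} entry for the password "password".
SAMPLE_HTPASSWD = """\
# users allowed through the wp-login.php prompt
demo:$2y$10$mHPbKdzE4up1TsWmaKurCeJQmPMeMeIiMHc7hQL5jJ64PbA1mAOIu
legacy:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""


def parse_htpasswd(text):
    """Map user -> stored hash, skipping blank lines and comments."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def hash_scheme(stored):
    """Name the htpasswd hashing scheme from the stored string's prefix."""
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"          # the option the page recommends selecting
    if stored.startswith("$apr1$"):
        return "apr1-md5"
    if stored.startswith("{SHA}"):
        return "sha1"
    return "crypt"


def verify_password(stored, password):
    """Check a password against a stored htpasswd hash."""
    scheme = hash_scheme(stored)
    if scheme == "sha1":
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest(stored[len("{SHA}"):], digest)
    if scheme == "bcrypt":
        import bcrypt  # third-party package (assumed available for bcrypt entries)
        return bcrypt.checkpw(password.encode(), stored.encode())
    raise NotImplementedError(f"{scheme} verification is not implemented in this example")


def basic_authorization(user, password):
    """Header value the browser sends after the prompt is filled in (base64, not encryption)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_authorization(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def challenge(realm):
    """Headers the server sends to make the browser show the login prompt."""
    return {"WWW-Authenticate": f'Basic realm="{realm}"'}


def authorize(request_headers, htpasswd_text, realm="Private access"):
    """Decide as the <Files wp-login.php> block does: (401, prompt) or (200, {})."""
    users = parse_htpasswd(htpasswd_text)
    creds = decode_basic_authorization(request_headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge(realm)
    user, password = creds
    stored = users.get(user)
    if stored is None or not verify_password(stored, password):
        return 401, challenge(realm)  # wrong user or password: prompt again
    return 200, {}


if __name__ == "__main__":
    print(authorize({}, SAMPLE_HTPASSWD))
    print(authorize({"Authorization": basic_authorization("legacy", "password")}, SAMPLE_HTPASSWD))
```

Note that a username that is not in the file and a wrong password both produce the same 401 response, so the prompt reveals nothing about which users exist.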
Modify the .htaccess File to Set Conditions for Prompt Login Before Accessing wp-login.php
If your server uses Apache, place the following code at the top of the .htaccess file. The <Files> block specifies that anyone requesting this file must authenticate first.
# Start of the protection for wp-login.php
<Files wp-login.php>
    # File holding the usernames and password hashes. Use the absolute path:
    # Apache does not expand ~ and resolves relative paths against ServerRoot.
    AuthUserFile /absolute/path/to/.htpasswd
    # Name shown in the prompt when the user is asked to log in
    AuthName "Private access"
    # Authentication type: Basic
    AuthType Basic
    # Username allowed to reach wp-login.php
    # demo = the user we created
    Require user demo
</Files>
.htaccess
For NGINX, place the code below in nginx.conf instead, which will function the same way.
# An exact-match (=) location is used so that a regular-expression PHP location
# such as "~ \.php$" cannot take precedence and serve wp-login.php without the
# prompt; because an exact match excludes other locations, repeat the fastcgi
# (or proxy) directives from your PHP location inside this block.
location = /wp-login.php {
    auth_basic "Private access";        # text shown in the login prompt
    auth_basic_user_file .htpasswd;     # file holding usernames and password hashes
                                        # (a relative path resolves against the nginx prefix directory)
}
nginx.conf
A common issue is that .htaccess does not find the .htpasswd file. This depends on the server configuration. In some cases, using . (a dot for the current directory where .htaccess is located) will suffice, while in others, you may need to provide the absolute path to the file. If you’re unsure of the absolute path, you can contact your server provider for assistance.
Conclusion
After placing the .htpasswd file and modifying the .htaccess file, when attempting to access the backend by typing /wp-login.php directly or navigating to /wp-admin, the system will redirect to wp-login.php, where a login prompt will appear. If the username and password are entered incorrectly, access to the WordPress login page will be denied. This acts as an additional layer of protection.
The login prompt doesn’t protect against brute force attacks 100%. Some providers install Fail2Ban to enhance the system’s security. Fail2Ban monitors and blocks IPs that repeatedly attempt to attack or fail to log in, reducing the likelihood of successful brute force attacks.
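The limit-then-ban approach described earlier, and the Fail2Ban behaviour mentioned here, can be illustrated with a small log analysis. The following Python script is an added example, not part of the original article or of Fail2Ban, that reads Apache combined-format access log lines and flags any client IP with more than a chosen number of failed wp-login.php attempts within a time window. A failure is either a 401 (the Basic prompt rejected the credentials) or a POST to wp-login.php answered with 200, because WordPress re-renders the form on a bad password and answers a successful login with a 302 redirect. The log lines, IP addresses (from the documentation ranges) and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: client IP, identity, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: 203.0.113.7 hammers the login form, 198.51.100.20 fails
# once then logs in, 192.0.2.44 is rejected once by the Basic prompt.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:22 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:25 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:09:02:00 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore query strings such as ?action=lostpassword
        "status": int(m["status"]),
    }


def is_failed_login(entry):
    """True for requests that represent a failed attempt to get through wp-login.php."""
    if not entry["path"].endswith("/wp-login.php"):
        return False
    if entry["status"] == 401:               # rejected by the HTTP Basic prompt
        return True
    # WordPress answers a bad password with 200 (form shown again) and a good one with 302.
    return entry["method"] == "POST" and entry["status"] == 200


def find_ban_candidates(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_the_failure_that_crossed_the_threshold} for IPs to ban.

    Mirrors the Fail2Ban idea: maxretry failures within findtime triggers a ban.
    """
    recent_failures = defaultdict(list)
    banned = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_failed_login(entry):
            continue
        ip, now = entry["ip"], entry["time"]
        # keep only failures inside the sliding window, then add this one
        window = [t for t in recent_failures[ip] if now - t <= findtime]
        window.append(now)
        recent_failures[ip] = window
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = now
    return banned


if __name__ == "__main__":
    for ip, when in find_ban_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when.isoformat()})")
```

Note that the windowed count is what distinguishes a brute force run from a user who mistypes a password a couple of times; with the defaults above only the first IP crosses the threshold.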
Preventing brute force attacks is just one method to secure WordPress, but there are many other ways. If you’re interested, you can read more details here