Enhance Security: Add a Layer by Hiding wp-login for WordPress

|
5 mins reading time

Not hiding the wp-login.php page on a WordPress site when it goes into production is an important security issue. While it is just one of many security measures that should be implemented, hiding the wp-login.php page can help reduce the risk of brute force attacks, which involve trying to guess passwords to gain access. This not only increases the risk of being hacked but can also cause the server to work harder due to continuous password-guessing attacks.

If you choose to keep the wp-login.php page accessible, you should set limits on the number of login attempts. If the limit is exceeded, you can configure the system to ban the IP address. This approach is better than having it open without any restrictions, as bots often automatically search for wp-login.php and try to log in. Changing the login URL can make it harder for bots to find the login page, thus enhancing the security of the website.

Recommendations for Preventing Brute Force Attacks from WordPress

According to the official recommendations from WordPress on preventing brute force attacks, the following measures are advised:

  1. Change the Login URL: Modify the URL from wp-login.php to avoid direct attacks.
  2. Use Strong Passwords Create complex passwords that are hard to guess and change them frequently.
  3. Limit Login Attempts: Use plugins that limit the number of failed login attempts.
  4. Enable Two-Factor Authentication (2FA): Enhance security by implementing two-factor authentication.
  5. Block Suspicious IPs Block IPs exhibiting suspicious behavior to prevent attacks.
Prompt Login จากการเปิดใช้ .htpasswd
Prompt Login จากการเปิดใช้ .htpasswd

How to Create a .htpasswd File to Prevent Direct Access to wp-login.php

How to hide access to wp-login.php without installing additional plugins, as recommended by WordPress Best Practices. You only need to write a few lines of code. We will create an additional layer to protect access to the login page by using features from AppServe and NGINX.

Every time you access the wp-login.php page, a login prompt will appear, asking you to enter a username and password. If you enter the wrong credentials, you will not be able to access the WordPress login page. To set this up, you need to create a .htpasswd file and modify the .htaccess file together.

The first step is to create a .htpasswd file, which you can learn about by clicking Check this out .

ตัวสร้าง .htpasswd
ตัวสร้าง .htpasswd

Enter the username and password for authentication used in the Prompt Login. Then, select Bcrypt (Apache v2.4 onwards) and click the Create .htpasswd file button. You will receive a text string that looks like the following:

demo:$2y$10$mHPbKdzE4up1TsWmaKurCeJQmPMeMeIiMHc7hQL5jJ64PbA1mAOIu
directory ที่นำไปวาง .htpasswd
directory ที่นำไปวาง .htpasswd
วาง generate text ที่ไฟล์

Create a .htpasswd file in the root directory of your host. This is the same location as the .htaccess file that WordPress initially creates. Then, insert the text string generated earlier into the .htpasswd file and proceed to the next step.

Modify the .htaccess File to Set Conditions for Prompt Login Before Accessing wp-login.php

If your server uses Apache, place the following code at the top of the .htaccess file. The tag specifies that anyone accessing this URL must log in first.

# เริ่มการตั้งค่าการป้องกันไฟล์ wp-login.php
<Files wp-login.php>
    # ระบุไฟล์ที่เก็บข้อมูลผู้ใช้และรหัสผ่าน
    AuthUserFile ~/.htpasswd
    
    # ระบุชื่อที่จะแสดงเมื่อขอให้ผู้ใช้ใส่ข้อมูลการเข้าสู่ระบบ
    AuthName "Private access"
    
    # กำหนดประเภทการยืนยันตัวตนเป็น Basic
    AuthType Basic
    
    # ระบุชื่อผู้ใช้ที่ได้รับอนุญาตให้เข้าถึงไฟล์ wp-login.php
    # demo = user ที่เราสร้างขึ้นมา
    require user demo
</Files>

.htaccess

For NGINX, place the code below in nginx.conf instead, which will function the same way.

location /wp-login.php {
    auth_basic "Private access";         # ข้อความที่จะแสดงในกล่องการยืนยันตัวตน
    auth_basic_user_file .htpasswd;      # ไฟล์ที่เก็บข้อมูลชื่อผู้ใช้และรหัสผ่าน
}

nginx.conf

A common issue is that .htaccess does not find the .htpasswd file. This depends on the server configuration. In some cases, using . (a dot for the current directory where .htaccess is located) will suffice, while in others, you may need to provide the absolute path to the file. If you’re unsure of the absolute path, you can contact your server provider for assistance.

Conclusion

After placing the .htpasswd file and modifying the .htaccess file, when attempting to access the backend by typing /wp-login.php directly or navigating to /wp-admin, the system will redirect to wp-login.php, where a login prompt will appear. If the username and password are entered incorrectly, access to the WordPress login page will be denied. This acts as an additional layer of protection.

The login prompt doesn’t protect against brute force attacks 100%. Some providers install Fail2Ban to enhance the system’s security. Fail2Ban monitors and blocks IPs that repeatedly attempt to attack or fail to log in, reducing the likelihood of successful brute force attacks.

Preventing brute force attacks is just one method to secure WordPress, but there are many other ways. If you’re interested, you can read more details here

Designil PDPA Banner Thai Woo AIO Banner

author - aum watcharapon
Aum Watcharapon
👨🏻‍💻 WordPress Expertiser

Subscribe to newsletter

doaction will send notifications when new articles are available on the website, and you can unsubscribe at any time.

More Articles

How Do Small Image File Sizes Affect SEO? And Popular Resizing Tools

Reducing image file sizes for use on websites significantly impacts Core Web Vitals scores, especially in terms of Largest Contentful Paint (LCP), which is a crucial metric that Google uses for SEO ranking. Largest Contentful Paint (LCP) measures the time it takes to load the main content of a web page, which includes images, videos, or large text blocks. If the images used on the website have too large file sizes, it will increase the loading time, resulting in a lower LCP score. There are various methods to compress image files, from reducing them before uploading to having the website handle them. Each method has its advantages and disadvantages and different tools. Popular image file formats for websites include older formats like JPG, JPEG, PNG, and GIF, which tend to have larger sizes. However, newer formats like SVG, WEBP, and AVIF have been developed, with AVIF and WEBP being modern file formats that offer many benefits suitable for website use.

Read more

Transform WordPress into a Backend with the Power of REST API

WordPress is not just a website creation system or content management tool, but also features an API that extends its capabilities for development and integration with other systems. Whether you want to build applications or connect with various services, WordPress API can help you. This article will introduce you to WordPress API and how to make the most of it.

Read more

If you have any questions or need advice about WordPress, feel free to ask.

Office

  • © do action co., ltd. 2024
    66 Soi Petchkasem 98/1, Petchkasem Road,
    Bangkhae Nuea, Bangkhae,
    Bangkok, Thailand
    10160
PDPA Icon

Our website uses cookies to enhance your user experience.

Privacy Preferences

คุณสามารถเลือกการตั้งค่าคุกกี้โดยเปิด/ปิด คุกกี้ในแต่ละประเภทได้ตามความต้องการ ยกเว้น คุกกี้ที่จำเป็น

Allow All
Manage Consent Preferences
  • Always Active

Save