WordPress Wednesday: Extra Login Security with .htpasswd

Geek Factor: 4

We’ve written before about various ways to tighten up your WordPress security; in this week’s WordPress Wednesday, we’re going to cover how to add another layer of security to the WordPress login screen using .htpasswd.

.htpasswd can be used to create basic authentication on Apache servers by storing usernames and hashed passwords. By using .htpasswd and .htaccess, we can require users to enter a basic username and password combination before they can access WordPress’s login screen. This may seem a bit redundant, but it prevents bots from being able to access the WordPress login screen, making brute-force attacks near impossible. As most browsers remember .htpasswd authentication for a period of time, it also means users shouldn’t have to log in twice every time they access the site.

Each WordPress install should already include an .htaccess file, but you will need to create a .htpasswd file to add to your site.

There are many ways to add .htpasswd to your server; we’re going to go through a basic set-up manually creating the files and adding them to the site using FTP.

First, create a text file and name it htpasswd.txt. As .htaccess and .htpasswd files are invisible files, you will need to have invisible files set to visible on your computer to see them. Creating the files in the .txt format ensures we won’t lose track of the file before uploading it to the site.

Next, select a username and password. The password will need to be hashed; this can be done using an .htpasswd generator tool to format the password correctly. For the example below, we’re using username/password as our username and password:

The generator will create a string of text in a format similar to this, with the username and hashed password separated by a colon:

username:$apr1$n07zM4Dw$MT/fHlVqvzII2IRNUHEt71

Copy the generated line of text into your htpasswd.txt file and save it. It’s recommended that you record your username and password combination somewhere safe.

Next, upload the htpasswd.txt file to the root of your WordPress installation, which will be the same location as your .htaccess file. Rename the file to ‘.htpasswd’.

Now the .htaccess file will need to be edited. It is necessary to set your FTP software to view invisible files so you can find the .htaccess file.

First, make a backup of your .htaccess file, just to be on the safe side. Next, copy and paste the below code to your .htaccess file, underneath the line that says # END WordPress:

[php]
AuthType Basic
AuthName "Please enter your username and password:"
AuthUserFile /path/from/server/root/public_html/.htpasswd
[/php]

You will need to update the AuthUserFile value to match the path from your server root to the .htpasswd file.

Optionally, you can also update the AuthName value — this is the text that will appear in the login prompt.

Next, we’ll need to specify what files or folders the .htpasswd file applies to. In our case, we want to make the file wp-login.php password protected. The following code goes below the AuthUserFile path in your .htaccess file:

[php]
# Apply the password prompt to wp-login.php only
<Files wp-login.php>
Require valid-user
</Files>
[/php]

You may have additional code in your .htaccess file, but the end result will look something like this:

[php]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

AuthType Basic
AuthName "Please enter your username and password:"
AuthUserFile /path/from/server/root/public_html/.htpasswd
# Apply the password prompt to wp-login.php only
<Files wp-login.php>
Require valid-user
</Files>
[/php]

Now test the .htpasswd file by going to your website’s login screen — you can access it by going right to /wp-login.php, or using /wp-admin. Each browser will render the password prompt differently, but what you will see should be similar to the following:

It is possible to create multiple username and password combinations in your .htpasswd file; you just need to put each entry on a separate line. As WordPress users will already each have their own accounts, it’s probably not necessary for this kind of set up.
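As an added example (not code from the original article), here is a small Python check you can run over the finished pair of files before uploading them. It assumes the prompt is scoped with Apache's `<Files>` container. It flags a `Require valid-user` left outside one, an AuthUserFile under the document root, and .htpasswd entries stored as unsalted `{SHA}` or crypt()/plaintext. The sample entries and the /srv paths are constructed.

```python
import re

# Hash-field prefixes Apache recognises in an .htpasswd entry.
SCHEMES = (("$2y$", "bcrypt"), ("$apr1$", "apr1-md5"), ("{SHA}", "sha1-unsalted"))
WEAK = {"sha1-unsalted", "crypt-or-plaintext"}

def hash_scheme(field):
    """Name the scheme of one hash field; an unprefixed field is crypt() or plaintext."""
    for prefix, name in SCHEMES:
        if field.startswith(prefix):
            return name
    return "crypt-or-plaintext"

def audit(htaccess, htpasswd, docroot):
    """Return a list of findings for an .htaccess/.htpasswd pair set up as in the article."""
    findings, depth = [], 0
    for line in map(str.strip, htaccess.splitlines()):
        if re.match(r"<Files(Match)?\s", line, re.I):
            depth += 1
        elif re.match(r"</Files(Match)?>", line, re.I):
            depth = max(depth - 1, 0)
        elif re.match(r"Require\s+valid-user\b", line, re.I) and depth == 0:
            findings.append("unscoped-require")  # prompt covers the whole directory
        elif m := re.match(r"AuthUserFile\s+\"?([^\"\s]+)", line, re.I):
            # Under the document root, secrecy depends on the server denying .ht* files.
            if m.group(1).startswith(docroot.rstrip("/") + "/"):
                findings.append("authuserfile-in-docroot")
    for n, entry in enumerate(htpasswd.splitlines(), 1):
        if not entry.strip():
            continue
        user, sep, field = entry.strip().partition(":")
        if not (sep and user and field):
            findings.append(f"line {n}: malformed")
        elif hash_scheme(field) in WEAK:
            findings.append(f"line {n}: {hash_scheme(field)}")
    return findings

# Constructed samples (not from a real site): the article's directives without and
# with a <Files> container, and the article's example entry plus two weak ones.
AUTH = 'AuthType Basic\nAuthName "Login"\nAuthUserFile /srv/auth/.htpasswd\n'
UNSCOPED = AUTH + "Require valid-user\n"
SCOPED = AUTH + "<Files wp-login.php>\nRequire valid-user\n</Files>\n"
ENTRIES = ("username:$apr1$n07zM4Dw$MT/fHlVqvzII2IRNUHEt71\n"
           "editor:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"
           "guest:password\n")

if __name__ == "__main__":
    for name, conf in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(name, audit(conf, ENTRIES, "/srv/www/public_html"))
```

An empty list means none of the three checks fired; it does not test the strength of the password itself.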

Of course, this is just scratching the surface of what you can do with .htpasswd and .htaccess. Do you use .htaccess to enhance your WordPress installation in any way? Share your set-up in the comments below!
