The aim of this post is to explain how to protect wp-login.php and wp-comments.php on Apache-based servers, so that you not only secure them but also free up 50-90% of your server load.
Brute force attacks and bots
No matter how much you deny it, your WordPress site is constantly under attack from bots and brute-force login attempts. The bots may be trying to log in to your admin panel or to post spam comments, even if your site gets very little real traffic.
What does this mean? It means that a large share of your server resources is consumed by these bots and brute-force attempts, which slows down your server and in turn hurts your Search Engine Optimization. Not to mention that, if they succeed, it also means a lot of spam or a compromised admin panel.
Which type of websites can be protected by this method?
This will help protect websites or blogs which are:
- On an Apache-based web server
- Running WordPress (of course)
- Preferably with user registration and login disabled (it can work with them enabled too, but test thoroughly after protecting)
How to protect wp-login.php
For this purpose, make sure .htaccess is enabled on your server. It usually is, so simply continue with the process and see if it works for you.
Please note that other parts of WordPress use .htaccess too, including cache plugins and permalinks, so back up the file before proceeding.
How to backup .htaccess file
To back up the WordPress .htaccess file:
- Go to the website root
- Copy the .htaccess file and rename the copy to backup.htaccess
- Keep the backup.htaccess file on server and/or on your local machine too
- You can also rename the backup file to the current date and/or time like 21122014.htaccess
How to protect wp-login.php using .htaccess
What we're going to do is add code to .htaccess telling Apache to password-protect the wp-login.php file on this site.
From then on, whenever wp-login.php is requested, the server itself will show a login box.
- Back up the .htaccess file as described above
- If you can't find the .htaccess file, turn on hidden files and folders
- Copy this code into the top of your .htaccess file, separate from any other code blocks already there, and don't forget to add the passwd file (below) too.
ErrorDocument 401 default
<FilesMatch "wp-login.php">
    AuthUserFile "/home/path/.htpasswds/public_html/passwd"
    AuthType Basic
    AuthName "Admin"
    Require valid-user
</FilesMatch>
Please adjust the code above to your server: at minimum, the AuthUserFile path must point to the real location of your password file.
Note that we've added ErrorDocument 401 default. When authentication fails, Apache serves its own built-in 401 response instead of handing the error to WordPress, so WordPress is never loaded and the failed attempt costs almost no server load.
Check the AuthUserFile declaration: this is the file that holds the password for this login. Create it with the following contents so that the authentication works.
The file looks like:
Whateverusername:themd5password
You can generate this MD5 password line from: http://www.htaccesstools.com/htpasswd-generator/
Add the line generated by that site and save. Test by going to yoursite.com/wp-admin: it will ask you for htaccess authentication.
How is this login different and less resource heavy?
Because the login prompt is issued by Apache itself before any PHP or WordPress code runs, there is no code execution, no database connection and no queries, so the load is far, far lower, in fact almost nothing at all.
Let me know in the comments if you have any queries or any difficulty setting up the protection for wp-login.php.
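To check that the protection really is taking the load off WordPress, here is an added example (not from the original post) that runs over Apache access-log lines and counts wp-login.php requests that Apache rejected with 401 before PHP ran, plus the IPs that keep failing. The log lines are constructed and the combined LogFormat is assumed.

```python
import re
from collections import Counter

# Apache "combined" LogFormat is assumed; adjust the pattern if yours differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
PROTECTED = {"/wp-login.php"}

# Constructed sample lines (not from a real server): one bot hammering the
# login, and one legitimate visitor who first fails and then authenticates.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Dec/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "curl/7.38"
203.0.113.7 - - [21/Dec/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "curl/7.38"
203.0.113.7 - - [21/Dec/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "curl/7.38"
198.51.100.9 - - [21/Dec/2014:10:01:00 +0000] "GET /2014/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Dec/2014:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.9 - admin [21/Dec/2014:10:01:20 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def summarise(log_text: str, threshold: int = 3) -> dict:
    """Count hits on the protected files, how many Apache answered with 401
    (so WordPress never ran), and which IPs reached the 401 threshold."""
    total = login_hits = rejected = 0
    rejected_by_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines in another format
        total += 1
        path = m["path"].split("?", 1)[0]  # drop the query string
        if path not in PROTECTED:
            continue
        login_hits += 1
        if m["status"] == "401":
            rejected += 1
            rejected_by_ip[m["ip"]] += 1
    return {
        "total": total,
        "login_hits": login_hits,
        "rejected_401": rejected,
        "suspect_ips": sorted(ip for ip, n in rejected_by_ip.items() if n >= threshold),
    }
```

Run summarise() over your real access log before and after adding the .htaccess block: the 401 count is work Apache did without ever starting PHP.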
Please elaborate how to make the file containing our password. I know about md5. What should be the file name (with its extension) and where to put it? The root website folder?
Abid, the filename has to be "passwd" or anything you want (with or without a file extension). You can use any directory path (better to keep it in a dot-named folder like .htpasswds outside the main root directory). But make sure you put the exact same path in the .htaccess AuthUserFile, e.g.:
AuthUserFile "/home/path/.htpasswds/public_html/passwd"
Done with this. Now a new problem: when I go to mysite.com/wp-login.php it asks for username and password. I enter both correctly, then Chrome shows me this message:
The webpage at mysite.com/wp-login.php has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer.
Please try these first and tell me the results:
1. Try entering the wrong username / password: does the login box pop up again normally?
2. Click cancel: which page does it lead to and what does it say?
3. Copy and paste your code block here, please.
Well, the folder name I put earlier was /public_html/htpasswds/passcode, which was actually incorrect.
Then I used the original one, "/home/abidpasha/public_html/htpasswds/passcode", and it worked. Below was the result with the incorrect directory name (my problem is solved now). Thank you :)
1. I entered the wrong id/pw and it replied with the same error, "redirect loop".
2. I clicked "cancel" and it replied:
Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn’t understand how to supply the credentials required.
Thanks for updating and contributing; I hope it will help others with a similar error.