The aim of this post is to explain how to protect your wp-login.php and wp-comments.php on Apache-based servers, so that you not only secure them but also free up 50-90% of server load.
Brute force attacks and bots
No matter how much you deny it, your WordPress site is constantly under attack from bots and brute-force attempts. The bots might be trying to log in to your admin panel or to post spam comments, even if you don’t have much traffic.
What does this mean? It means that a large share of the server’s resources is consumed by these bots and brute-force attacks, which slows down your server and in turn hurts your Search Engine Optimization. Not to mention that if they succeed, it means a lot of spam or a compromised admin panel.
Which type of websites can be protected by this method?
This will help protect websites or blogs which are:
- On an Apache-based web server
- Running WordPress (of course)
- Preferably with user registration and login disabled (it can work with them enabled too, but test thoroughly after protecting)
How to protect wp-login.php
For this, make sure .htaccess is enabled on your server. It usually is, so simply continue with the process and see whether it works for you.
Please note that other parts of WordPress use .htaccess too, including cache plugins and permalinks, so back up the file before proceeding.
How to backup .htaccess file
To back up the WordPress .htaccess file:
- Go to the website root
- Copy the .htaccess file and rename the copy to backup.htaccess
- Keep backup.htaccess on the server and/or on your local machine too
- You can also name the backup after the current date and/or time, e.g. 21122014.htaccess
How to protect wp-login.php using .htaccess
What we’re going to do is add code to .htaccess that password-protects the wp-login.php file on this site.
From then on, whenever wp-login.php is requested, the server itself will throw up the login box.
- Back up the .htaccess file as described above
- If you can’t find the .htaccess file, turn on hidden files and folders
- Copy the code below to the top of your .htaccess file, as a separate block from any code already in it, and don’t forget to add the passwd file (below) too.
ErrorDocument 401 default
<FilesMatch "wp-login.php">
    AuthUserFile "/home/path/.htpasswds/public_html/passwd"
    AuthType Basic
    AuthName "Admin"
    require valid-user
</FilesMatch>
Adjust the code above to your own setup.
Note that we’ve added ErrorDocument 401 default. What this does is that when authentication via .htaccess fails, the error is not handed to WordPress, so WordPress is never loaded and there is no load at all.
Check the AuthUserFile declaration. This is the file holding the password for this login. Make sure you create it with the following contents so that authentication works.
The file looks like:
Whateverusername:themd5password
You can generate this md5 password line at: http://www.htaccesstools.com/htpasswd-generator/
Add the line generated by that site and save! Test by going to yoursite.com/wp-admin; it should ask you for htaccess authentication!
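As an added example (not part of the original post), the following shell script creates the passwd file locally so the admin password never has to be pasted into a third-party website, writes the .htaccess block above with the AuthUserFile path filled in, and sanity-checks the result. The paths under /tmp/htpasswd-demo are assumed placeholders; on a real server put the passwd file somewhere outside public_html.

```shell
#!/bin/sh
# Added example, not from the original post: generate the htpasswd file
# locally and write the .htaccess block, then check the result.
set -eu

# Assumed demo paths; in production keep the passwd file OUTSIDE the web root.
PASSWD_FILE="${PASSWD_FILE:-/tmp/htpasswd-demo/passwd}"
HTACCESS="${HTACCESS:-/tmp/htpasswd-demo/.htaccess}"

# make_passwd USER PASSWORD: write a "user:hash" line. Uses Apache's htpasswd
# (bcrypt) when available, otherwise openssl's apr1 hash (the "md5" format
# the post refers to). Both are formats Apache's Basic auth understands.
make_passwd() {
  mkdir -p "$(dirname "$PASSWD_FILE")"
  if command -v htpasswd >/dev/null 2>&1; then
    htpasswd -cbB "$PASSWD_FILE" "$1" "$2"
  else
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")" > "$PASSWD_FILE"
  fi
  chmod 640 "$PASSWD_FILE"   # readable by owner and web-server group only
}

# write_htaccess: the block from the post, with AuthUserFile pointing at ours.
write_htaccess() {
  mkdir -p "$(dirname "$HTACCESS")"
  cat > "$HTACCESS" <<EOF
ErrorDocument 401 default
<FilesMatch "wp-login.php">
    AuthUserFile "$PASSWD_FILE"
    AuthType Basic
    AuthName "Admin"
    require valid-user
</FilesMatch>
EOF
}

# check_setup: returns 0 when the passwd line uses a hash format Apache
# accepts, .htaccess references that exact file, and the file is readable.
check_setup() {
  grep -Eq '^[^:]+:(\$apr1\$|\$2[aby]\$|\{SHA\})' "$PASSWD_FILE" || return 1
  grep -Fq "AuthUserFile \"$PASSWD_FILE\"" "$HTACCESS" || return 1
  [ -r "$PASSWD_FILE" ] || return 1
  return 0
}

# After deploying, confirm Apache (not WordPress) answers without credentials:
#   curl -s -o /dev/null -w '%{http_code}\n' https://yoursite.com/wp-login.php
# The expected status is 401; with -u user:pass it should become 200.
```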
How is this login different and less resource-heavy?
Because the prompt is thrown by the server itself, without running any PHP or even WordPress: no code has run so far and no database connections or queries have been made, which means far less load; in fact, almost no load at all.
Let me know in the comments if you have any queries or any difficulty setting up the protection for wp-login.php.