Another layer of security for WordPress

A simple way of deflecting brute-force attacks is to require an additional password to access the WordPress login screen. Lots of security plugins will do this for you, but again, sometimes it’s better to DIY.

I put a .htaccess file in the wp-admin directory and that almost completely worked, but mystifyingly, and irritatingly, there would still be regular failed login attempts. Not very often. About every 20 minutes or so. But I was irked (I tell you), as I couldn’t work out why they were happening.

My .htaccess file looked a bit like this:

<RequireAll>
AuthName "my site"
AuthType Basic
AuthUserFile <myauthfile>
Require valid-user
</RequireAll>

A few searches turned up references to differences between Apache 2.2 and 2.4, and I thought that perhaps it was a syntax thing. But that didn’t seem to be it.

I did two things in the end, so I’m not sure what fixed it.

  1. I modified the .htaccess entry to specifically reference the file wp-login.php.
  2. I moved the .htaccess file to the parent directory.

So the relevant code looks something like:

<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secret stuff"
AuthUserFile <my auth file>
Require valid-user
</FilesMatch>
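One thing worth knowing when checking which of the two changes mattered: wp-login.php lives in the WordPress root directory, not in wp-admin, so a .htaccess placed in wp-admin never challenges requests to it. The way to confirm the protection is actually applied is to look at the access log for hits on wp-login.php that got through without a 401 challenge. The script below is an added example, not part of the original post; it parses Apache combined-format log lines (the sample lines are constructed, not real traffic) and lists the requests that reached WordPress unauthenticated.

```python
import re
from collections import Counter

# Apache combined log format; we only need remote host, auth user, request line and status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines: two bot POSTs that reached wp-login.php unchallenged,
# two requests that were correctly challenged (401), and one authenticated admin login.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2024:10:20:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:21:00 +0000] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "curl/8.0"
192.0.2.5 - alice [01/Jan/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:31:00 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]  # drop query strings such as ?redirect_to=...
    return d


def unprotected_logins(log_text):
    """Return (host, method, status) for requests that reached wp-login.php without
    passing Basic auth: the status is not 401 and Apache logged no auth user ('-')."""
    hits = []
    for line in log_text.splitlines():
        r = parse_line(line)
        if r is None or not r["path"].endswith("/wp-login.php"):
            continue
        if r["status"] != 401 and r["user"] == "-":
            hits.append((r["host"], r["method"], r["status"]))
    return hits


def hosts_by_attempts(log_text):
    """Count unchallenged wp-login.php hits per source host."""
    return Counter(host for host, _, _ in unprotected_logins(log_text))
```

With the Basic auth in place in the site root, every unauthenticated hit on wp-login.php should show up as a 401 and the list returned by unprotected_logins should be empty.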
