Secure WordPress login and wp-login.php from brute force attacks
Secure the wp-login.php from hackers. If you run a blog with WordPress, you are often confronted with attacks from the internet. I show in this tutorial how you can increase the security significantly.
In the past months, it has become terrible with WordPress brute force attacks (trying all possible password variants). I’ve only really noticed this since I’ve had the Limit Login Attempts Reloaded plugin active with email notification. I get several to countless mails every day with the information that IP addresses have been blocked from my blogs. This is annoying and besides, wouldn’t it be better to not let these bots (robots are automated programs) get this far in the first place.
Secure the WordPress login and the wp-login.php so that bots and WordPress brute force attacks don’t have a chance anymore. With this solution, even multiple writers and WordPress multisite can access your website.
wp-login.php protection for multisite and multiple writers
But now I was facing a problem. I have external writers on my blogs which also change regularly. That’s why a lock on IP level or with .htaccess users is out of question. That would make maintenance way too cumbersome.
But now I have found another, very simple solution. I use a standard .htaccess user, which I also display in the login message on the screen. This is done very simply via AuthName. So, each of my writers can see how to log in, and the bots are locked out. They are only programmed to gain access via
The whole thing works fine. Since I have this solution online, no bot has made it to the WordPress login. This increases the security of my WP installations and saves a lot of system resources. Perfect!
With a copywriter I have also already played through the lock. No problem at all for her.
This is how it works
For this protection you need two files. Namely the .htaccess and the .htpasswd. The first file is already present in every WordPress system.
In the .htaccess you only have to insert the following code at the top:
# Sichere wp-login.php ‹Files wp-login.php› AuthName "Log in with user: secret and password: log in" AuthType Basic AuthUserFile /$path$/.htpasswd Require valid-user ‹/Files›
I just used “secret” as user and “login” as password. You can use this as it is, or change it as you like.
you have to replace$path$ with the absolute path to the WordPress directory. This could look like this:
You have to create the .htpasswd file and copy it to your WordPress root. So there where the .htaccess is located.
You can use the . htpasswd generator for free to encrypt your password. Paste the text from the Result field into the newly created .htpasswd file. With that, you are done.
Now here you can see how the additional login screen looks like:
Right in the window you can see the hint for the username and password for your authors and WordPress Multisite users.
So the WordPress login is secured from bots and still accessible for everyone.
Overall, it can be said that it is very important to secure the WordPress login, as it is the gateway for hackers and unwanted access to the website.
There are several options available for this, such as using strong passwords, login restrictions, using two-factor authentication and updating WordPress and plugins.
It is advisable not to use just one of these methods, but to combine several to ensure the highest level of security. Likewise, regularly check if there are any security vulnerabilities and fix them as soon as possible.
So, all in all, WordPress login security should become an integral part of the website security strategy.