WordPress wp-login.php schützen

Secure WordPress login and wp-login.php from brute force attacks

Secure the wp-login.php from hackers. If you run a blog with WordPress, you are often confronted with attacks from the internet. I show in this tutorial how you can increase the security significantly.

In the past months, it has become terrible with WordPress brute force attacks (trying all possible password variants). I’ve only really noticed this since I’ve had the Limit Login Attempts Reloaded plugin active with email notification. I get several to countless mails every day with the information that IP addresses have been blocked from my blogs. This is annoying and besides, wouldn’t it be better to not let these bots (robots are automated programs) get this far in the first place.

wp-login.php protection for multisite and multiple writers

But now I was facing a problem. I have external writers on my blogs which also change regularly. That’s why a lock on IP level or with .htaccess users is out of question. That would make maintenance way too cumbersome.

But now I have found another, very simple solution. I use a standard .htaccess user, which I also display in the login message on the screen. This is done very simply via AuthName. So, each of my writers can see how to log in, and the bots are locked out. They are only programmed to gain access via wp-login.php-Datei.

The whole thing works fine. Since I have this solution online, no bot has made it to the WordPress login. This increases the security of my WP installations and saves a lot of system resources. Perfect!

With a copywriter I have also already played through the lock. No problem at all for her.

This is how it works

For this protection you need two files. Namely the .htaccess and the .htpasswd. The first file is already present in every WordPress system.
In the .htaccess you only have to insert the following code at the top:

# Sichere wp-login.php
‹Files wp-login.php›
AuthName "Log in with user: secret and password: log in"
AuthType Basic
AuthUserFile /$path$/.htpasswd
Require valid-user

I just used “secret” as user and “login” as password. You can use this as it is, or change it as you like.

See also
WordPress Backup and Malware Removal with BlogVault

you have to replace$path$ with the absolute path to the WordPress directory. This could look like this: /home/web15/public_html/

.htpasswd generieren lassen
generate .htpasswd

You have to create the .htpasswd file and copy it to your WordPress root. So there where the .htaccess is located.

You can use the . htpasswd generator for free to encrypt your password. Paste the text from the Result field into the newly created .htpasswd file. With that, you are done.

Now here you can see how the additional login screen looks like:

.htaccess Login
Screen before the WordPress login

Right in the window you can see the hint for the username and password for your authors and WordPress Multisite users.

So the WordPress login is secured from bots and still accessible for everyone.


The .htaccess password protection can also be used to protect individual files. But the password must be encrypted. Use the password generator for this.


Overall, it can be said that it is very important to secure the WordPress login, as it is the gateway for hackers and unwanted access to the website.

There are several options available for this, such as using strong passwords, login restrictions, using two-factor authentication and updating WordPress and plugins.

It is advisable not to use just one of these methods, but to combine several to ensure the highest level of security. Likewise, regularly check if there are any security vulnerabilities and fix them as soon as possible.

So, all in all, WordPress login security should become an integral part of the website security strategy.

Leave a Reply

Your email address will not be published. Required fields are marked *