Security essentials: Password protect a directory and two-factor authentication on your WordPress site

In this article, I shall demonstrate how to password protect your self-hosted WordPress website against hackers and invalid login attempts. Are you looking for some additional protection for your website? Self-hosted WordPress sites have a cPanel web hosting plan. cPanel hosting plans run on Linux servers. Linux servers are secure. There are numerous tools available to secure your site and keep it continuously visible online. If your web hosting company uses cPanel, these tools are available in the Security section of cPanel, which offers the following security tools:

1. Password Protect Directories
2. IP Deny Manager
3. Hotlink Protection
4. Leech Protect
5. GnuPG Keys
6. Modsec Manager

In WordPress, wp-admin and wp-login.php are vulnerable areas. There is a chance of unauthorized access to these areas by hackers. Too much traffic can be considered a brute-force attack; a brute-force attack slows down the website and creates too much overflow of data on the hosting. In this article, I shall show you how to completely lock down and password protect a WordPress website. This provides two-factor authentication for WordPress. In April 2013, most self-hosted WordPress sites suffered multiple brute-force attacks on their wp-login.php scripts.

wp-login.php and the wp-admin directory are located in the root folder of a WordPress installation. They form a bridge between the front end server and the back end server. The front end server gives the administrator administrative access to post, edit comments and so on. This is the most vulnerable part, and it is wise to implement a two-factor authentication system to completely secure the front end WordPress server from brute-force attacks.

Through “Password Protect Directories” we can implement password protection, which lets you require a username and password to access a specific folder of your site from the web. The most vulnerable parts of a WordPress site on the web are the wp-login.php and wp-admin.php scripts.

It is not wise to protect every folder in the root directory of WordPress. WordPress is installed in the root directory of the hosting account. After protecting both folders, you will also need to create a user with a password who is permitted to access those folders. In this way, the public login folders get two-factor authentication through password-protected administrative directories. You can give the password-protected directory any name, no matter what the real directory is called. When a user tries to access the protected directory over the internet, he/she will be prompted to enter a username and password. With this option you can restrict public access to certain parts of the website.

How to password protect WordPress logins?

Step 1. Log in to cPanel from your hosting account. Under the ‘Security’ section, right-click on “Password Protect Directories” and open it in a new browser window.

Password Protect Directories

Step 2. Click on the folder icon beside the ‘public_html’ directory.

public_html directory

Step 3. Click on the link to the ‘wp-admin’ directory.

wp-admin directory

Step 4. Check ‘Password protect this directory’, fill in ‘Name the protected directory’ and then click ‘Save’. When a user accesses the protected directory over the internet, he/she will be presented with a popup message asking for a username and password. The name of the protected directory will appear.

Check ‘Password protect this directory’

Step 5. Scroll down from ‘Security Settings’ to ‘Create user’. Click on ‘Password Generator’ and copy your password. Check ‘I have copied this password in a safe place’. Enter a ‘Username’, paste the copied password into ‘New Password’ and again into ‘Password (Again)’, and then click on ‘Add/modify authorized user’.

Add/modify authorized user

Step 6. ‘wp-admin’ is now a password-protected directory. A lock sign beside ‘wp-admin’ serves as proof that the directory is password protected. The ‘wp-admin’ directory contains the ‘wp-admin’ and ‘wp-login’ directories.

wp-admin is a password protect directory

Step 7. Now, try to access your /wp-admin or /wp-login directory. The browser will show ‘Authentication Required’: the server requires a username and password. The browser will prompt you for the credentials you just created. Type in your username and password and click on ‘Log In’.

Authentication Required

Step 8. Your general WordPress admin login page should now be visible. (Screenshot 8)

general WordPress admin login page
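
As an added example (not part of the original article or of cPanel), the Python sketch below audits the .htaccess files that such a directory lock relies on and reports whether wp-admin/ and wp-login.php each sit behind an HTTP Basic Authentication prompt. In a standard WordPress install wp-login.php is a file in the site root, so it is checked separately through a <Files> section. The realm name, the EXAMPLEUSER path, the sample files and all function names are constructed assumptions.

```python
import re

# Constructed sample of the directives a Basic-auth directory lock writes to
# .htaccess. The realm name and the AuthUserFile path are placeholders.
AUTH = '''AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/EXAMPLEUSER/.htpasswds/public_html/wp-admin/passwd"
Require valid-user
'''
WP_ADMIN_HTACCESS = AUTH  # constructed: public_html/wp-admin/.htaccess
# Constructed: root .htaccess extending the same lock to wp-login.php.
ROOT_HTACCESS = '<Files "wp-login.php">\n' + AUTH + "</Files>\n"
NEEDED = {"authtype", "authname", "authuserfile", "require"}

def auth_directives(text):
    """Map scope -> Basic-auth directives seen; scope "" is the directory
    itself, any other key is the file named in a <Files "..."> section."""
    scopes, scope = {"": set()}, ""
    for line in (l.strip() for l in text.splitlines()):
        opened = re.match(r'<(\w+)\s+"?([^">\s]+)', line)
        if opened:  # only <Files name> is tracked by name; other sections are set aside
            scope = opened.group(2) if opened.group(1).lower() == "files" else line
            scopes.setdefault(scope, set())
        elif line.startswith("</"):
            scope = ""
        elif line and not line.startswith("#"):
            name, arg = (line.split(None, 1) + [""])[:2]
            name, arg = name.lower(), arg.strip().strip('"').lower()
            if name == "authtype" and arg != "basic":
                continue  # another scheme: not the lock described here
            if name == "require" and not arg.startswith(("valid-user", "user ")):
                continue  # e.g. "Require all granted" prompts nobody
            scopes[scope].add(name)
    return scopes

def is_locked(text, filename=""):
    """True when the directory, or the named file in it, has every directive
    needed to trigger the browser's username/password prompt."""
    scopes = auth_directives(text)
    return NEEDED <= (scopes[""] | scopes.get(filename, set()))

def audit(root_htaccess, wp_admin_htaccess):
    """Report which of the two login entry points are behind Basic auth."""
    return {"wp-admin/": is_locked(root_htaccess) or is_locked(wp_admin_htaccess),
            "wp-login.php": is_locked(root_htaccess, "wp-login.php")}
```

Calling audit("", WP_ADMIN_HTACCESS) models a site where only the wp-admin directory was locked, while audit(ROOT_HTACCESS, WP_ADMIN_HTACCESS) models one where the root file also covers wp-login.php.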

Conclusion: You should now have password-protected ‘wp-admin’, ‘wp-login’ and ‘wp-admin’ folders. All these important destinations of your website are now password protected with two-factor authentication.


About Mohan Manohar Mekap

Mohan Manohar is a blogger from India who founded Ittech back in 2007. He is passionate about all things tech and knows the Internet and computers like the back of his hand.