A2Hosting

How to Secure the WordPress Login Page

 

Σ Sigma Hosting is mainly a video tutorial website that makes it easier for you to search within the transcripts of videos for solutions to problems you might face during your journey in dealing with different web hosting companies. So, we are very sorry if the text is not well organized, and we may work on it in the future, but for now we hope you get the benefit mainly from the video; then you may need to have a look at the transcript. Thanks for your understanding 🙂

Hi, my name is Andy Mellecker and I'm the community manager for a2hosting.com. In today's tutorial we're going to look at a couple of different ways that you can secure your WordPress login page. This is a page that hackers and bots will often use to try and gain access to your WordPress site. We can lock this down in a couple of different ways. The first way is we can restrict access to this page by limiting it just to the IP address of your specific computer. The other way that we can lock it down is we can add an additional login and password with an .htaccess file, which will require you to actually log into the server before you can even get to this page to log into WordPress.

So the first thing that we'll look at is how to lock this down by IP address. Now, one of the key things you want to keep in mind is if you're using a service like CloudFlare or some other CDN service, you probably won't be able to use this, because all of the traffic coming in from CloudFlare is going to have a different IP address than the person who's actually trying to access the site. So you don't want to use this if you are using any of those services; you'll want to use the other method that we'll talk about here in a little bit. If you're not using one of those, you can do this. It's really easy and it's a quick way to lock this page down. One of the other caveats, though, is that IP addresses are pretty easy for people to spoof, so it's not a fail-safe, it's not a completely foolproof method, but it still does make it quite a bit harder for people to access your site.

So the first thing that we need to do is create an .htaccess file and put some rules in there that limit our access to this page to only one site. I'm going to open up my text editor, go down into my WordPress folder and open up the .htaccess file, which at the moment is blank, so I need to paste some rules in here. If you go to the KB article that we have listed here, you'll see the code snippet that we're using. I'm going to copy that and paste it down here into my text editor. Basically this rule just says if anybody tries to access the wp-login.php file, they have to come from this specific IP address. Right now we just have X's in there, so we need to change that to the IP address of the computer that I'm currently using. I do that with a tool just called What's My IP Address: if you go out to whatsmyip.org, it'll give you the current IP address of the computer that you're using. So I'm just going to copy that, then go back into my text editor and paste that on top of the X's there.

Now, once I save this file, any access to that wp-login.php page has to come from this IP address. Since I'm already using that IP address, we're not going to see anything different: if I go to this page and refresh it, it'll take a second to load and then it'll let me in. So what I'm going to do is turn on my VPN, and we'll see what happens when I access this from another IP address. OK, now I've connected to my VPN, so I'm going to refresh this page and I should get an error. And there we go, it says "Forbidden". That's what anybody else will see if they try and access this site if they're not coming from that IP address.

Next we'll take a look at how we can limit this down to requiring an additional login and password. The first thing we need to do for this method is create an .htpasswd file. This is a file that Apache uses to authenticate somebody against a page. So we're going to go to a site called htaccess tools. You'll see that link there on YouTube and also in our KB article. Here you just want to enter a login and a password that you want to use. Now, don't use your WordPress login and password; use something different so that there is additional authentication. If you use the same login and password, there really is no point in doing this. So I'm going to create a login for myself and create a password, and then just hit that button that says "create htpasswd". On the next page you'll see it's generated a line of text there that has my login and the encrypted password. I'm going to copy that, then switch back over to my text editor, and we're going to go to the top level of my hosting account. So I'm going to click on the A2 Hosting demo and then we're going to create a new file. We're going to name this .wp-password, and all this file does is store that line of text with our login and our password. So I'll paste that in there and we'll hit save.

Next we need to open up that .htaccess file for WordPress, which I already have open. I'm going to delete the rules for the IP address; we're going to use a different set of rules for this particular method. Again, the code snippet for this is in the KB article that we have linked here, so I'll copy that and we're going to paste that into this .htaccess file. The first rule here just says that Apache is not going to serve up any requests for a .ht file, so it will prevent anybody from trying to open up this file or the password file. The next thing that we do is set a couple of error documents, so that if somebody does not log in correctly they'll receive an unauthorized or forbidden error. The next set actually sets the rules for using that wp-login file. It says that we have to use an authorization user file, and that file's listed there, and then it's going to prompt us with "Please log in" and require a specific user in order to gain access to that wp-login page.

So we have to change a couple of things here. The first thing we have to do is change this AuthUserFile to have our username for the A2 Hosting account. This is the same as your cPanel login; it's the same thing you log into with FTP or with SSH. So I will put that in there. The next thing we have to do is specify a required user. This is the same username that you created on that htaccess tools site, so I'll go ahead and type mine in there and then we'll hit save.

Now at this point, if I go back over to my WordPress login and refresh the page, it should ask me for a login and a password, which it does. I'm going to type in the wrong thing first; you can see that it just pops up again and asks me to log in again. Now I'm going to type in the correct login and password, and you can see that it refreshes and takes me to my login page. So now you have two logins and passwords. At this point I'll still have to enter my WordPress login and password in order to get further into the site.

This method is a little bit more secure than the IP address method because you're generating the login and password, so unless you tell that to somebody, it's a lot harder for them to guess, and it does add that additional layer because you have two different sets of credentials that you have to use to get into your WordPress site.

So here are two simple methods that you can use to secure this very easily. We have a lot of other tutorials on different things you can do to secure your WordPress site. Visit a2hosting.com/kb to view those tutorials, or look on our YouTube page. Thanks, and have a great day.

Video Description

This tutorial will walk you through two methods of securing the WordPress login page from unauthorized access.
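The two rule sets the transcript describes, written out as an added example; this is not the snippet from the A2 Hosting KB article, which is not reproduced on this page. It assumes Apache 2.4 `Require` syntax, and the IP address, home directory path and user name are placeholders.

```apache
# .htaccess in the WordPress folder.
# Use ONE of the two options below, not both: in the video the IP rules
# are deleted before the second set is pasted in.

# --- Option A: allow wp-login.php only from a single IP address ---------
# 203.0.113.10 is a documentation placeholder; replace it with your own
# public address. Behind a CDN or proxy such as CloudFlare, Apache sees the
# proxy's address instead of the visitor's, so this check does not work there.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# --- Option B: extra HTTP Basic login in front of wp-login.php ----------
# Refuse to serve any file whose name starts with ".ht"
# (.htaccess, .htpasswd and similar).
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Use Apache's built-in pages for failed or refused logins.
ErrorDocument 401 default
ErrorDocument 403 default

<Files "wp-login.php">
    AuthType Basic
    # Text shown in the browser's login prompt.
    AuthName "Please log in"
    # Placeholder path: the password file sits at the top level of the
    # hosting account, so "exampleuser" stands for the account (cPanel) name.
    AuthUserFile "/home/exampleuser/.wp-password"
    # Placeholder: the login name stored in the password file. It should
    # differ from the WordPress login, as the tutorial says.
    Require user exampleadmin
</Files>
```

Basic authentication sends the extra credentials with every request to the protected page, so the login page should be served over HTTPS.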

 
