Protecting/Site Blocking Using .htaccess + .htpasswd
Another protection option is to set a password on the server to access the wp-login.php file.
It works like this: when wp-login.php is requested, the browser shows an additional authentication window where the user must enter a login and password (the appearance of the window depends on the browser).
If the password is entered correctly, the server allows access to the file, and then you can log in to WordPress as usual.
Steps:
Step 1: Create the .htpasswd file
In the root of your site, create a file specifying the login and password for access. You can specify multiple logins and passwords for different users:
kama:$apr1$Q9Gnetdv$pZyL9sGbN3ynC4k2oAZaQ.
andreas:$apr1$dHjB0/..$mkTTbqwpK/0h/rz4ZeN8M0
john:$apr1$IHaD0/..$N9ne/Bqnh8.MyOtvKU56j1
You can enter as many users as you want. Use special services to generate such strings, for example, this one.
Step 2: Include the .htpasswd file
Open the .htaccess file, which should be next to the .htpasswd file just created, and add the following code to it (anywhere):
<Files wp-login.php>
    AuthName "Access Denied"
    AuthType Basic
    AuthUserFile /home/www/example.com/.htpasswd
    require valid-user
</Files>
Don't forget to change the path /home/www/example.com/.htpasswd to the actual path of your .htpasswd file.
Done! Now try to log in to WordPress. You will see an additional window for entering the login and password. This protection will shield you from brute force attacks.
Nginx
You can also set up blocking at the Nginx level. To do this, you can use the following directives in the domain's configuration file:
- auth_basic string | off;
- auth_basic_user_file file;
Read more about the directives here.
Example of using directives:
server {
    listen 443 ssl http2;
    server_name example.com;

    # other directives...

    location / {
        auth_basic "Restricted Access!";
        auth_basic_user_file /etc/nginx/htpasswd_example.com;

        index index.php;
        try_files $uri $uri/ /index.php?$args;
    }

    # other directives...
}
Now you need to specify the passwords in the file /etc/nginx/htpasswd_example.com. The file format is as follows:
# comment
name1:password1
name2:password2:comment
kama:$wet1$F4HT89kL$f0gEMNpFKZNH4VggDMYTm0
This example password-protects all requests to the site (except for static files).
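An added example, not part of the original article: a small Python checker that parses a password file in the name:password[:comment] format shown above and reports entries whose password field is not a recognised hash, so plaintext placeholders or mistyped hash prefixes are caught before the file is deployed. The function names and the acceptable/weak split are assumptions of this example; the sample input is constructed from lines shown in the article.

```python
import re

# (prefix, label, acceptable). Prefixes are the schemes documented for Apache
# htpasswd and nginx auth_basic_user_file; the acceptable flag is this example's assumption.
SCHEMES = [
    ("$2y$", "bcrypt", True),
    ("$apr1$", "apr1 (MD5-based)", True),
    ("{SSHA}", "salted SHA-1", False),
    ("{SHA}", "unsalted SHA-1", False),
    ("{PLAIN}", "plaintext", False),
]
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional crypt(): 13 chars

def classify(password_field):
    """Return (scheme label, acceptable) for the password part of an entry."""
    for prefix, label, ok in SCHEMES:
        if password_field.startswith(prefix):
            return label, ok
    if DES_CRYPT.match(password_field):
        return "DES crypt()", False
    return "unrecognised or plaintext", False

def audit_htpasswd(text):
    """Return (users, findings); findings are (line number, message) tuples."""
    users, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(":", 2)  # name:password[:comment]
        if len(parts) < 2 or not parts[0] or not parts[1]:
            findings.append((lineno, "malformed entry"))
            continue
        name, (label, ok) = parts[0], classify(parts[1])
        if name in users:
            findings.append((lineno, f"duplicate user {name}"))
        users[name] = label
        if not ok:
            findings.append((lineno, f"{name}: weak or unknown scheme ({label})"))
    return users, findings

# Constructed sample: the format example from the text plus one Step 1 entry.
SAMPLE = """# comment
name1:password1
name2:password2:comment
kama:$wet1$F4HT89kL$f0gEMNpFKZNH4VggDMYTm0
andreas:$apr1$dHjB0/..$mkTTbqwpK/0h/rz4ZeN8M0
"""
if __name__ == "__main__":
    print(*audit_htpasswd(SAMPLE)[1], sep="\n")
```

On the sample, lines 2 to 4 are reported and only the $apr1$ entry passes.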