Protecting/Site Blocking Using .htaccess + .htpasswd

Another protection option is to set a password on the server to access the wp-login.php file.

The principle of operation: when the wp-login.php page is requested, the browser shows the user an additional authentication window (its appearance depends on the browser) where a login and password must be entered before wp-login.php is served.


If the password is entered correctly, the server allows access to the file, and then you can log in to WordPress as usual.

Steps:

Step 1: Create the .htpasswd file

In the root of your site, create a .htpasswd file listing the login and the password hash for each user allowed to access the page. You can specify multiple logins and passwords for different users:

kama:$apr1$Q9Gnetdv$pZyL9sGbN3ynC4k2oAZaQ.
andreas:$apr1$dHjB0/..$mkTTbqwpK/0h/rz4ZeN8M0
john:$apr1$IHaD0/..$N9ne/Bqnh8.MyOtvKU56j1

You can enter as many users as you want, one per line. The password is not stored in plain text: the second field is a hash (the `$apr1$...` strings above), so use an htpasswd generator to produce such strings, for example, this one.

Step 2: Include the .htpasswd file

Open the .htaccess file, which should be next to the .htpasswd file just created, and add the following code to it (anywhere):

<Files wp-login.php>
AuthName "Access Denied"
AuthType Basic
AuthUserFile /home/www/example.com/.htpasswd
require valid-user
</Files>

Don't forget to replace /home/www/example.com with the real absolute path to the directory where your .htpasswd file is located.

Done! Now try to log in to WordPress. You will see an additional window for entering the login and password. This protection shields you from brute force attacks on the login form: a request has to pass the server's Basic authentication before WordPress even sees the login attempt.

Nginx

You can also set up blocking at the Nginx level. To do this, you can use the following directives in the domain's configuration file:

  • auth_basic string | off;
  • auth_basic_user_file file;

Read more about the directives here.

Example of using directives:

server {
	listen 443 ssl http2;
	server_name example.com;

	# other directives...

	location / {
		auth_basic "Restricted Access!";
		auth_basic_user_file /etc/nginx/htpasswd_example.com;

		index index.php;
		try_files $uri $uri/ /index.php?$args;
	}

	# other directives...
}

Now in the file /etc/nginx/htpasswd_example.com, you need to specify the passwords. The file format is as follows:

# comment
name1:password1
name2:password2:comment
kama:$wet1$F4HT89kL$f0gEMNpFKZNH4VggDMYTm0

This example password-protects every request that is handled by the location / block, i.e. the whole site (static files served by other location blocks, not shown here, are not covered).
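Both the Apache .htpasswd from Step 1 and the Nginx file above use the same `$apr1$` hash format. The following added example (not code from the original article) shows what those strings actually are: it implements the apr1 salted, 1000-round MD5 scheme, parses a file in the format described above (comment lines, `name:hash`, `name:hash:comment`) and verifies a submitted login against it. The sample file is constructed here; its salts are the ones shown in the article, the passwords are made up.

```python
import hashlib
import hmac
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

def _to64(value: int, count: int) -> bytes:
    # crypt-style base64: emit 6 bits at a time, least significant group first
    return bytes(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ scheme (salted, 1000-round MD5), the format htpasswd -m writes."""
    pw, slt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + MAGIC + slt)
    alt = hashlib.md5(pw + slt + pw).digest()
    for n in range(len(pw), 0, -16):      # feed len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                              # one byte per bit of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                 # key-stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(slt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return (MAGIC + slt + b"$" + out + _to64(final[11], 2)).decode()

def parse_htpasswd(text: str) -> dict:
    """user -> hash; accepts '# comment', 'name:hash' and 'name:hash:comment' lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, hashed = line.split(":", 2)[:2]
            users[name] = hashed
    return users

def verify(users: dict, user: str, password: str) -> bool:
    stored = users.get(user, "")  # $apr1$ entries only; recompute with stored salt, compare in constant time
    return stored.startswith("$apr1$") and hmac.compare_digest(
        apr1_md5(password, stored.split("$")[2]), stored)

SAMPLE_HTPASSWD = (  # constructed: salts from the article, passwords made up
    f"# comment\nkama:{apr1_md5('s3cret', 'Q9Gnetdv')}\n"
    f"andreas:{apr1_md5('pw2', 'dHjB0/..')}:site admin\n")
```

To create a new entry, pick 8 random characters from ITOA64 as the salt (e.g. with the `secrets` module) and write `user:` followed by `apr1_md5(password, salt)`.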