How to Prevent Unauthorized WordPress Login AttemptsFebruary 23, 2017
These days, savvy hackers are always coming up with newer and better ways to try to get into the backends of websites to either steal sensitive information or just to wreak havoc on the site. That’s why it’s important for website developers to take the necessary steps to protect their websites and prevent any unauthorized login attempts.
In this guide, we’ll show you how to limit access to the wp-admin and wp-login.php.
Go to your Hosting cPanel account and log in.
Click on Directory Privacy under the Files Section.
Click on Settings.
Choose your domain from the Document Root drop-down menu in the pop-up box, the click on Save Changes.
Click on the wp-admin directory.
Check off the box beside Password protect this directory, name it, then save.
Click Go Back.
Click on Password Generator.
Copy the password from the small pop-up window, then check off I have copied this password in a safe place.
Type in your Username and click on Save.
Attempt to go in and access the wp-admin directory. The browser you are using will ask you for your password. Enter your username and password, then click Log In.
The regular WordPress admin login display should now come up.
Go to cPanel, and click on File Manager under the Files section.
Click on Settings.
Choose the Document Root for your website’s domain, then check Show Hidden Files, and click Save.
Expand public_html from the directory listing on the left side. Click on wp-admin and right-click on .htaccess. Click Code Edit, then click on Edit one more time to bypass the encoding pop-up.
Copy all the code found in the .htaccess file. Add the following code while this file is still open:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
# Allow plugin access to admin-ajax.php around password protection
Allow from all
AuthName "Secure Area"
Click on public_html from the directory listing on the left side. Right-click on the .htaccess file, and click on edit.
Paste the .htaccess code that you copied earlier, and paste it in between
FilesMatch tags. Click Save Changes.
At this point, you’ll have the /wp-admin/.htaccess file that offers password protection to the /wp-admin directory. If an unauthorized person tries to login directly from wp-admin.php, they’ll be prompted to enter valid credentials. If they don’t have them and enter invalid credentials, they will receive an Authorization Required error message. and won’t be able to directly access your wp-admin.