Password protect WordPress login – wp-login.php

What is password protection?

It’s a smart feature that protects directories against access by unauthorised users. In a cPanel server, we can simply create password-protected directories via the control panel (Home >> Security >> Password Protect Directories). If we enable this feature, the system will prompt every user accessing that directory with a user name and password window. This provides a second layer of protection for our account on the internet. Here I explain how we can protect the WordPress login page from brute-force attacks!

Why this topic?

Simply to save your account’s resources 😛 The chance of login attacks is high on WordPress websites because the login page, wp-login.php, sits at a known location under the installation folder. A DoS against this page can slow down your website and consume resources. If your WordPress domain is hosted on a CloudLinux platform, you will definitely face the “508 Resource Limit Is Reached” error on your web page. Here we are going to protect the login page against brute-force attacks. The steps are simple:

Creating “.htpasswd” file

Yeah, to set up password protection you first need to create a .htpasswd file to store the secret authentication details. There are different options available to create this. In a cPanel server, we can create it from the control panel itself. Otherwise you can create it with this online tool >> HTPASSWD GENERATOR << The generated password must be in encrypted form. Then upload the file to your home directory; a good location is “/home/user/.htpasswds/public_html/test/wp-admin/”.

File name :: /home/user/.htpasswds/public_html/test/wp-admin/passwd
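
One way to check the uploaded password file before relying on it, as an added example (not code from the original post): it classifies each entry by the hash formats Apache's htpasswd tool writes, flags unsalted or unrecognised entries, and reports a file that sits inside the document root. The function names, the sample entries and the `public_html` document root are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# (pattern, scheme, acceptable): salted schemes pass, the rest are flagged.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "bcrypt", True),
    (re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "apr1-md5", True),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1-unsalted", False),
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "des-crypt", False),
]

def classify(hashed):
    for pattern, scheme, acceptable in SCHEMES:
        if pattern.match(hashed):
            return scheme, acceptable
    return "unrecognised", False  # plaintext or a format this check does not know

def audit_htpasswd(passwd_path, docroot):
    """Return a list of findings for one password file (empty list = clean)."""
    findings = []
    real, root = os.path.realpath(passwd_path), os.path.realpath(docroot)
    if os.path.commonpath([real, root]) == root:
        findings.append("file is inside the document root")
    if stat.S_IMODE(os.stat(real).st_mode) & stat.S_IWOTH:
        findings.append("file is world-writable")
    with open(real, encoding="utf-8") as fh:
        for n, line in enumerate(fh, 1):
            user, sep, hashed = line.strip().partition(":")
            if not user and not sep:
                continue  # blank line
            scheme, ok = classify(hashed)
            if not ok:
                findings.append(f"line {n} ({user}): {scheme} entry")
    return findings

def demo():
    # Constructed sample: filler strings shaped like hashes, not real hashes.
    lines = ["alice:$2y$10$" + "A" * 53, "bob:{SHA}" + "B" * 27 + "=", "carol:hunter2"]
    with tempfile.TemporaryDirectory() as home:
        docroot = os.path.join(home, "public_html")  # assumed document root
        os.makedirs(docroot)
        path = os.path.join(docroot, "passwd")  # deliberately misplaced
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
        os.chmod(path, 0o644)
        return audit_htpasswd(path, docroot)
```

`demo()` runs the audit on the constructed file; on a real account, pass the password file path and the site's document root to `audit_htpasswd`.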

Then place the code in the WordPress installation directory


Append the code pasted below to the .htaccess file in the WordPress installation directory.

# Copy this code into .htaccess

# To prevent redirect loops
ErrorDocument 401 default

# Protect wp-login.php with HTTP Basic authentication
<Files wp-login.php>
AuthUserFile /home/user/.htpasswds/public_html/test/wp-admin/passwd
AuthName "Private access"
AuthType Basic
Require valid-user
</Files>

NB: the line “ErrorDocument 401 default” helps you avoid a redirection error.

After these steps, the browser shows an additional user name and password prompt before the WordPress login page.


That’s it!


Arunlal Ashok

DevOps Engineer. Linux lover. Traveller.
Always happy for an open discussion! Write to arun ((@)) crybit ((dot)) com.

3 thoughts on “Password protect WordPress login – wp-login.php”

  1. I was breaking my head here. I was having redirection problems. I inserted “ErrorDocument 401 default” and it’s working.

    Thank you.

  2. Hi, I am facing a resource limit issue on my shared hosting. Domain name is
    Our daily visitors are max 60, which is nothing, but still we have a resource limit issue. We have a WP website.
    Can anyone help?
