Extra protection against brute force attacks

While WordPress has an authentication system of its own, some opt to add additional server-side password protection to /wp-admin/ using basic authentication. This prompts users for a username and a password before even allowing access to the admin files and WordPress authentication.

Password protecting wp-login.php is generally sufficient

WordPress cautions that password protecting /wp-admin/ itself can break some WordPress functionality and plugins using AJAX. While the password protection can be configured to allow AJAX to bypass authentication, they suggest that password protecting wp-login.php is sufficient for most cases.

Creating the password file: .htpasswd

Basic authentication requires a simple text file with one username:hash pair per line. The password fields below are placeholders; the file stores password hashes, never plaintext passwords.

username1:password1
username2:password2
username3:password3

The .htpasswd file should be placed somewhere outside of your site’s root directory. In my example, the WordPress files are in /srv/www/rudeotter.com/public/ so I’m creating my password file as /srv/www/rudeotter.com/.htpasswd.

Apache’s htpasswd command

If Apache was previously installed on your server, you may have the htpasswd command. Apache’s utilities can also be installed/reinstalled. Ubuntu users can install the package using

sudo apt-get install apache2-utils

To create a new password file:

htpasswd -c /srv/www/rudeotter.com/.htpasswd username1

If the file already exists drop the -c flag.

OpenSSL

A password file can be created manually by using the format shown above along with passwords hashed with OpenSSL.

openssl passwd

After entering and confirming your password, the hash will be returned and can be pasted into .htpasswd.

Web-based Tools

A number of web-based utilities exist to hash passwords or generate your entire .htpasswd.
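As an added example (not code from the original post), the following Python script works with the file format described above: it builds an RFC 2307 {SSHA} entry, one of the schemes Nginx's auth_basic_user_file accepts alongside crypt() and apr1 hashes (those two are not verified here), parses username:hash lines, and checks that the file path lies outside the document root used in the example paths. The usernames, passwords and salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from pathlib import PurePosixPath
from typing import Dict, Optional

def ssha_entry(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the '{SSHA}' form accepted by Nginx: base64 of digest
    followed by the salt, so a verifier can recover the salt from the field."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_entry(stored: str, password: str) -> bool:
    """Check a password against a '{SSHA}' or '{SHA}' field. crypt() and
    apr1 fields (the default output of htpasswd / openssl passwd) return False
    here because this example does not implement those algorithms."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; rest is salt
        calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(calc, digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(password.encode("utf-8")).digest(), raw)
    return False

def parse_htpasswd(text: str) -> Dict[str, str]:
    """Read 'username:hash' lines; only the first ':' splits the two fields.
    Blank lines and '#' comments are skipped."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        users[user] = hashed
    return users

def check_login(htpasswd_text: str, username: str, password: str) -> bool:
    entry = parse_htpasswd(htpasswd_text).get(username)
    return entry is not None and verify_entry(entry, password)

def outside_docroot(htpasswd_path: str, docroot: str) -> bool:
    """True when the password file is not under the web root, so the web
    server cannot hand it out as a static file."""
    return PurePosixPath(docroot) not in PurePosixPath(htpasswd_path).parents

# Constructed sample file: username1 uses {SSHA}; username2 uses the unsalted
# {SHA} form of the password 'password', included only to show that scheme.
SAMPLE_HTPASSWD = (
    "username1:" + ssha_entry("correct horse battery", salt=b"saltsalt") + "\n"
    "username2:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"
)
```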

No .htaccess used in Nginx

Rather than enter the authentication settings in .htaccess, we’ll add directives to Nginx’s site configuration file within a location block.

  • auth_basic
  • auth_basic_user_file

After updating your configuration files, test your changes:

sudo nginx -t

If the test is successful, reload Nginx to apply the new configuration.

sudo service nginx reload

If you encounter an issue with PHP not being processed after adding authentication, take a look at your PHP handler directives.

Protect wp-login.php on Nginx

location /wp-login.php {
    auth_basic "Authorization Required";
    auth_basic_user_file /srv/www/rudeotter.com/.htpasswd;
    # PHP Handler
}

Replace # PHP Handler with the directives needed by your configuration to process PHP requests.

Protect WordPress admin directory on Nginx

Here admin-ajax.php is allowed to bypass the password authentication being applied to the other PHP files under /wp-admin/.

location /wp-admin {
    location ~ /wp-admin/admin-ajax.php$ {
        # PHP Handler
    }
    location ~* /wp-admin/.*\.php$ {
        auth_basic "Authorization Required";
        auth_basic_user_file /srv/www/rudeotter.com/.htpasswd;
        # PHP Handler
    }
}

Replace # PHP Handler with the directives needed by your configuration to process PHP requests.
