One of the most effective ways of locking intruders out of your WordPress admin area is to introduce a first-level login in front of it, which in most cases completely deters brute-force attacks against wp-login.php. Please follow the steps below to better protect your WordPress site!
Note: $CPUSER represents your cPanel username; make sure to replace it wherever it appears.
1. Log into cPanel and click "Directory Privacy".
2. Select "public_html" from the list.
3. The top of the new screen will say "Set permissions for /home/$CPUSER/public_html/". We are not actually password protecting this folder; we are only using this screen to create the username/password for the protection. Go down to the "Create User" section, fill in the username/password you want to use for the protection and, once done, click Save.
4. At the top left, click the "Home" icon to get back to the main cPanel screen, then click the "File Manager" icon.
5. On the left-hand side, select /home/$CPUSER, where $CPUSER is the name of your account.
6. Click the Settings button at the top right and check "Show Hidden Files (dotfiles)". You should now be in /home/$CPUSER. Look for a file called .htaccess; if it doesn't exist, create it (include the period). If it does exist, right-click on it and select "Edit". Enter the following inside:
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/$CPUSER/.htpasswds/public_html/passwd"
require valid-user
</FilesMatch>
ErrorDocument 401 default
7. In the above file, change the $CPUSER in /home/$CPUSER/.htpasswds/public_html/passwd to match your cPanel username. Save and exit.
Now, any time you go to your WordPress admin side, you will first be prompted for the username/password you created in step 3. In most browsers you can, however, save this login so that you are not prompted again after the initial login.
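To see what the <FilesMatch "wp-login.php"> block above actually does on the wire, here is an added Python example (written for this page; it is not cPanel's, Apache's or WordPress's code). It runs a tiny local HTTP server that applies the same rule: requests for wp-login.php without a valid Authorization header get a 401 with a WWW-Authenticate challenge whose realm is the AuthName "Secure Area", any other page is served untouched, and credentials are checked against an htpasswd-style file. The username "wpadmin", its password and the passwd contents are constructed for the demo; the entry uses the {SHA} format that Apache's `htpasswd -s` writes, chosen only because the standard library can compute it (the real file that Directory Privacy creates at /home/$CPUSER/.htpasswds/public_html/passwd uses its own hash, but the exchange is identical).

```python
"""Simulate the HTTP Basic Auth gate that <FilesMatch "wp-login.php"> puts in
front of wp-login.php, so the 401 challenge and the Authorization header can be
seen end to end without a cPanel account."""
import base64
import hashlib
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

REALM = "Secure Area"  # matches AuthName in the .htaccess above


def sha_entry(password: str) -> str:
    """Hash a password the way `htpasswd -s` does: {SHA} + base64(sha1(pw)).
    Used here only because the standard library can compute it."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed stand-in for /home/$CPUSER/.htpasswds/public_html/passwd
# (the user and password are made up for this demo).
HTPASSWD_TEXT = "wpadmin:" + sha_entry("correct-horse") + "\n"


def parse_htpasswd(text: str) -> dict:
    """Return {username: hashed_password} from htpasswd-style lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        users[user] = hashed
    return users


def basic_header(user: str, password: str) -> str:
    """Build the header value a browser sends after the login prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_credentials(header: Optional[str], users: dict) -> bool:
    """Validate an Authorization header against the parsed passwd file
    (this is the check `require valid-user` asks mod_auth_basic to make)."""
    if not header:
        return False
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Always run the comparison, and in constant time, so response timing
    # reveals neither whether the user exists nor how much of the hash matched.
    stored = users.get(user, sha_entry("placeholder-for-unknown-user"))
    ok = hmac.compare_digest(sha_entry(password).encode(), stored.encode())
    return ok and user in users


USERS = parse_htpasswd(HTPASSWD_TEXT)


class GateHandler(BaseHTTPRequestHandler):
    """Mimics Apache with the .htaccess above: only wp-login.php is gated."""

    def do_GET(self):
        if self.path.split("?")[0].endswith("wp-login.php"):
            if not check_credentials(self.headers.get("Authorization"), USERS):
                self.send_response(401)
                # This header is what makes the browser show the login prompt.
                self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
                self.end_headers()
                self.wfile.write(b"Unauthorized")  # ErrorDocument 401 default
                return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"page served")

    def log_message(self, *args):
        pass  # keep the demo quiet


def fetch(port: int, path: str, creds=None):
    """GET a path on the local gate; return (status, WWW-Authenticate or None)."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}{path}")
    if creds:
        req.add_header("Authorization", basic_header(*creds))
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")


def run_demo() -> dict:
    """Start the gate on a free loopback port, exercise it, return the results."""
    server = HTTPServer(("127.0.0.1", 0), GateHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {
            "no_creds": fetch(port, "/wp-login.php"),
            "bad_creds": fetch(port, "/wp-login.php", ("wpadmin", "wrong")),
            "good_creds": fetch(port, "/wp-login.php", ("wpadmin", "correct-horse")),
            "other_page": fetch(port, "/index.php"),  # not matched, no prompt
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Two things the demo makes visible that matter in practice: the Authorization header is only base64-encoded, not encrypted, so this first-level login protects credentials only when the site is served over HTTPS; and because the browser resends the same header on every later request once it has been accepted, you are not prompted again, which is the behaviour described above.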