All Collections
cPanel and WebHost Manager (WHM)
Password protecting WordPress using cPanel and .htaccess
Password protecting WordPress using cPanel and .htaccess
Justin Catello avatar
Written by Justin Catello
Updated over a week ago

One of the most effective ways of locking out intruders from potentially gaining access to your WordPress admin area is by introducing a first level login which in most cases completely deters brute force attacks.  Please follow the steps below to better protect your WordPress site!

*Note, $CPUSER represents your cPanel username, make sure to replace it. 

  1. Log into cPanel

  2. Click on "Directory Privacy"

  3.  Select "public_html" from the list. 

  4. The new screen at the top will say "Set permissions for /home/$CPUSER/public_html/" We are not actually password protecting this folder, only using this screen to create your username/password for the protection.Go down to the "Create User" section and fill in the username / password you want to use for the protection, once done click Save.

  5. At the top left, click on the "Home" icon to get back to the main cPanel screen, once there click the "File Manager" icon. * On the left hand side, Select /home/$CPUSER where $CPUSER is the name of your account.** Click the Settings button at top right and Check "Show Hidden Files (dotfiles)."

  6. You should now be in /home/$CPUSER, look for a file called .htaccess, if it doesn't exist, create it(include the period) if it does exist right click on it and select "Edit" and enter the following inside: 

<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/$CPUSER/.htpasswds/public_html/passwd"
require valid-user
ErrorDocument 401 default

7. In the above file change the $CPUSER in /home/$CPUSER/.htpasswds/public_html/passwd to match your cPanel username.Save and exit.

Now anytime you go to your WordPress admin side you will first be prompted for your username / password you created in step 3.  You can however in most browsers save this login so you can bypass it after the initial login.

Did this answer your question?