Enabling two-step authentication for the WordPress admin is one of the most important steps in securing your website. By default, WordPress provides only its own login-based authentication and authorization; putting HTTP basic authentication in front of wp-login.php adds a second, independent check at the web server before an attacker can even reach the WordPress login form.

Password protect wp-login.php

Password protecting /wp-admin/ itself can break some WordPress functionality and plugins, because they make AJAX calls to /wp-admin/admin-ajax.php. You can still protect /wp-admin/ by exempting the AJAX endpoint from authentication, but the WordPress developers suggest that password protecting wp-login.php alone is sufficient.

Create password file: .htpasswd

Basically, it is a simple authentication mechanism: usernames and hashed passwords are kept in a plain text file. When a user submits a username and password, the web server hashes the entered password and compares the result with the entry stored for that user in the .htpasswd file. There are several ways to create the password file.

Create the password file using Apache Utilities

Many hosts provide tools to create the password file. On your own server you can use the htpasswd command, shipped in the httpd-tools package. The -c flag creates the file (and overwrites an existing one), so omit it when adding further users to an existing file.

[root@ra ~]# htpasswd -c .htpasswd anu
New password:
Re-type new password:
Adding password for user anu

Generate the Password file online

You can also use an online htpasswd generator: enter the username and password. Bear in mind that you are typing the password into a third-party website, so prefer generating the file locally for production credentials.

Once done, press the Create .htpasswd file button, then copy the generated text into your .htpasswd file.

Create the password file using OpenSSL utilities

First, add the username to the file using the command below:

$ sh -c "echo -n 'anu:' >> .htpasswd"

Next, append a hashed password for that username using the command below. The -apr1 option produces the MD5-based format that both Apache and Nginx understand. Enter the password twice when prompted.

$ sh -c "openssl passwd -apr1 >> .htpasswd"
Password:
Verifying - Password:

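To show what the openssl and htpasswd commands above actually write into the file, here is an added example (not from the original article) that implements the $apr1$ hash in Python and checks a username/password pair against a .htpasswd line the way the web server does. SAMPLE_HTPASSWD, its salt and the password s3cret are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    # Apache's to64(): `count` base-64 digits, least significant 6 bits first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_hash(password, salt=None):
    """Produce the $apr1$ string that `openssl passwd -apr1` / `htpasswd -m` write."""
    pw = password.encode()
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    sp = salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    for pl in range(len(pw), 0, -16):          # one byte of MD5(pw,salt,pw) per password byte
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:                                   # per bit of len(pw): NUL if set, else pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # stretching rounds; input order depends on i
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = "".join(_to64((final[x] << 16) | (final[y] << 8) | final[z], 4)
                  for x, y, z in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return "$apr1$" + sp.decode() + "$" + out + _to64(final[11], 2)


def check_htpasswd(htpasswd_text, username, password):
    """Do what the web server does: find the user's line, re-hash with its salt, compare."""
    for line in htpasswd_text.splitlines():
        user, _, stored = line.partition(":")
        if user != username or not stored.startswith("$apr1$"):
            continue
        salt = stored.split("$")[2]
        return hmac.compare_digest(apr1_hash(password, salt), stored)
    return False


# Constructed sample .htpasswd line, as the commands above would produce it (fixed salt so it is reproducible)
SAMPLE_HTPASSWD = "anu:" + apr1_hash("s3cret", "Xy7qWk2L") + "\n"
```

Run check_htpasswd(SAMPLE_HTPASSWD, "anu", "s3cret") to see the comparison succeed, and any other password or user to see it fail.
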
Enable Two-step Authentication for WordPress Admin in Nginx

In Nginx, the password protection is provided by HttpAuthBasicModule. Once you have created the password file (.htpasswd), add the directives below to Nginx's site configuration file, inside your domain's server block. Note that the example points auth_basic_user_file at /etc/nginx/passwd; change this to wherever you saved the .htpasswd file, and keep that file outside the web root.

location ^~ /wp-login.php {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/passwd;

    ## PHP Handler
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    include fastcgi_params;
}

auth_basic and auth_basic_user_file protect wp-login.php, but because this location block now matches the request, it must also contain the PHP handler: without it, a successfully authenticated request would never be passed to PHP-FPM.

Once you have updated the configuration, test it:

# nginx -t

If the test passes, reload Nginx to apply the new configuration:

On CentOS 6.x and below

# service nginx reload

On CentOS 7.x and above

# systemctl reload nginx

Now open wp-login.php or /wp-admin/ in the browser; you should see the browser's basic authentication prompt before the WordPress login form.

Enable Two-step Authentication for WordPress Admin in Apache

Unlike Nginx, with Apache you can put the configuration either in the Apache configuration file (virtual host) or in a .htaccess file.

Password protect wp-login.php within .htaccess

Insert the block below into the .htaccess file in the WordPress directory.

<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/httpd/.htpasswd
    Require user <username>
</Files>

Remember to update the .htpasswd file location and the username in the above block.

Virtual Host configuration:

Make sure your domain's virtual host configuration has AllowOverride All set for the .htaccess file to take effect (AllowOverride AuthConfig is the minimum needed for these particular directives).

Password protect wp-login.php in the Virtual Host

Open your domain's virtual host configuration file and insert the <Files wp-login.php> block shown below (the rest of the virtual host is shown for context):

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory "/var/www/html">
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    <Files wp-login.php>
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /var/www/html/wordpress/.htpasswd
        Require user david
    </Files>
</VirtualHost>

Remember to update the .htpasswd file location and the username in the above block. Where possible, store the .htpasswd file outside DocumentRoot: Apache's default configuration denies access to files whose names begin with .ht, but keeping the file outside the web root avoids relying on that rule.

Once you have updated the configuration, test it:

# apachectl configtest
Syntax OK

If the test passes, reload httpd to apply the new configuration:

On CentOS 6.x and below

# service httpd reload

On CentOS 7.x and above

# systemctl reload httpd

Now open wp-login.php or /wp-admin/ in the browser; you should see a prompt requesting a username and password before the WordPress login form.