Your WordPress dashboard is protected by WordPress using a simple username and password scheme. Hackers use the well known path to the wp-login.php page in an attempt to brute force attack your site and guess your credentials. Even if they never succeed they consume resources that could be put to better use, servicing real requests. The best way to protect yourself from such attacks is to add an additional layer of security. Instead of having WordPress service the initial authentication request we’ll add a new layer of authentication controlled by the web server. An added benefit to this set up is that you also protect your WordPress admin area from zero day vulnerabilities that might affect your site before it’s patched.

Adding Webserver Authentication Using Your Hosting Control Panel

  1. Login to your hosting control panel
  2. Under the “Files” section, select “Directory Privacy”.
  3. Once you are in the explorer window navigate to the directory where WordPress is installed, usually “public_html”, and select the “wp-admin” directory.
  4. Confirm the path of the directory is correct and tick the option “Password”protect this directory”. In the “Name” field use something like “Level One Protection”.
  5. Click the Save button.
  6. Create a username and password to access this directory. Click the back button and scroll down to the section “Create User”.
  7. Specify a username (e.g. levelone) and a password (let it choose a secure password for you) and  then click “Save”.
  8. Give the new security layer a try. Open up your WordPress dashboard (/wp-admin/ section). You should see a new front-end authentication window. Login in using the username and password you just created and you should be presented with the WordPress authentication screen.

Allowing Ajax Functionality

Some WordPress plugins need access to the admin-ajax.php file which is located in the wp-admin directory. To allow access to the file you can add the text below to the .htaccess file you just created.

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

To test whether any of your plugins use the admin-ajax simply password protect the wp-admin directory and confirm that the website is still fully functional. If not, allow access to admin-ajax.php file as suggested above. If needed open the .htaccess file using the “File Manager”. Note, you may need to click on the settings icon and enable “Show Hidden (dotfiles)” files to see the “.htaccess” file.