
I'm running a small private WordPress blog and would like to protect the wp-login.php using .htaccess and .htpasswd. I'd like to be prompted by an additional password prompt when trying to access the wp-login.php file.

Using this in my .htaccess works but obviously protects my whole site.

    AuthName "Zugangpasswort"
    AuthType Basic
    AuthUserFile  (path)/.htpasswd
    require valid-user

So I can be sure everything points in the right direction. But after restricting it to a given file, nothing happens.

    <Files wp-login.php>
     AuthName "Zugangpasswort"
     AuthType Basic
     AuthUserFile  (path)/.htpasswd
     require valid-user
    </Files>

There is no kind of error message nor any password prompt when trying to access wp-login.php. .htaccess and .htpasswd are in the same folder as the file I'm looking to protect. I cleared the browser cache and used private windows. Any ideas?

(I'm a complete newbie with all kinds of these things... Sorry, if I made a dumb mistake)

Newbie
  • I don't really understand why you'd want to protect that file this way. Wouldn't it make much more sense to protect the folder `wp-admin`? – arkascha Jul 17 '23 at 05:29
  • In your question it is unclear where "(path)/.htpasswd" points to. The documentation clearly states: "File-path is the path to the user file. If it is not absolute (i.e., if it doesn't begin with a slash), it is treated as relative to the ServerRoot.". You state that the ".htpasswd" and the ".htaccess" file are in the same folder. Are you sure that whatever "(path)" stands for is correct? (Assuming that you did not literally write "(path)" in your implementation ... – arkascha Jul 17 '23 at 05:29
  • Thanks for your input! I did not write path literally, but wrote the complete path. To test if I did it right, I tested it without pointing to the file and instead protected my whole site, and it worked. So I guess I can be sure to be using the right path there. – Newbie Jul 17 '23 at 08:51
  • @arkascha (to your first comment): protecting the folder "wp-admin" doesn't stop the bots from flooding my login with attacks, which is my main goal for now. Additional steps to increase the overall security may be the next I'll try to achieve. – Newbie Jul 17 '23 at 08:59
  • OK, I understand what you are trying to achieve with password protecting the login page. BUT: That does not really solve the issue. Because bots can (and will!) still request that page, flooding your service. So what would you have gained? If you really want to reduce the number of such requests then you need to prevent the requests, not whether they get answered by wordpress or by the apache server. Sounds like a candidate for a knocking strategy on firewall level ... – arkascha Jul 17 '23 at 09:15
  • Ok, thanks. Can you give me a hint what to Google for so I can read a bit to understand what I could possibly do? – Newbie Jul 17 '23 at 09:27
  • I personally would look into two alternatives (though securing WordPress is something altogether impossible anyway ;-) ): 1. check whether you can rewrite the paths to the `wp-admin` section and the `wp-login.php` page. Bots typically operate blind, so simply test well known URL paths. So using _other_, not well known paths has the same effect as operating services on other than well known ports: the majority of bots fails to see them. – arkascha Jul 17 '23 at 11:28
  • 2. Look for a "port knocking" approach. Similar to a password you'd have to legitimize access prior to reaching those paths. But bot requests are blocked on firewall level, not on service level. Which unburdens all of that from your actual service. And which is _much_ more efficient when it comes to network load. – arkascha Jul 17 '23 at 11:29
  • @arkascha: Thank you for taking the time pointing me in the right direction! – Newbie Jul 17 '23 at 11:57

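For reference, an added example (not from the question or its comments) of the complete per-file setup on Apache 2.4, including the server-side override the `.htaccess` directives depend on and a way to verify the challenge from outside. The directory path, realm, user name and host name are placeholders.

```apache
# --- httpd.conf or the site's vhost: allow .htaccess in the site root to carry
# auth directives. With "AllowOverride None" the .htaccess file is never read;
# without AuthConfig the Auth*/Require lines in it are rejected.
# (FileInfo is what WordPress's own rewrite rules need.)
<Directory "/var/www/example-blog">
    AllowOverride AuthConfig FileInfo
</Directory>

# --- .htaccess in the WordPress root: only the login script is challenged,
# the rest of the site stays public.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted login"
    # Use an absolute path: a relative one is resolved against ServerRoot,
    # not against the folder holding this .htaccess.
    AuthUserFile "/var/www/example-blog/.htpasswd"
    Require valid-user
</Files>

# Never serve the password file itself. Stock configs already deny ".ht*";
# repeating it here is harmless if so.
<Files ".htpasswd">
    Require all denied
</Files>

# Create the credential file once, with bcrypt hashes (-B) instead of the
# default MD5-based scheme:
#   htpasswd -B -c /var/www/example-blog/.htpasswd alice
#
# Verify: an unauthenticated request must now get 401 plus a WWW-Authenticate
# header instead of the WordPress login form:
#   curl -sI https://blog.example/wp-login.php | grep -E '^(HTTP|WWW-Authenticate)'
#
# If that still shows 200, check whether the request reaches Apache at all
# (a proxy, CDN or cache in front answers without ever consulting .htaccess).
```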