WordPress is the most popular content management system in the world and powers millions of websites. It is one of the simplest and most reliable platforms on which to start a business, but WordPress security is a major concern for every site owner.
Around 90,000 hack attempts are made against WordPress websites every day. Whether it is an opportunistic bot or a skilled attacker trying to take over your site, there are several ways to break into a WordPress installation, and putting an authentication layer in front of it closes off many of them.
Here is what you can do with password protection on your site: (1) password protect the entire site, (2) password protect a specific post or page, or (3) hide part of a post that would otherwise be public.
In this guide you will learn how to password protect a WordPress site or a single page, how to shield the login from unauthorized access and brute force attempts, and how to make the whole platform private when that is what you need.
There are several reasons why protecting WordPress with a password is a good idea. For example, suppose that, for convenience, you want to build or change the site directly on its production hosting rather than on a local or staging server.
To keep visitors from seeing the unfinished site, you can protect it with a password so that only you can get in.
Or suppose the website belongs to a private club and its content should be shown only to people who have a password handed out by the club administrator. That, too, calls for protecting WordPress with a password.
These are only two cases; there are many more.
In this tutorial, we will show you how to protect your WordPress with a password so that only you can access it.
You can password protect a WordPress page so that the general public cannot see it. This will stop most Internet users from easily finding it or viewing its content.
However, this method does not stop the page from being indexed by search engines: the title is still published (prefixed with "Protected:"), only the body is withheld. It also does not encrypt the page content, which stays in the database in the clear. Therefore, you should not rely on it for content that you absolutely must keep private.
To password protect a WordPress page: open the page in the editor, find Visibility in the page settings panel (it reads "Public" by default), choose "Password Protected", enter a password, and update or publish the page. Visitors are then shown a password form instead of the content.
With HTTP Basic authentication (also called htpasswd protection) you add an extra layer of password protection that people must pass before they can even load your site, which is why it is a great option for development and staging sites.
To set up htpasswd protection, create a file named .htpasswd with any text editor and store it outside the web root if you can (it must be readable by the web server, but it should never be served to visitors). Each line holds a username and the password in hashed, not plain, form; htpasswd can write bcrypt (-B), apr1-MD5 (-m, the default), SHA-1 (-s) or crypt (-d) entries. Let the htpasswd tool generate the line rather than writing it by hand, and prefer bcrypt on Apache 2.4, since the other schemes are fast to brute-force offline if the file ever leaks.
For example, for a user named mysite the .htpasswd file looks like this (an apr1-MD5 entry):
    mysite:$apr1$MvhtEwWO$.Ro5NOQNw9tAtZns8UOl20
Once the matching Apache configuration (AuthType Basic, AuthUserFile pointing at this file and Require valid-user) is in place, your WordPress site requires authentication before anything is served. You can change the credentials at any time or remove the configuration when you no longer need it.
If you are on shared hosting, you probably have cPanel. The good news is that cPanel offers a utility called Directory Privacy, which lets you set a username and password for a directory and writes the .htaccess and .htpasswd entries for you.
Once you have a password file in a format Nginx can read (user:hash lines as written by htpasswd), configure Nginx to check it before serving the protected content.
First, open the server block configuration file you want to restrict. For this example we use the default server block file installed by the Ubuntu Nginx package:
    sudo nano /etc/nginx/sites-enabled/default
With the comments stripped, the file should look like this:
/etc/nginx/sites-enabled/default

    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        root /usr/share/nginx/html;
        index index.html index.htm;
        server_name localhost;
        location / {
            try_files $uri $uri/ =404;
        }
    }
To configure authentication, choose the context to restrict. Among other choices, Nginx lets you set restrictions at the server level or for a specific location. In this example we restrict the entire document root through the location / block, but you can narrow it to a specific directory of the web space.
Inside that location block, use the auth_basic directive to enable authentication and give it a realm string, the name the browser shows when it asks for credentials. Then use auth_basic_user_file to point Nginx at the password file:
/etc/nginx/sites-enabled/default

    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        root /usr/share/nginx/html;
        index index.html index.htm;
        server_name localhost;
        location / {
            try_files $uri $uri/ =404;
            auth_basic "Restricted Content";
            auth_basic_user_file /etc/nginx/.htpasswd;
        }
    }
Save and close the file. Check the syntax with nginx -t, then restart or reload Nginx to apply the policy:
    sudo service nginx restart
The location you specified is now password protected: a request without valid credentials receives 401 Unauthorized together with a WWW-Authenticate challenge.
Protecting folders or files served over HTTP with a password adds a layer of security at the web server. It can be done trivially from within a content manager such as WordPress or Drupal, but doing it directly in the web server, Apache in this case, means the request is rejected before PHP ever runs, which saves resources. That is especially useful when you are fending off a brute force attack against the login.
Files or directories can be protected in Apache either in the global configuration files or through .htaccess and .htpasswd files. The second way is discouraged for performance and security reasons (Apache has to look for .htaccess files along the directory path on every request, and anyone who can write to the web root can change the rules), so the first way is explained here for an Apache 2.4 web server on Debian Jessie.
The first way requires access to the Apache configuration files.
Access will be controlled with a username and password, stored as hashed entries in a plain text file. For this the following Apache modules must be active:
    mod_auth_basic
    mod_authn_file
    mod_authz_user
    mod_authn_core
    mod_authz_core
In the Apache documentation, there is a description of the necessary modules if you want to enable access by hostname or IP or host the passwords in another way.
To check that the modules are active, run:
    apache2ctl -M | grep -i auth
Any that are missing can be enabled with a2enmod, followed by a reload of Apache.
Let’s implement Basic Authentication in Nginx as follows.
We will use the Apache utilities to generate the credentials. If Apache HTTP Server is not installed on the machine, install the utilities separately as shown below. If in doubt, run htpasswd to see whether it is present.
CentOS / RHEL 8
dnf install httpd-tools
CentOS / RHEL 7
yum install httpd-tools
Ubuntu
apt-get install apache2-utils
Create the credentials the same way as for Apache:
    htpasswd -c /etc/nginx/.htpasswd user1
Replace user1 with the real username. The -c flag creates the file and overwrites it if it already exists, so leave -c out when adding further users. htpasswd writes apr1-MD5 entries by default, which Nginx understands; bcrypt entries work only where the system crypt() function supports them, so test before switching. Make the file readable by the Nginx worker user and by nobody else.
Next, configure Nginx so that it demands the password for a particular URI.
Suppose we need to protect everything under /admin (on a WordPress site the equivalents are /wp-admin and wp-login.php).
Add the following inside the server block in nginx.conf or whichever Nginx config file is active:
    location /admin {
        auth_basic "Admin Area";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
Test the configuration with nginx -t and reload Nginx. On a WordPress site, if you protect /wp-admin this way, remember that front-end plugins call wp-admin/admin-ajax.php from visitors' browsers, so that one file needs an exception.
What if you need to restrict the entire website served by Nginx?
Easy!
Add the following two directives in nginx.conf, or in the active config file, inside the location / block:
    auth_basic "Admin Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
A WordPress feature that often goes unnoticed is publishing password-protected posts or pages that can be read only by users who have the "master" key for them.
This option has been built in for a long time; many WordPress administrators use it, while many others overlook it and reach for a plugin, adding load to the site.
Applying a password to a post or page takes only a few seconds, either while writing it or afterwards, and it can suit blogs or news sites that reward loyal readers with exclusive publications.
After you protect a post with a password, a reader who opens it sees a notice and a field in which to enter the password, if they have one. Keep in mind that WordPress stores this password in the clear in the posts table, sets a cookie once the visitor gets it right, and does not limit failed attempts, so it is a convenience control rather than a strong one.
There are plugins that help you password protect only a particular section of a post. Here is a popular one.
Finally, one of the easiest ways to password protect just a portion of an otherwise public post is the free Passster plugin. It protects parts of your WordPress posts with passwords or a CAPTCHA by generating shortcodes in which you wrap the content to be protected. For each shortcode you can customize the title, instructional text, placeholder and button text. Passster supports popular page builders such as Elementor and Beaver Builder.
The built-in option for password protecting WordPress content is handy when your site has little content, but it becomes painful when there is a lot of it. In that case, password protecting a whole category is more effective: every post in the category then gets the same selective access. Here is how you can password protect WordPress categories.
This is a simple plugin that restricts access to posts according to the categories they belong to. It lets you choose the categories to restrict and set a password. When a user tries to open the content or its excerpt, the plugin shows a form asking for the password. You can also set the description text for the feeds WordPress generates.
In addition, the plugin lets you grant access to certain users without the password, set a message telling users to enter the password, configure a message for a wrong password, and decide whether the excerpt should be displayed.
The plugin is described as somewhat more secure because it tracks validated visitors with server-side PHP sessions instead of a client-side cookie, encrypts the stored password, and filters the normal content stream so that restricted content is not leaked.
How to password protect your entire WordPress site
There is no default option on WordPress to protect the entire site with a password. You will need to use a third-party plugin to manage this on your site.
Now let’s take a look at two popular plugins that you can use to password-protect the entire WordPress site.
Used to password protect WordPress forms
The Form Locker addon plugin lets you password protect your forms. This is ideal if you want to run a private survey or restrict your contact form to specific people.
How does it work?
When a user tries to access one of your protected forms, they will be prompted for a password before the form is displayed:
Schedule Your Form
You can also schedule when you would like your form to be accessible. For instance, you can make it so that the form is only available on a certain date and time:
Limit Submissions by IP Address
Make it so that each person can fill out the form only once. This option limits submissions by IP address. Treat it as a convenience rather than a security control: several people behind one NAT or office gateway share a single address and will block each other, while anyone who switches to a VPN or a mobile connection can submit again.
Set Entry Limit
You can choose to limit the total number of entries you receive. For example, if you are running a giveaway and want to limit entries to 10 people:
Restrict Access by User Role
Restrict your forms so that they are only available to members (members-only site). You can choose which user roles have access:
Type the plugin name (as indicated, "Password Protected") and press Enter to start the search. If you have followed the steps to the letter, the plugin should appear as the first result. Install and activate it.
Once activated, go to Settings >> Password Protected to configure the plugin.
There you will find several options.
If you have ticked "Activated", entered a password and pressed Save Changes, visiting the public part of your website now shows a text box asking for the password.
This plugin offers a simple way to protect your entire WordPress site with a single password. It shows a login page similar to the WordPress login, so your users enter the password and then reach the content.
Note that this plugin only protects content generated by WordPress: image and other uploaded files can still be fetched by their direct URL, and the protection is enforced in PHP rather than by the web server.
The plugin can leave RSS feeds accessible, let site administrators in without the password, and allow listed IP addresses through without a password.
It is easy to use and is a simple solution for protecting a WordPress site while allowing selective access.
HTTP authentication restricts access to your WordPress admin area with an extra layer of protection: anyone who wants to reach the login page has to get past the web server's authentication first. How? In this section we show how to password protect wp-admin and wp-login.php with HTTP Basic authentication.
To secure your WordPress site with HTTP authentication, first generate a .htpasswd file. Then reference the location of that .htpasswd file from your site's .htaccess file. That locks down the login page.
A password on the WordPress login might already give you a sigh of relief. But attackers run brute force attacks, using bots to guess your login credentials over and over, which is why the WordPress login page deserves an additional layer of protection.
This file holds the usernames and password hashes of everyone allowed into wp-admin. To create a new .htpasswd file, run:
    htpasswd -c -B .htpasswd Harini
Open a terminal on your system and type the command above. -c creates the file (it overwrites an existing one, so omit it when adding more users), -B selects bcrypt hashing, and Harini is the username you chose. When you press Enter you are prompted for a password for that user. The password is stored as a hash, never in the clear. This .htpasswd file is your HTTP Basic authentication credential store; keep it outside the web root, or make sure the server refuses to serve it.
htaccess password generator
If you cannot run htpasswd, there are online .htpasswd generators. Be aware of what you are doing when you use one: you are typing a password you intend to use into a third party's website, so never reuse a password there, prefer a generator that hashes in your browser, or simply install the Apache utilities locally.
With a generator you enter the username and password of your choice (most can also produce a random password) and press the "Generate .htpasswd file" button; the entry is produced instantly and you paste it into your .htpasswd file.
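The .htpasswd sections of this article (the apr1 example for the user mysite earlier, and the htpasswd -c command here) both say that passwords are stored in hashed form. The scheme matters: apr1-MD5, SHA-1 and crypt entries are fast to brute-force offline if the file ever leaks, while bcrypt is not. The following script is an added example, not code from this article or from the Apache project. It classifies each entry of a .htpasswd file by its hash scheme and counts the entries that are not bcrypt, so you can audit a file before trusting what a generator produced. It assumes the standard user:hash format and uses a constructed sample file, not real credentials.

```shell
#!/bin/sh
# Audit a .htpasswd file for weak hash schemes.
# Added example for this article; not code from the article or from Apache.
# Assumes the standard "user:hash" format written by htpasswd(1).

# Classify one stored hash by prefix (bcrypt, apr1-md5, sha1) or shape (crypt).
hash_scheme() {
  stored=$1
  case "$stored" in
    '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;     # htpasswd -B
    '$apr1$'*)               echo apr1-md5 ;;   # htpasswd -m (the default)
    '{SHA}'*)                echo sha1 ;;       # htpasswd -s
    *)
      # Traditional crypt(3): exactly 13 characters from [A-Za-z0-9./]
      if [ "${#stored}" -eq 13 ] &&
         [ -z "$(printf '%s' "$stored" | tr -d 'A-Za-z0-9./')" ]; then
        echo crypt                              # htpasswd -d
      else
        echo plaintext                          # htpasswd -p, or a hand-written entry
      fi ;;
  esac
}

# Print the number of entries that do not use bcrypt; list each one on stderr.
# Blank lines and '#' comments are skipped.
weak_count() {
  n=0
  while IFS=: read -r user stored; do
    case "$user" in ''|'#'*) continue ;; esac
    scheme=$(hash_scheme "$stored")
    if [ "$scheme" != bcrypt ]; then
      n=$((n + 1))
      printf 'WEAK  %-10s %s\n' "$user" "$scheme" >&2
    fi
  done < "$1"
  echo "$n"
}

# Constructed sample file with one entry per scheme (not real credentials).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# staging site users
alice:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
mysite:$apr1$MvhtEwWO$.Ro5NOQNw9tAtZns8UOl20
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:rlwRO3N5eUkG6
EOF
weak_count "$sample"    # prints 3 (mysite, carol and dave are not bcrypt)
rm -f "$sample"
```

Run weak_count against /etc/nginx/.htpasswd or wherever your file lives. Entries reported as WEAK can be regenerated with htpasswd -B on Apache 2.4; with Nginx, confirm that the system crypt() accepts $2y$ hashes before switching.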
The .htaccess file is where Apache is told to use those credentials, and thus where access is restricted to the specified people. It is generally found in the public_html folder (the site root, next to wp-login.php). If it does not exist yet, create it; then add the following block to it:
<Files wp-login.php>
AuthUserFile /path/to/.htpasswd
AuthName "Private access"
AuthType Basic
require valid-user
</Files>
AuthUserFile /path/to/.htpasswd: make sure you give the correct absolute path to your .htpasswd file in place of ‘/path/to/.htpasswd’.
Require valid-user: the ‘valid-user’ keyword tells Apache to grant access to wp-login.php to any user listed in the .htpasswd file. If you want to grant access only to selected people, name the usernames instead of ‘valid-user’.
For instance, if five people are listed in .htpasswd but only user01 should get in, you would write:
    Require user user01
Once you are done, save the file in the site root, the directory that contains wp-login.php (a <Files wp-login.php> block placed in wp-admin/.htaccess would match nothing, because wp-login.php does not live there). From then on, anyone who opens http://[yourdomain.com]/wp-admin or tries to log in to the dashboard gets a browser authentication prompt before the WordPress login screen loads; they must authenticate with the Apache web server before they can reach the WordPress login at all. Always do this over HTTPS: Basic authentication sends the credentials base64-encoded, not encrypted.
Basic authentication over HTTPS is easy to set up, but if you extend it to the whole wp-admin directory (an .htaccess in wp-admin without the <Files> wrapper), some plugins that use Ajax will break. They call the file admin-ajax.php in wp-admin from visitors' browsers, and those requests now fail with an authentication error.
To keep that file reachable for such plugins, add the following to the .htaccess file in wp-admin:
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>
On Apache 2.4 without mod_access_compat, put Require all granted inside the <Files> block instead of those three lines.
While you implement HTTP authentication, keep WordPress itself and all plugins and themes updated. Keeping WordPress up to date is an important step in improving the security of your site.
The most important file in any WordPress installation is wp-config.php. It stores all the database connection settings, including the database name, username and password, as well as the security keys and other advanced settings. It is therefore essential to block unauthorized access to it.
WordPress security can be strengthened by changing some basic configuration settings. Add this to the .htaccess file in the site root:
    <Files wp-config.php>
        Order allow,deny
        Deny from all
    </Files>
On Apache 2.4 without mod_access_compat, the equivalent is Require all denied inside the same <Files> block. This is defence in depth: Apache normally executes wp-config.php rather than serving its source, but a broken PHP handler can expose it. Note that the rule matches the exact file name only, so editor backups such as wp-config.php~ or wp-config.php.bak are not covered and should not be left in the web root.
If attackers are hammering your admin panel, you can restrict admin access to specific IP addresses only. Create another .htaccess file containing the snippet below and upload it to the “www.yourwebsite.com/wp-admin/” folder:
    # Limit logins and admin by IP
    Order deny,allow
    Deny from all
    Allow from 12.34.56.78
Two corrections to the commonly copied version of this snippet: Order deny,allow takes no space after the comma, and the rules should not be wrapped in <Limit GET POST PUT>, because a <Limit> section only covers the methods it names and leaves every other method (OPTIONS, or anything non-standard) unrestricted. On Apache 2.4 the native form is Require ip 12.34.56.78.
Anyone who tries to reach wp-admin from another address gets a 403 Forbidden response from Apache (not a database error). Remember that wp-admin/admin-ajax.php is used by front-end plugins from visitors' browsers, so you may need to exempt it with a <Files admin-ajax.php> block.
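The IP allowlist above is hand-written; if you maintain it from a list of office and VPN addresses, it is easy to paste in something Apache will not parse or to leave the <Limit> wrapper in. The following shell functions are an added example, not code from this article or from the Apache project: they validate each address as IPv4 or IPv4/CIDR, refusing anything else, and render the Apache 2.4 (Require syntax) wp-admin/.htaccess body, including the admin-ajax.php exception. The addresses used are constructed documentation ranges, and the function names are this example's own.

```shell
#!/bin/sh
# Build an Apache 2.4 IP allowlist for wp-admin from validated addresses.
# Added example for this article; not code from the article or from Apache.
# Assumes Apache 2.4 "Require" syntax and that the output is saved as
# wp-admin/.htaccess.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
# Anything else (hostnames, IPv6, shell metacharacters) is rejected.
valid_ipv4_cidr() {
  printf '%s\n' "$1" | awk -F'[./]' '
    NF != 4 && NF != 5 { exit 1 }
    {
      for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
      if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) exit 1
    }'
}

# Print the wp-admin/.htaccess body for the given addresses, or fail.
# Usage: render_wp_admin_allowlist 203.0.113.7 198.51.100.0/24
render_wp_admin_allowlist() {
  [ "$#" -gt 0 ] || { echo 'at least one address is required' >&2; return 1; }
  for addr in "$@"; do
    valid_ipv4_cidr "$addr" || { echo "invalid address: $addr" >&2; return 1; }
  done
  echo '# Limit wp-admin to the listed addresses (Apache 2.4 syntax).'
  echo '# No <Limit> wrapper: it would leave unlisted HTTP methods unrestricted.'
  echo '<RequireAny>'
  for addr in "$@"; do
    echo "    Require ip $addr"
  done
  echo '</RequireAny>'
  echo ''
  echo "# Front-end plugins call admin-ajax.php from visitors' browsers;"
  echo '# keep it reachable from anywhere.'
  echo '<Files admin-ajax.php>'
  echo '    Require all granted'
  echo '</Files>'
}

# Constructed example addresses (RFC 5737 documentation ranges).
render_wp_admin_allowlist 203.0.113.7 198.51.100.0/24
```

Redirect the output to wp-admin/.htaccess and reload Apache. If Apache 2.4 still runs with mod_access_compat, the old Order/Deny/Allow lines would also work, but mixing the two styles in one file is a common source of confusing results, so pick one.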
Besides wp-config.php, the other sensitive area is the wp-content folder, which holds your uploads, themes, plugins and cached files. That makes it a prime target: an attacker who manages to drop a PHP file into uploads and request it has code execution. To restrict what Apache will serve directly from this folder, create a new .htaccess file with the snippet below:
    Order deny,allow
    Deny from all
    <Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
        Allow from all
    </Files>
Upload it to the “www.yourwebsite.com/wp-content/” folder. The rule does not control what can be uploaded; it controls what can be requested. Only files ending in .xml, .css, .jpg/.jpeg, .png, .gif and .js are served, and everything else, in particular PHP scripts, is refused. Before deploying it, extend the list with every other static type your theme and plugins actually serve (for example woff, woff2, ttf, svg, webp, pdf, mp4), or those assets will break. The backslash before the dot is required; without it the dot matches any character.
wp-includes contains everything required to run WordPress: it is the enclave of the WordPress core files. While wp-content holds plugins and themes, the API and the vast majority of the core sit in this folder. No visitor, anonymous or logged in, has any reason to request its PHP files directly. To block such requests, add this snippet to the .htaccess file in the site root:
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>
Place it outside the # BEGIN WordPress / # END WordPress block, because WordPress rewrites that block when you save permalink settings. On a multisite installation, remove the RewriteRule ^wp-includes/[^/]+\.php$ line, since ms-files.php in that directory must remain reachable.
Directory listings let anyone browse the contents of your WordPress directories and discover plugin versions or stray files, which can turn into a real security problem. To switch them off, add the following to your .htaccess file:
    # disable directory browsing
    Options All -Indexes
With that, we have reached the end of our guide to password protecting WordPress in all its forms. If you only need to restrict individual posts or pages, the built-in password feature is enough. To password protect other parts of WordPress you will need the web server configuration described above or one of the third-party plugins referenced above.
Need help? Perform a WordPress security audit as well, and make sure the site is free of malware.