What You Need to Know to Protect WordPress wp-admin and wp-login.php Using Basic Auth


This post explains how to protect your WordPress site using Basic Auth.


I make sure this WordPress site stays secure at all times. I choose trusted, well-maintained plug-ins from the WordPress.org directory that are compatible with the current version and are updated regularly.

However, I have been noticing many brute force attacks since last year. I use a plug-in called Login Security Solutions to block brute force attempts, so I am notified whenever someone tries to log in to my site. But my next concern was the massive number of notification emails.

I could have used a plug-in to add Basic Auth, but that would add extra PHP processing to every request. Although it is a bit more work, I decided to add Basic Auth manually by uploading an .htaccess file, and that is what I did.

After a while I noticed that the number of login failure notifications had not changed. Worse, I received a couple of hundred notifications within half an hour last weekend. I wondered whether my Basic Auth password had been cracked, but it turned out to be an attack on xmlrpc.php, which my rule did not yet cover.

So I immediately put xmlrpc.php behind Basic Auth in .htaccess as well. (There is arguably no point in adding Basic Auth to xmlrpc.php itself, but I added it anyway just in case.)

.htaccess in the WordPress root:

# Basic Auth for wp-login.php and xmlrpc.php only; the rest of the site stays public
AuthUserFile [Your Server Path to password file]/.htpasswd
AuthGroupFile /dev/null
AuthName "WordPress"
AuthType Basic
# Only requests whose file name ends in one of these two names are challenged
<Files ~ "(wp-login.php|xmlrpc.php)$">
    require valid-user
</Files>

.htaccess under /wp-admin/:

# No <Files> block here: every request under /wp-admin/ is challenged
AuthUserFile [Your Server Path to the password file]/.htpasswd
AuthGroupFile /dev/null
AuthName "WordPress"
AuthType Basic
require valid-user
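A quick way to confirm that both .htaccess rules above are doing their job is to read the Apache access log: a request to wp-login.php, xmlrpc.php or anything under /wp-admin/ that arrives without credentials is answered with a 401 by Apache itself and never reaches PHP, so it should no longer produce a plug-in notification. The script below is an added example, not part of this post; it assumes Apache's default "combined" log format and uses constructed sample lines (the addresses are documentation ranges, not real visitors). It counts the 401s per source address and per protected path, lists who actually authenticated, and separately flags 401s on /wp-admin/admin-ajax.php, because plug-ins often call that file from the public front end and the directory-wide rule will challenge ordinary visitors too.

```python
import re
from collections import Counter

# Assumes Apache's default "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths the two .htaccess rules above place behind Basic Auth.
PROTECTED = re.compile(r'^/(?:wp-login\.php|xmlrpc\.php)$|^/wp-admin/')

# Constructed sample lines (not real traffic): 203.0.113.7 hammers xmlrpc.php
# and wp-login.php, 198.51.100.9 fails once and then logs in, and 192.0.2.44 is
# a front-end visitor whose plug-in AJAX call runs into the /wp-admin/ rule.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "curl/8.0"
198.51.100.9 - admin [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:02 +0000] "POST /wp-admin/admin-ajax.php?action=load_more HTTP/1.1" 401 381 "https://example.org/" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:05 +0000] "GET /2023/10/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def summarize(log_text):
    """Tally Basic Auth challenges (401) on the protected paths and who got through."""
    blocked_by_ip = Counter()
    blocked_by_path = Counter()
    authenticated = []          # (ip, user) pairs that passed Basic Auth
    admin_ajax_challenges = 0   # likely front-end breakage caused by the /wp-admin/ rule
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not PROTECTED.search(rec["path"]):
            continue
        if rec["status"] == 401:
            blocked_by_ip[rec["ip"]] += 1
            blocked_by_path[rec["path"]] += 1
            if rec["path"] == "/wp-admin/admin-ajax.php":
                admin_ajax_challenges += 1
        elif rec["user"] != "-":
            authenticated.append((rec["ip"], rec["user"]))
    return {
        "blocked_by_ip": blocked_by_ip,
        "blocked_by_path": blocked_by_path,
        "total_blocked": sum(blocked_by_ip.values()),
        "authenticated": authenticated,
        "admin_ajax_challenges": admin_ajax_challenges,
    }


def top_offenders(summary, threshold):
    """Source addresses with at least `threshold` rejected attempts, sorted."""
    return sorted(ip for ip, n in summary["blocked_by_ip"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("rejected at Apache (never reached PHP):", s["total_blocked"])
    print("per path:", dict(s["blocked_by_path"]))
    print("repeat offenders (>= 3):", top_offenders(s, 3))
    print("authenticated:", s["authenticated"])
    print("admin-ajax.php challenges (check front-end features):", s["admin_ajax_challenges"])
```

Run it against a real log with `summarize(open("/var/log/apache2/access.log").read())`. If the number of Basic Auth rejections climbs while the plug-in notifications stop, the rules are working as intended. A non-zero admin-ajax.php count usually means a theme or plug-in feature for logged-out visitors is now broken; the usual remedy (an assumption, not something this post covers) is a `<Files admin-ajax.php>` block inside /wp-admin/.htaccess that grants access to that one file while the rest of the directory stays protected.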

By the way, concrete5 CMS has excellent built-in security features if you are seriously concerned about site security.