This post explains how to protect the login of a WordPress site with HTTP Basic Auth.
I keep this WordPress site secure at all times: I choose trusted, well-maintained plug-ins from the WordPress.org directory that are compatible with the current release, and I update regularly.
However, I have been noticing many brute-force attacks since last year. I use the plug-in called Login Security Solutions to protect against brute forcing, so I get notified whenever someone tries to log in to my site. My next concern was the massive number of notification emails.
I could have used a plug-in to add Basic Auth, but that would start an extra PHP process for every login attempt. Although it is a bit more involved, I decided to add Basic Auth manually by uploading a .htaccess file: the web server then rejects an unauthenticated request before wp-login.php is ever executed. The measure was put in place.
After a while I noticed that the number of login-failure notifications hadn't changed. Worst of all, I received a couple of hundred notifications within half an hour last weekend. I wondered whether my Basic Auth password had been cracked, BUT it was an attack on xmlrpc.php.
So I immediately added Basic Auth for xmlrpc.php in .htaccess as well. xmlrpc.php accepts a username and password directly in XML-RPC calls, so it is a second login endpoint that bypasses wp-login.php entirely. (Basic Auth on xmlrpc.php is of limited use on its own, since any XML-RPC client that does not send the Basic Auth credentials, such as a mobile app, is locked out too, but I added it anyway just in case.)
.htaccess on WordPress root
# wp-login.php and xmlrpc.php basic auth
AuthUserFile [Your Server Path to password file]/.htpasswd
AuthGroupFile /dev/null
AuthName "WordPress"
AuthType Basic
<Files ~ "(wp-login.php|xmlrpc.php)$">
    require valid-user
</Files>
.htaccess under /wp-admin/
AuthUserFile [Your Server Path to the password file]/.htpasswd
AuthGroupFile /dev/null
AuthName "WordPress"
AuthType Basic
require valid-user
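The whole procedure above as one script, added here as an example and not part of the original post: it generates the .htpasswd entry in the Apache MD5 format that htpasswd -m writes, emits both .htaccess files, and probes the site with curl to confirm that wp-login.php and xmlrpc.php now answer 401 without credentials. It goes slightly beyond the post in one respect: the /wp-admin/ file leaves admin-ajax.php open, because front-end plug-ins call it for anonymous visitors and blanket Basic Auth on wp-admin breaks them. The password-file path /srv/auth/.htpasswd, the host example.com and the user name wpadmin are assumptions; openssl and curl are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: openssl and curl
# are installed; the password file lives OUTSIDE the web root, e.g. the
# hypothetical /srv/auth/.htpasswd, so it can never be served to a client.

# Print one .htpasswd line using the Apache-specific MD5 scheme ($apr1$),
# the same format `htpasswd -m` produces. The optional fixed salt makes the
# output reproducible; omit it in real use so openssl picks a random one.
htpasswd_entry() {
    user=$1; pass=$2; salt=${3:-}
    if [ -n "$salt" ]; then
        hash=$(openssl passwd -apr1 -salt "$salt" "$pass")
    else
        hash=$(openssl passwd -apr1 "$pass")
    fi
    printf '%s:%s\n' "$user" "$hash"
}

# .htaccess fragment for the WordPress root: challenge only the two login
# entry points. FilesMatch is the current spelling of the post's <Files ~ "">
# form; the anchored regex avoids matching e.g. "my-wp-login.php.bak".
root_htaccess() {
    cat <<EOF
# wp-login.php and xmlrpc.php basic auth
AuthUserFile $1
AuthGroupFile /dev/null
AuthName "WordPress"
AuthType Basic
<FilesMatch "^(wp-login|xmlrpc)\.php$">
    Require valid-user
</FilesMatch>
EOF
}

# .htaccess for /wp-admin/: protect everything, but leave admin-ajax.php
# reachable because themes and plug-ins call it for logged-out visitors.
# Apache 2.4 form; on 2.2 use "Satisfy Any" + "Allow from all" in the block.
admin_htaccess() {
    cat <<EOF
AuthUserFile $1
AuthGroupFile /dev/null
AuthName "WordPress"
AuthType Basic
Require valid-user
<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
}

# HTTP status for a URL, optionally with credentials given as user:pass.
# Expected after deployment: 401 without credentials, 200 (or a 302 to the
# dashboard) with them, for BOTH wp-login.php and xmlrpc.php.
probe() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null -w '%{http_code}' -u "$2" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' "$1"
    fi
}

# Usage (hypothetical paths and host). Note the ">>" for the root file: the
# WordPress root .htaccess already holds the permalink rewrite rules, so
# append to it rather than overwrite it.
#   htpasswd_entry wpadmin 'correct horse battery staple' > /srv/auth/.htpasswd
#   root_htaccess  /srv/auth/.htpasswd >> /var/www/html/.htaccess
#   admin_htaccess /srv/auth/.htpasswd  > /var/www/html/wp-admin/.htaccess
#   probe https://example.com/wp-login.php
#   probe https://example.com/xmlrpc.php
#   probe https://example.com/wp-login.php 'wpadmin:correct horse battery staple'
```

Serve the site over HTTPS only: Basic Auth sends the credentials base64-encoded, not encrypted, so over plain HTTP the .htaccess password is exposed to anyone on the path.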
By the way, concrete5 CMS has excellent built-in security measures if you are really concerned about site security.