The wp-admin panel is already password protected in that you are required to log in. Sometimes that’s not good enough. This tutorial explains how to add an additional layer of authentication to the login process, essentially blocking wp-login.php requests from annoying bots or other malicious users.
Step 1:
Create a `/path/to/.htpasswd` file. (More info.)
Step 2:
Create a `/path/to/your/site/wp-admin/.htaccess` file with the following content:

```apache
# Require a valid user from the password file for everything in wp-admin
AuthUserFile /path/to/.htpasswd
AuthType basic
AuthName "Restricted Resource"
require valid-user

# Whitelists
# "Satisfy any" lets these files through without the Basic auth prompt
<Files "admin-ajax.php">
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

<Files "*.css">
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

<Files ~ "\.(jpg|jpeg|png|gif)$">
    Order deny,allow
    Allow from all
    Satisfy any
</Files>
```
Change `/path/to/` to match the location of your files.
Important! Under Whitelists I have added entries for admin-ajax.php, *.css, and a regular expression for images. This unblocks WordPress’ AJAX functionality used by certain plugins, as well as CSS and image files certain themes may be importing. Without these you risk breaking your site.
Step 3:
Append the following to your existing WordPress .htaccess file one parent folder up (i.e. /path/to/your/site/.htaccess):

```apache
# Prompt for Basic auth before wp-login.php is served
<Files wp-login.php>
    AuthUserFile /path/to/.htpasswd
    AuthType basic
    AuthName "Restricted Resource"
    require valid-user
</Files>
```
Change `/path/to/` to match the location of your files.
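To confirm that both files from Steps 2 and 3 are actually being applied, the following check requests each path without credentials and compares the response with what the configuration should produce. It is an added example, not part of the original tutorial; the function names, the CSS sample path and the site URL passed on the command line are assumptions.

```python
import sys
import urllib.error
import urllib.request

# Path -> True if an unauthenticated request must get a Basic auth challenge.
EXPECTATIONS = {
    "/wp-login.php": True,                  # Step 3 <Files> block
    "/wp-admin/": True,                     # Step 2 wp-admin/.htaccess
    "/wp-admin/admin-ajax.php": False,      # whitelisted in Step 2
    "/wp-admin/css/login.min.css": False,   # sample CSS path (assumption)
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx as-is: a redirect from /wp-admin/ to wp-login.php means
    the wp-admin/.htaccess file is not being applied."""
    def redirect_request(self, *args, **kwargs):
        return None

def http_probe(url):
    """Unauthenticated GET; returns (status, WWW-Authenticate or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")

def audit(base_url, probe=http_probe):
    """Compare each path's unauthenticated response with EXPECTATIONS."""
    findings = {}
    for path, must_challenge in EXPECTATIONS.items():
        status, header = probe(base_url.rstrip("/") + path)
        challenged = status == 401 and (header or "").lower().startswith("basic")
        if challenged == must_challenge:
            findings[path] = "ok"
        elif must_challenge:
            findings[path] = f"UNPROTECTED (HTTP {status})"
        else:
            findings[path] = "BLOCKED (whitelist not applied)"
    return findings

if __name__ == "__main__":
    # Usage: python check_wp_auth.py https://your-site.example
    for path, result in audit(sys.argv[1]).items():
        print(f"{result:35} {path}")
```

Redirects are deliberately not followed: if `/wp-admin/` answers with a 302 to the login page instead of a 401, Apache is not reading the file created in Step 2 (for example because it is misnamed or `AllowOverride` does not permit it).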