The wp-admin panel is already password protected in that you are required to log in. Sometimes that’s not good enough. This tutorial explains how to add an additional layer of authentication (HTTP Basic authentication) in front of the login process, essentially blocking wp-login.php requests from annoying bots or other malicious users.
Step 1:
Create a `/path/to/.htpasswd` file.
Step 2:
Create a `/path/to/your/site/wp-admin/.htaccess` file with the following content:
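```
# Require a valid user from the password file for everything in wp-admin
AuthUserFile /path/to/.htpasswd
AuthType basic
AuthName "Restricted Resource"
require valid-user

# Whitelists
# "Satisfy any" lets a request through if EITHER the host-based rule
# (Allow from all) OR the password check passes, so these files need no login.
# Order/Allow/Satisfy are Apache 2.2 directives; on Apache 2.4 they
# require mod_access_compat.
<Files "admin-ajax.php">
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
<Files "*.css">
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
<Files ~ "\.(jpg|jpeg|png|gif)$">
    Order deny,allow
    Allow from all
    Satisfy any
</Files>
```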
Change `/path/to/` to match the location of your files.
Important! Under Whitelists I have added entries for admin-ajax.php, *.css, and a regular expression for images. This unblocks WordPress’ AJAX functionality used by certain plugins, as well as CSS and image files certain themes may be importing. Without these you risk breaking your site.
Step 3:
Append the following to your existing WordPress `.htaccess` file one parent folder up (i.e. `/path/to/your/site/.htaccess`):
```
<Files wp-login.php>
    AuthUserFile /path/to/.htpasswd
    AuthType basic
    AuthName "Restricted Resource"
    require valid-user
</Files>
```
Change `/path/to/` to match the location of your files.
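The same three steps written with Apache 2.4's native authorization directives, as an added example that is not part of the original tutorial. It assumes Apache 2.4 with mod_authz_core and mod_auth_basic, keeps the tutorial's `/path/to/` placeholders, and uses `USERNAME` as a placeholder account name.

```apache
# --- Step 1: create the password file (run in a shell, not in .htaccess) ---
#   htpasswd -B -c /path/to/.htpasswd USERNAME
# -c creates the file, -B stores the password as a bcrypt hash.

# --- Step 2: /path/to/your/site/wp-admin/.htaccess ---
AuthType Basic
AuthName "Restricted Resource"
AuthUserFile /path/to/.htpasswd
Require valid-user

# Whitelists: with the default "AuthMerging Off", a Require inside a
# <Files> section replaces the directory-level "Require valid-user"
# for matching files, so these are served without a password prompt.
<Files "admin-ajax.php">
    Require all granted
</Files>
<FilesMatch "\.(css|jpe?g|png|gif)$">
    Require all granted
</FilesMatch>

# --- Step 3: appended to /path/to/your/site/.htaccess ---
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted Resource"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</Files>
```

Keep `.htpasswd` outside the document root, and serve the site over HTTPS, because Basic authentication sends the credentials base64-encoded rather than encrypted.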