How to protect your Wordpress Login from Bots

You are reading this article because you are getting a lot of attacks on your WordPress login page and seeing some server load.

Bots are a nuisance indeed and very hard to mitigate attacks if your web host does not provide you with any protection. The result of login attacks on your WordPress login page can lead to server load as the bots consume resources and can lead to your account running out of bandwidth or worse the host closing down your account.

So, one surefire way to protect your login page from bots is to, well remove their access entirely.

NOTE: this method will apply a single username and password to your login page, so if you are running a Wordpress site where members have to log in, then they will also be locked out.

Let's Get Started

Step 1. Create the Password File

Create an empty file named .wpadmin and place it in your home directory, where visitors can’t access it. Usually, this is ABOVE the public_html  directory in your account (Please note there is a period preceding the wpadmin in that file name.)

EXAMPLE: /home/username/.wpadmin
(where “username” is the cPanel username for the account.)

Step 2: Create the Encrypted Username and Password

You can find various online tools for this, this one is as good as any: https://www.htaccesstools.com/htpasswd-%20generator/

Add your username and preferred password and the tool will spit out some code like this. Just add that string exactly as shown to the .wpadmin file you created in step 1.

bob:{SHA}SBgazSKz7a68ikR4aKfffOYpkgo=

Step 3. Update/Create the root .htaccess file

The last step is to place the following code in the /home/username/.htaccess file. Some servers create the .htaccess file automatically so if it exists already just add the code below to it. If not then just create a new one.

a. open /home/username/.htaccess (if there is not one already just create a new one)

b. paste into the .htaccess file the following code (replace "username" in the AuthUserFile path to the username of your account on the server.

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user
</FilesMatch>

Now when you visit your WordPress login page, you will be prompted for the username and password you initially set in step 2, and bots will not be able to access the PHP and MySQL processes that load your account.

Keep Safe!



  • block bots, wordpress log in protection, htaccess tips, wordpress
  • 2 Users Found This Useful
Was this answer helpful?

Related Articles

customised wordpress wp-config file

Out of the box, the WordPress wp-config.php file is basic and ugly.Below is our standard...

Fix WordPress 404 Errors on Password Protected Directories

You are reading this article becasue you have applied password protection on the wp-admin...

Enable Fenced Off Debugging to Your IP in Wordpress

Use the code below to activate the bugging in WordPress but locked down to your IP.Put this in...

SVG Logo is not appearing in Wordpress

You are reading this article because you have managed to upload an SVG file to your Wordpress...

Import piped separated formatted data from wordpress to google sheets

You are reading this article because you have a list of posts in wordpress and you want to grab...