You are reading this article because you are getting a lot of attacks on your WordPress login page and seeing some server load.
Bots are a nuisance, and their attacks are very hard to mitigate if your web host does not provide you with any protection. Login attacks on your WordPress login page drive up server load as the bots consume resources, and can lead to your account running out of bandwidth or, worse, the host closing down your account.
So, one surefire way to protect your login page from bots is to remove their access entirely.
NOTE: this method will apply a single username and password to your login page, so if you are running a WordPress site where members have to log in, then they will also be locked out.
Let's Get Started
Step 1. Create the Password File
Create an empty file named .wpadmin and place it in your home directory, where visitors can’t access it. Usually, this is ABOVE the public_html directory in your account. (Please note there is a period preceding the wpadmin in that file name.)
EXAMPLE: /home/username/.wpadmin
(where “username” is the cPanel username for the account.)
Step 2. Create the Encrypted Username and Password
You can find various online tools for this; this one is as good as any: https://www.htaccesstools.com/htpasswd-generator/
Add your username and preferred password and the tool will spit out a string like the one below. Just add that string exactly as shown to the .wpadmin file you created in Step 1.
bob:{SHA}SBgazSKz7a68ikR4aKfffOYpkgo=
Step 3. Update/Create the root .htaccess file
The last step is to place the following code in the /home/username/.htaccess file. Some servers create the .htaccess file automatically, so if it exists already, just add the code below to it. If not, just create a new one.
a. Open /home/username/.htaccess (if there is not one already, just create a new one).
b. Paste the following code into the .htaccess file (replace "username" in the AuthUserFile path with the username of your account on the server).
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user
</FilesMatch>
Now when you visit your WordPress login page, you will be prompted for the username and password you set in Step 2, and bots will no longer reach the PHP and MySQL processes that put load on your account.
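The Python sketch below is an added example, not part of the original article: it builds the Step 2 line locally instead of typing the password into a website, checks a password against such a line, and confirms that the Step 1 file sits outside public_html. The user name alice, the sample password and the function names are constructed for illustration; note that {SHA} is an unsalted SHA-1 digest, so two users with the same password get the same string.

```python
import base64
import hashlib
import hmac
from pathlib import PurePosixPath


def sha_entry(user: str, password: str) -> str:
    """Return a 'user:{SHA}<base64 of the raw SHA-1 digest>' password-file line."""
    if not user or ":" in user:
        raise ValueError("user name must be non-empty and must not contain ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def entry_matches(line: str, password: str) -> bool:
    """Check a candidate password against one {SHA} line in constant time."""
    user, sep, stored = line.strip().partition(":")
    if not sep or not stored.startswith("{SHA}"):
        raise ValueError("not a {SHA} password-file line")
    expected = sha_entry(user, password).partition(":")[2]
    return hmac.compare_digest(stored.encode(), expected.encode())


def outside_docroot(password_file: str, docroot: str) -> bool:
    """True when the password file is not inside the web root (Step 1)."""
    pf, root = PurePosixPath(password_file), PurePosixPath(docroot)
    if not pf.is_absolute() or ".." in pf.parts:
        raise ValueError("use an absolute, normalised path")
    return pf != root and root not in pf.parents


if __name__ == "__main__":
    # Constructed sample values, not credentials from the article.
    line = sha_entry("alice", "password")
    print(line)
    print("password accepted:", entry_matches(line, "password"))
    # No salt: a second user with the same password gets the same hash part.
    print("same hash for bob:",
          sha_entry("bob", "password").split(":")[1] == line.split(":")[1])
    for path in ("/home/username/.wpadmin",
                 "/home/username/public_html/.wpadmin"):
        print(path, "outside web root:",
              outside_docroot(path, "/home/username/public_html"))
```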
Keep Safe!