• Hi

    I have a problem with securing the folder wp-admin AND the file wp-login.php. Both should be secured with the same user and password. This also works. Unfortunately, when logging out of WordPress, for example, the name and password (htaccess) are required again. I also know why, but I would like to solve the problem.

    I have in the folder wp-admin the two files .htaccess and .htpasswd, as is normal. Among other things, the name and password of the user are specified in it. If you call the website with /wp-admin, you will be asked for name and password. After correct input you get into the CMS. If you log out, you will be asked for name and password again – if you don’t do this, you stay logged in, which is useless. This is probably because in the .htaccess file I have also secured the file wp-login.php like this:

    <Files wp-login.php>
    AuthName "admin-area"
    AuthType Basic
    AuthUserFile /(…)/htdocs/.htpasswd
    require valid-user
    </Files>

    With (…) I have only abbreviated the path here in the forum.

    This protection works, but I suspect that on “logging out” exactly the file wp-login.php is called, and therefore exactly this protection kicks in.

    How do I manage that both the folder wp-admin and the file wp-login.php are equally secured for one and the same user, but this double login or logout is not necessary?
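A browser caches HTTP Basic credentials per protection space, i.e. per origin plus realm string (the AuthName), and offers them again for later challenges in the same space. The configuration below is an added example for the setup the poster describes; it is not from the original post, from WordPress or from any plugin. It uses Apache 2.4 syntax, keeps the poster’s abbreviated path /(…)/htdocs/.htpasswd as a placeholder, and assumes the root .htaccess sits next to wp-login.php. It also adds the exception for wp-admin/admin-ajax.php that a practitioner would want, since public-facing plugins call that file from the front end.

```apache
# Added example (not from the original post or from WordPress): one shared
# Basic-auth realm for wp-login.php and the wp-admin/ folder, so the browser
# can reuse the credentials it already holds instead of prompting twice.
# Apache 2.4 directives. /(…)/htdocs/.htpasswd is the poster's abbreviated
# path, kept here as a placeholder.

# --- in the root .htaccess (same directory as wp-login.php) ---
<Files "wp-login.php">
    AuthType Basic
    AuthName "admin-area"
    AuthUserFile /(…)/htdocs/.htpasswd
    Require valid-user
</Files>

# --- in wp-admin/.htaccess ---
# Identical realm string and identical user file: a different AuthName here
# is a different protection space, and the browser prompts a second time.
AuthType Basic
AuthName "admin-area"
AuthUserFile /(…)/htdocs/.htpasswd
Require valid-user

# Caveat: themes and plugins call wp-admin/admin-ajax.php from the public
# front end, so leave that single file reachable. With the default
# AuthMerging Off, this more specific <Files> section replaces the
# directory-level Require above.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Apache’s stock configuration already refuses to serve files whose names begin with .ht, but storing .htpasswd outside the document root removes the question entirely. If a second prompt still appears after both files share the same AuthName and AuthUserFile, compare the two realm strings byte for byte (including the quote characters) in the live files rather than in an editor preview.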

Viewing 14 replies - 1 through 14 (of 14 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Rather than go down this model, why not just allow WP’s userid/password system to handle logins “normally” and use a plugin to add two factor authentication? Your current model just makes things more inconvenient for your users who need to login.

    Thread Starter dajanas

    (@dajanas)

    @sterndata Which users? I am the only one who has access to my website.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    OK. What is your goal with this? 2FA adds a second layer of protection without this 2nd set of ids/passwords

    Thread Starter dajanas

    (@dajanas)

    @sterndata This is a normal protection of the login/admin area via Htaccess for protection via Htaccess. Why do you ask? This is a normal procedure. So that no unauthorized person can see the login area at all.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Normal for you, maybe. I’ve never done that, or seen the need for it. Anyhow, what happens with htpasswd stuff in .htaccess is outside of WP’s control.

    Thread Starter dajanas

    (@dajanas)

    If no one has access to the wp-login.php page, no one can try to log in via this page (brute force etc.). That is actually well known.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Obscurity is not a path to security.

    Thread Starter dajanas

    (@dajanas)

    @sterndata That sentence makes no sense. Securing the login area protects against brute force attacks because the attacker cannot even enter the login area. If someone with lock picks wants to enter your house through the locked front door, but can’t find the door anywhere, the lock picks are of no use to him. Why is it necessary to discuss something so obvious?

    Thread Starter dajanas

    (@dajanas)

    @sterndata Which free plugin for limiting login attempts and 2-factor authentication can you recommend?

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    I use WordFence.

    Thread Starter dajanas

    (@dajanas)

    Okay, Wordfence is fee-based. Not interested.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    No, it’s free. There’s paid features, but I’ve never used/needed them.

    https://www.ads-software.com/plugins/wordfence

    Hello Dajanas.

    Don’t stress yourself editing the .htaccess file, just use these plugins to get rid of those trying to access your site even if they knew your password.

    1. WPS Hide Login: to hide your login page by assigning a new permalink to your login page, like site.com/dajlogin
    2. Limit Login Attempts: to know when someone tries to access your site or uses auto-commenting software to spam your site.
    3. Cloudflare: for additional extra security and performance.

    [Signature link removed by moderator per forum guidelines.]

    • This reply was modified 1 year, 10 months ago by James Huff. Reason: signature link removed
    Thread Starter dajanas

    (@dajanas)

    @hausaedown Hello, do you mean “Limit Login Attempts Reloaded”? I have been trying this out for two days. It looks nice, but I’m wondering why it says here that there have already been 350 blocks in total – even though my admin area is protected by htaccess, so no one can get to the login form at all. And 1 attempt to log in as “admin” on 01. January 1970, although I have – as I said – protected my login area via htaccess. When I read something like this, my trust in such a plugin dwindles.

    @sterndata Do you mean Wordfence, which even in the free version requires registration on their website?! No way.

  • The topic ‘Htaccess-problem: protect wp-admin folder and wp-login.php’ is closed to new replies.