Enable double authentication (HTTP Basic auth) on WordPress

Following the numerous brute-force attacks against WordPress login pages, we recommend installing the Limit Login Attempts plugin.

However, when the attack is launched from a very large botnet, this plugin is not effective enough: each IP address only makes a handful of attempts, so the plugin cannot block them all.

This tutorial therefore adds a second, independent authentication step (HTTP Basic authentication) in front of the wp-admin directory and the wp-login.php login page; we will do this with .htaccess files. Note that this is a second password, not a second factor: the browser sends it with every request, so the site must be served over HTTPS, otherwise the credentials travel base64-encoded in clear text.


WordPress files to modify

First of all you must create a password file containing a username and a password hash. We recommend using a username and password completely different from your WordPress credentials, so that an attacker who guesses one does not get the other.

In my case I put the file outside public_html, at this location:

/home/comptecp/.htpasswds


To generate the entry you can use this site: http://www.htaccesstools.com/htpasswd-generator/. The resulting file contains one line per user in the form user:hashed-password. Be aware that an online generator sees the password you type into it; if you have shell access, generating the file locally with Apache's htpasswd tool (htpasswd -B -c /home/comptecp/.htpasswds username) keeps the password on your own machine and uses bcrypt rather than MD5.
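If you would rather not paste the password into a third-party web page, the entry can be produced and checked locally. The following is an added example, not code from the original article or from Apache: it implements the $apr1$ MD5-crypt variant that htpasswd -m and the online generator above both emit, writes an htpasswd line for a user, and verifies a user/password pair against the contents of an htpasswd file without needing a running web server. The user name "htadmin", the passphrase and the salt are constructed sample values.

```python
import hashlib
import secrets

# Alphabet used by crypt-style hashes for both the salt and the encoded digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """Encode `count` groups of 6 bits of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ hash (the MD5-crypt algorithm with the "$apr1$" magic)."""
    pw = password.encode()
    salt = salt[:8]          # Apache uses at most 8 salt characters
    sb = salt.encode()

    # Alternate digest of password + salt + password.
    alt = hashlib.md5(pw + sb + pw).digest()

    ctx = hashlib.md5(pw + MAGIC + sb)
    # Mix in the alternate digest, one byte per byte of password.
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, remaining)])
    # Quirk inherited from the original md5crypt: for each bit of len(pw),
    # feed either a NUL byte or the first byte of the password.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds with a fixed mixing schedule.
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    # Apache's byte-reordering before base64-like encoding (22 characters).
    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def make_htpasswd_line(user: str, password: str) -> str:
    """One htpasswd line with a fresh random 8-character salt."""
    if ":" in user or not user:
        raise ValueError("user name must be non-empty and must not contain ':'")
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def verify_htpasswd(htpasswd_text: str, user: str, password: str) -> bool:
    """Check a user/password pair against the text of an htpasswd file.

    Only $apr1$ entries are handled; bcrypt, SHA1 and crypt() entries return False.
    """
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name != user:
            continue
        parts = stored.split("$")          # ['', 'apr1', salt, hash]
        if len(parts) != 4 or parts[1] != "apr1":
            return False
        candidate = apr1_md5(password, parts[2])
        return secrets.compare_digest(candidate, stored)   # constant-time compare
    return False


# Constructed sample file (not from the original page): one account with a fixed
# salt so that the file content is reproducible.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_HTPASSWD = "htadmin:" + apr1_md5(SAMPLE_PASSWORD, "Ab3/xyZ1") + "\n"


if __name__ == "__main__":
    print(make_htpasswd_line("htadmin", SAMPLE_PASSWORD))
    print(verify_htpasswd(SAMPLE_HTPASSWD, "htadmin", SAMPLE_PASSWORD))
```

Redirect the printed line into /home/comptecp/.htpasswds (or append it with >> to add a user). To confirm the implementation against the real tool, compare its output for a fixed salt with `openssl passwd -apr1 -salt Ab3/xyZ1 'your password'`; the two strings must be identical.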

Once you have the file containing the login and password hash, create an .htaccess file in wp-admin (/home/comptecp/public_html/wp-admin/.htaccess).

It will contain these lines:

ErrorDocument 401 default
AuthType Basic
AuthName "Double Authentification"
AuthUserFile /home/comptecp/.htpasswds
require valid-user

Do not forget to change the AuthUserFile path to wherever you put your password file. Once this is done, wp-admin already requires the second authentication. One caveat: wp-admin/admin-ajax.php is also called by front-end plugins for anonymous visitors, so if something on the public site stops working after this change, add a <Files admin-ajax.php> exception in the same .htaccess that lets that single file through without a password.

Now let's look at protecting the wp-login.php login page, which is the page currently being targeted; we will put it behind the same double authentication.

Normally, /home/comptecp/public_html/.htaccess already contains something like this:

Options -Indexes

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Add the following block before "# BEGIN WordPress". The FilesMatch section applies the same password file to wp-login.php and to xmlrpc.php; use the same AuthUserFile path as in the wp-admin .htaccess. The file should then look like this:

Options -Indexes

ErrorDocument 401 default
<FilesMatch "^(wp-login\.php|xmlrpc\.php)$">
AuthName "Double Authentication"
AuthType Basic
AuthUserFile /home/comptecp/.htpasswds
Require valid-user
</FilesMatch>

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Two points about this block. "ErrorDocument 401 default" is not decorative: it makes Apache answer the 401 with its built-in page instead of looking for an error document, a request that the WordPress rewrite rules would otherwise pass to index.php and the browser would never get a proper authentication prompt. xmlrpc.php is protected as well because it is the other entry point for password guessing (its system.multicall method lets a single request carry many login attempts); the trade-off is that Jetpack, the WordPress mobile apps and any other XML-RPC client stop working unless they are given the Basic-auth credentials, so check what you rely on before locking it. Finally, verify the result from outside: a request for wp-login.php without credentials (for example with curl -I) must now return HTTP 401 instead of the login form, and the same goes for xmlrpc.php and wp-admin/.