If you have a security plugin installed on your ClassicPress website, it’s likely that there are settings that will prevent bots and bad actors from attempting too many failed login attempts. Generally speaking, this is a good thing, but can you do just a little bit better? Why allow them to use your server resources for even 10 login failures before blocking them?
You’re about to learn a cool trick that will get you out in front of this like a boss! However, before you get started, let me say that you should run through this tutorial on a local installation before you try it on your live website. We’ll be working with the `.htaccess` file and don’t want actual visitors to see any errors. Let’s get it!
About the .htaccess File
As you may know, on an Apache server, you can use what is called an `.htaccess` file to customize how your website works “under the hood”, or “behind the scenes”, if you prefer. A very common example would be when you’re using short URLs on your site; it is your `.htaccess` file making this happen. This file can also be used to improve your site speed and performance, redirect users to HTTPS, prevent people from hot-linking images and spending your bandwidth – and many, many other things.
As previously mentioned, the `.htaccess` file is used on Apache servers (and a few others), so your site will need to be running on Apache or one of the other supported servers. The good news is that it’s highly likely you’re on Apache. If you’re not sure, you can install the Site Info plugin and then go to `Tools > Site Info` to find out.
Benefits of Using .htaccess to Improve Security
Using `.htaccess` to improve security is a quick and solid fix. Granted, you may have to take your time getting through this article and getting the hang of it, but it’s well worth the effort. This technique is completely free and it provides an excellent extra layer of security to your site.
Best of all, this technique is highly performant. In fact, because the `.htaccess` file is processed at the server level, it can be used to block access to your login page long before your security plugin even knows someone is at the door. We’re going straight to the root of it… we’re nipping it right in the bud… we’re going for nothing less than the kill, baby! Muahahahaaaa! Wait. What? Oh, right…
The Absolute Path to your ClassicPress Site
You’ll need to know the absolute path to your ClassicPress installation, which will be something like `/home/users/username/public_html/`, or similar. The Site Info plugin will show you the value, if you’re unsure. Once you know your absolute path, it’s time to get the files ready.
The .htaccess and .htpasswd Files
It’s likely that you will already have the `.htaccess` file in the root of your ClassicPress installation. If so, download it to your local computer. If not, create a new one on your local computer now. Then, also create the `.htpasswd` file on your local computer.
Tip: If you have trouble saving these files on a Windows computer (because Windows thinks the filename is missing), you can create the files as, say, `my.htaccess` and `my.htpasswd`. Then, you can rename them after they’ve been uploaded to your server.
The Password Encoder
For encoding, I like to use the application at AskApache.com; it’s quick and easy. You can use any encoder you prefer, but the steps outlined below will show screenshots of that particular application.
Step 1. Fill out the form.
Navigate to the online encoder application. On the site, you’ll find a form like the following. I’ve highlighted in yellow the parts that you’ll need to fill out. Note that the username should be left blank and the password should not be your ClassicPress password. Security and privacy first! I repeat: leave the username blank, and do not use your ClassicPress password here. You want these credentials to be unique. In fact, think of this password as a burner, meaning, use it for this one purpose only and never use it anywhere else.
Now, be sure to set the Encryption Algorithm to `md5` and set the Authentication Scheme to `Basic`, and then click the button to finish the process.
Step 2. Copy the values into your local files.
On the next screen, you’ll find the value that will be placed in your `.htpasswd` file. There will be other values shown on the page, but you can ignore them.
Step 3. Edit and upload the .htpasswd file.
For the `.htpasswd` file, you’ll copy the long string right into the first line of the file. Take note that the string begins with a `:` character. This colon is the separator between the username and the password. We opted to not include the username when generating the credentials, so you’ll have to add a login username before the colon. It might look something like this when you’re done:
Once you have your username prepended to the string, you can save the file. It’s a good idea to upload this file before the `.htaccess` file, so let’s do that now.
This file should be uploaded to a non-publicly-accessible directory on your server. Usually, this means uploading the file to one level above your public directory. For example, if your public directory is `/home/users/myuser/public_html/`, then your `.htpasswd` file would be uploaded to `/home/users/myuser/`. And, finally, if your file is named `my.htpasswd`, be sure to rename it to `.htpasswd` after uploading.
Step 4. Edit and upload the .htaccess file.
For the `.htaccess` file, see the code block below – I’ve already made most of the edits for you! You’ll just have to change one single line, marked with a comment in the code. After you get all these lines copied into the `.htaccess` file (don’t forget to edit the one line), you can upload the file to the root of your ClassicPress site (where your `wp-config.php` file lives). And, remember: if your file is named `my.htaccess`, be sure to rename it to `.htaccess` after uploading.
Note: if you already had an existing `.htaccess` file, it will likely have some other lines in it. No worries. You can safely paste in these new lines at the very top of the file, above the rest.
```apache
# If your page isn't redirecting properly, uncomment the following 2 lines.
#ErrorDocument 401 "Denied"
#ErrorDocument 403 "Denied"

### BEGIN BASIC BLOCK
<Files wp-login.php>
AuthType Basic
AuthName "Authentication Required"
# Change this one line: the absolute path to YOUR .htpasswd file (outside public_html).
AuthUserFile "/home/users/myuser/.htpasswd"
require valid-user
</Files>
### END BASIC BLOCK
```
Step 5. Check your work.
Ok, everything is uploaded…this is the moment of truth! Take a deep breath and refresh your home page. Is it showing as expected? If so, great! Now, head over to your login page and you will be prompted for your newly added username and password. Note that it is the server prompting you for the credentials; it’s not PHP, or your security plugin, or ClassicPress – at this point, none of those things have even run yet!
Now, when a bot tries your login page, they’ll be stuck at the password prompt. Sure, they can try to brute-force the dialog, but, it’s not going to consume any substantial resources in the process. And, even if a bot did somehow manage to guess your username and password, it would still only get as far as the actual ClassicPress login screen which, I might add, uses a completely different username/password combination. If a bot got that far, your security plugin would come into play and block it after a handful of attempts.
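To make Steps 3 and 5 concrete, here is an added example (not from the original post) that mirrors what the server does at that prompt, long before PHP runs: it decodes the `Authorization: Basic` header the browser sends, finds the user’s `username:hash` line in `.htpasswd`, and recomputes the `$apr1$` MD5 hash (the `md5` option chosen in the encoder) with the stored salt. The username `gatekeeper`, the burner password and the salt are constructed sample values.

```python
import base64, hashlib, hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ flavour of md5-crypt, the 'md5' option the encoder offers."""
    pw, s = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for k in range(len(pw), 0, -16):          # mix in len(pw) bytes of the alt hash
        ctx.update(alt[:min(16, k)])
    n = len(pw)
    while n:                                   # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for r in range(1000):                      # 1000 stretching rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    out = ""                                   # 24-bit groups in md5-crypt's byte order
    for i, j, k in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[i] << 16) | (final[j] << 8) | final[k]
        out += "".join(ITOA64[(v >> (6 * b)) & 0x3F] for b in range(4))
    out += "".join(ITOA64[(final[11] >> (6 * b)) & 0x3F] for b in range(2))
    return "$apr1$" + salt[:8] + "$" + out


def check_login(htpasswd_text: str, auth_header: str) -> bool:
    """What the server does at the prompt, before PHP runs: decode, look up, recompute."""
    scheme, _, blob = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, pw = base64.b64decode(blob, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("$apr1$"):
            return hmac.compare_digest(apr1_md5(pw, stored.split("$")[2]), stored)
    return False


# Constructed sample data: one .htpasswd line (username prepended to the encoder's
# ":$apr1$..." string) and the header a browser sends after you fill in the dialog.
HTPASSWD = "gatekeeper:" + apr1_md5("burner-pass-only-here", "aBcDeFgH")
GOOD_HEADER = "Basic " + base64.b64encode(b"gatekeeper:burner-pass-only-here").decode()
BAD_HEADER = "Basic " + base64.b64encode(b"gatekeeper:wrong-guess").decode()
```

A failed guess costs the server one MD5 computation and a 401 response; none of the ClassicPress code is loaded for it.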
Step 6. Verify your privacy.
Usually, your server will be pre-configured to prevent web access to files that begin with a dot. However, take a moment to verify this by following these final sub-steps:
- Disable your permalinks at `Dashboard > Settings > Permalinks`
- Try to open your `.htaccess` file directly in your browser. Do you see Error 403 Access Forbidden?
- YES: Great, you can now re-enable your permalinks. You’re done!
- NO: Add the following 4 lines to your `.htaccess` file, just underneath the other lines you added, and then refresh your browser to see the expected Error 403 when trying to directly access the file.
```apache
<Files .htaccess>
order allow,deny
deny from all
</Files>
```
Troubleshooting – Server 500 Errors
The `.htaccess` file is picky. If there is a problem with the file, your site will show the dreaded Server 500 Error, and seem to be gone forever. Don’t panic. If this happens, it will likely be one of three things:
- the path you added to the `.htaccess` file isn’t pointing to the `.htpasswd` file, or
- the `.htaccess` file has a typo in it, or
- you named it `.htpassword` instead of `.htpasswd`
If you get the Server 500 Error, you can remove the new lines from your `.htaccess` file and re-upload it. This will correct the error and your site will display normally. From there, you should retrace back through these steps to discover where you went astray and give it another go. If there’s something that’s not clear, I’m happy to answer your questions or update the tutorial to make it easier to understand.
Final Points for Consideration
- Try this on a local ClassicPress installation before trying it on your live website.
- The `.htpasswd` file should always be stored in a non-publicly-accessible directory.
- This is not a replacement for a security plugin; it is an additional layer of security.
- Be sure to use a unique and strong password; use your browser to auto-fill it.
A security plugin can be a great help in preventing brute-force attacks against your ClassicPress login page, but with the technique shown here, your security plugin will probably never even use those functions again. It won’t get a chance to! Blocking access to your login page at the server level means bots won’t needlessly be using up your resources until they’re blocked. Again. And again. And again. With this technique, you will probably never have to think about a brute-force attack on your login ever again. And, your server resources will be available for those who deserve them: your legitimate site visitors.
What do you think?
Did you make it all the way down here!? If so, did you find this tutorial easy to get through, or did you have trouble? Or, are you now basking in a boatload of glory after slaying this foul beast? I’d love to hear your thoughts – let me know in the comments!