WordPress: Prevent access to wp-login.php when the wp-admin directory has already been protected

The problem: You’ve used .htaccess / .htpasswd to restrict access to the wp-admin directory of your WordPress installation. However, when someone accesses wp-login.php, they can simply click “cancel” or press the escape key in the authentication dialog to reach the WordPress login page:

Click on “Cancel” here…
…and you still reach the WordPress login page (doesn’t look great, but works).

The solution

You also have to explicitly protect the wp-login.php file. Open the .htaccess file in the root directory (not in the wp-admin directory) and add something like this1:

AuthType Basic
AuthUserFile "path/to/.htpasswd"
require valid-user

You’ll have to replace path/to/.htpasswd with the path to your .htpasswd file (which should exist if you’ve already restricted access to your wp-admin directory).

Now, if someone cancels the authentication dialog, they’ll be directed to the default “Error 401” page:

Detailed information on authentication on Apache servers can be found in the official documentation. While there are lots of terrible articles out there which only regurgitate incomplete information for SEO purposes, I did find a comprehensive tutorial on how to protect wp-login.php and the wp-admin directory here.

Note: You may still want to install a WordPress security plugin like Cerber. This is how I discovered that I had forgotten to protect wp-login.php on one of my websites.

1 Wondering why I didn’t include the AuthName directive? The text is not shown in Chromium-based browsers.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.