Though wp-admin is already secured through login/password authentication, this post will examine to add an additional layer of security.
For the purpose of second layer security htpasswds file will be used.
Create htpasswds file
Use htpasswd command in Linux or OSX to create a htpasswd file. The command to execute is as below
$ htpasswd -c .htpasswd mydemouser New password: Re-type new password: Adding password for user mydemouser
A file .htpasswd is created in the local directory
$ cat .htpasswd mydemouser:$apr1$60sgQzdr$C.APpTFtRyjJfpcwQsJB/.
Changes on server hosting WordPress site
1. Copy the .htpasswd file to a directory that’s outside the wp-admin directory
Suggested Directory: /home10/mydemouser/.htpasswds/public_html/wp-admin/passwd/
Change the directory as per your site deployment.
2. Create a .htaccess file in ~/public_html/wp-admin directory and include following
3. Access wp-admin page and confirm an authentication popup window appear. If the page fails with too many redirects error then proceed with the next step.
Stop too many redirects error
4. Edit the .htaccess under ~/public_html and add the following line before WordPress rules start
ErrorDocument 401 default
That’s it – double layer authentication should now be active.
How to fix Admin Ajax issue
If the wp-admin is password protected then it will break the ajax functionality in the front-end ( if it is been used). To fix this issue follow the steps below
1. Edit the .htaccess file in ~/public_html/wp_admin folder and add the following code on the file.
Allow from all