How to Password Protect Your WordPress Admin (wp-admin) in RunCloud

How to enable HTTP Basic authentication in front of wp-admin


WordPress is a commonly used CMS because it is free, open-source, easily customizable, and user-friendly. That popularity also makes it a constant target, so it is essential to protect your WordPress website from unwanted intruders and bots. In this tutorial, we will demonstrate how to use HTTP Basic authentication to secure the WordPress admin dashboard on Nginx, Apache, LiteSpeed, and other web servers that support .htaccess.

As a website owner, you need to protect your site from unauthorized access. One cheap and effective way to do this is to put HTTP Basic authentication in front of the WordPress admin area (wp-admin and wp-login.php), so the web server asks for a username and password before WordPress ever sees the request.

This setup is often described as two-factor authentication, but strictly it is a second password: both layers are something the user knows, not something they have. It still does what most site owners want from it. Bots and credential-stuffing tools that hammer wp-login.php get a 401 from the web server and never reach WordPress, and a leaked WordPress password alone is no longer enough to log in. If you need a true second factor (a code from a phone app or a hardware key), add a WordPress 2FA plugin as well; the two measures complement each other.


Introduction

In this post, we will discuss what this extra layer protects against, how to set it up on Nginx and on Apache or LiteSpeed, and a few checks to run afterwards. We hope you find this information helpful, and if you have any questions, feel free to reach out to us in the comments section.

Step 1 : Creating '.htpasswd' file

To begin, SSH into the server and create the .htpasswd file, which stores the usernames and password hashes that the web server will check.

Once inside the server, decide where the file should live. For this example I'll put it in the web application root (/home/runcloud/webapps/test/.htpasswd), but you can put it anywhere the web server process can read. A directory outside the document root is safer, because a file inside it is only protected if the server refuses to serve dotfiles; Step 3 includes a check for that.

To create the file, run the command below (htpasswd comes from the apache2-utils package on Debian and Ubuntu, and from httpd-tools on RHEL-family systems):

```bash
htpasswd -c /home/runcloud/webapps/test/.htpasswd testuser
```

This saves the file as /home/runcloud/webapps/test/.htpasswd with the username 'testuser' and prompts twice for the password. Two flags are worth knowing: -c creates the file and overwrites it if it already exists, so omit it when adding further users; and without -B, htpasswd stores an MD5-based (apr1) hash, so prefer `htpasswd -B -C 12` to get bcrypt with a sensible cost (the -B default cost is only 5). Restrict the file's permissions so that only you and the web server user can read it.

Now that we have the file for checking username and password, we must tell Nginx or .htaccess to use it for authentication.
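To see what the file actually contains (for example after running htpasswd without -B), here is an added audit script; it is not part of the RunCloud tutorial. It classifies the hash scheme of every entry and flags weak, duplicate or malformed lines. The SAMPLE_HTPASSWD content is constructed for the demonstration and contains no real credentials.

```python
"""Audit an htpasswd file: report the hash scheme of every entry.

Added example for this tutorial (not RunCloud's code). Use it to confirm
that the file created in Step 1 holds bcrypt hashes rather than the MD5
(apr1) hashes htpasswd writes by default. SAMPLE_HTPASSWD is constructed
for the demonstration; no line in it is a real credential.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple

# Hash formats that Apache's htpasswd can produce.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")          # -B
APR1_RE = re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")   # -m (default)
SHA1_RE = re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")                       # -s
CRYPT_RE = re.compile(r"^[./A-Za-z0-9]{13}$")                              # -d

# Constructed sample file: one entry per scheme plus two broken lines.
SAMPLE_HTPASSWD = """\
alice:$2y$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
bob:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
carol:$apr1$saltsalt$abcdefghijklmnopqrstuv
dave:{SHA}ABCDEFGHIJKLMNOPQRSTUVWXYZa=
erin:ab/cdEFG12.45
frank:password123
alice:$apr1$saltsalt$abcdefghijklmnopqrstuv
this line has no separator
"""


@dataclass
class Finding:
    user: str
    scheme: str
    ok: bool
    note: str


def classify(hashed: str) -> Tuple[str, bool, str]:
    """Return (scheme, acceptable, advice) for one password field."""
    m = BCRYPT_RE.match(hashed)
    if m:
        cost = int(m.group(1))
        if cost < 10:
            return "bcrypt", False, f"bcrypt cost {cost} is low (htpasswd -B defaults to 5); use -C 12"
        return "bcrypt", True, f"bcrypt cost {cost}"
    if APR1_RE.match(hashed):
        return "apr1-md5", False, "MD5-based apr1 (htpasswd default); regenerate with -B -C 12"
    if SHA1_RE.match(hashed):
        return "sha1", False, "unsalted SHA-1 (htpasswd -s); regenerate with -B -C 12"
    if CRYPT_RE.match(hashed):
        return "crypt-des", False, "DES crypt (htpasswd -d) uses only the first 8 password characters; regenerate with -B -C 12"
    return "unknown", False, "not a recognised hash; a bare plaintext password will not authenticate on Linux"


def audit(text: str) -> List[Finding]:
    """Parse user:hash lines and return one Finding per entry or problem."""
    findings: List[Finding] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append(Finding(f"line {lineno}", "malformed", False, "no ':' between user and hash"))
            continue
        user, hashed = line.split(":", 1)
        if user in seen:
            findings.append(Finding(user, "duplicate", False, "user appears more than once; remove the stale entry"))
            continue
        seen.add(user)
        if not hashed:
            findings.append(Finding(user, "empty", False, "empty password field"))
            continue
        scheme, ok, note = classify(hashed)
        findings.append(Finding(user, scheme, ok, note))
    return findings


if __name__ == "__main__":
    # Pass a real file path, or run without arguments to audit the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTPASSWD
    for f in audit(text):
        print(f"{'OK  ' if f.ok else 'WEAK'} {f.user:<10} {f.scheme:<10} {f.note}")
```

Run it against the real file with `python audit_htpasswd.py /home/runcloud/webapps/test/.htpasswd` (script name assumed). Anything reported as WEAK should be regenerated with `htpasswd -B -C 12`; Nginx verifies bcrypt entries through the system crypt() library, so confirm in Step 3 that a bcrypt user can actually log in on your server.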

Step 2 : Creating configuration

Depending on your server type, you need to add the configuration in a different place. The steps for Nginx and for Apache (and OpenLiteSpeed) differ, so follow the instructions for your server.


  • For Nginx servers

RunCloud provides an interface for adding custom Nginx configurations, so all you need to do is add the following configuration under the 'location.main-before' type.

It is accessible via RunCloud Account >> Your server >> Web application >> Nginx Config.

Replace the .htpasswd path and the web application name 'test' with your own details. The `fastcgi_pass` socket must be the one RunCloud already uses for this web application (copy it from the generated config). The nested `location ~ \.php` block is required because the outer regex location captures wp-login.php and everything under wp-admin; without a PHP handler inside it, Nginx would never hand those .php files to PHP-FPM.

```nginx
location ~ ^/(wp-admin|wp-login\.php) {
    auth_basic "Restricted";
    auth_basic_user_file /home/runcloud/webapps/test/.htpasswd;

    location ~ \.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_pass unix:/var/run/app-renner.sock;
    }
}
```

Two caveats: the .htpasswd file must be readable by the Nginx worker process, and the regex also matches /wp-admin/admin-ajax.php, which themes and plugins call from the public front end on behalf of anonymous visitors. If a contact form or cart stops working after this change, that is why.

  •  For Apache or LiteSpeed servers

Create a new file named .htaccess in the wp-admin folder using your preferred text editor (you can do it via the RunCloud file manager itself); in my case the path is /home/runcloud/webapps/test/wp-admin/.htaccess.

Paste the following into the .htaccess file:

```apache
AuthType Basic
AuthName "Protected directory"
AuthUserFile /home/runcloud/webapps/test/.htpasswd
Require valid-user
```

You can replace "Protected directory" with your own prompt text, and you must update the path of your .htpasswd file. Note that a .htaccess inside wp-admin only covers that directory: wp-login.php lives in the document root and stays open unless you also add the same four directives to the root .htaccess, wrapped in `<Files "wp-login.php">` and `</Files>`. As with Nginx, /wp-admin/admin-ajax.php is covered too, so front-end features that call it for anonymous visitors will start prompting for credentials.


Step 3: Verification

First, load your home page and confirm it still works, just to ensure that you have a normal life for the remainder of the week 😁

Then open /wp-login.php: the browser should show a username and password prompt before WordPress's own login form appears, and after entering the htpasswd credentials the normal login page should load. Also open /wp-admin/ and a few other admin pages to confirm they are reachable with the credentials, and request /.htpasswd directly if you stored the file in the web root: it must not be served. Do this over HTTPS; Basic Auth only base64-encodes the credentials, so on plain HTTP they travel in the clear.
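The following script automates those checks; it is an added example for this tutorial and not RunCloud's code. It requests each URL with and without credentials and reports anything that deviates from the expected statuses (a 200 on wp-login.php without credentials, for instance, is the Apache gap described in Step 2). The site URL, username and password are assumed to be passed on the command line; SAMPLE_RESULTS is a constructed status set used when no URL is given.

```python
"""Check the HTTP Basic Auth layer in front of wp-admin after Step 2.

Added example for this tutorial, not RunCloud's code. It requests the
pages a practitioner should verify (home page, wp-login.php with and
without credentials, wp-admin, admin-ajax.php and the .htpasswd file
itself) and reports anything that does not match the expected outcome.
Usage (script name assumed):
    python check_wp_admin_auth.py https://example.com testuser 'secret'
SAMPLE_RESULTS is a constructed status set used when no URL is given.
"""
import base64
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple


def probe(url: str, auth: Optional[Tuple[str, str]] = None, timeout: int = 10) -> int:
    """GET url and return the HTTP status code, including error statuses."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-admin-auth-check"})
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def collect(base: str, auth: Tuple[str, str]) -> Dict[str, object]:
    """Probe every URL the tutorial's configuration should affect."""
    base = base.rstrip("/")
    return {
        "scheme": "https" if base.startswith("https://") else "http",
        "home": probe(base + "/"),
        "login_anon": probe(base + "/wp-login.php"),
        "login_auth": probe(base + "/wp-login.php", auth),
        "admin_anon": probe(base + "/wp-admin/"),
        "htpasswd": probe(base + "/.htpasswd"),
        "ajax_anon": probe(base + "/wp-admin/admin-ajax.php"),
    }


def evaluate(r: Dict[str, object]) -> List[Tuple[str, str]]:
    """Turn collected statuses into (level, message) findings."""
    out: List[Tuple[str, str]] = []
    if r["home"] != 200:
        out.append(("FAIL", f"home page returned {r['home']}; the config broke the site"))
    if r["login_anon"] != 401:
        out.append(("FAIL", f"wp-login.php returned {r['login_anon']} without credentials, expected 401 "
                            "(on Apache a .htaccess inside wp-admin does not cover wp-login.php)"))
    if r["login_auth"] != 200:
        out.append(("FAIL", f"wp-login.php returned {r['login_auth']} with credentials, expected 200; "
                            "check the .htpasswd path and that the hash type is supported"))
    if r["admin_anon"] != 401:
        out.append(("FAIL", f"/wp-admin/ returned {r['admin_anon']} without credentials, expected 401"))
    if r["htpasswd"] == 200:
        out.append(("FAIL", "/.htpasswd is served to anyone; move it outside the document root or deny access to it"))
    if r["ajax_anon"] == 401:
        out.append(("INFO", "admin-ajax.php now requires credentials; front-end features that call it for anonymous visitors will break"))
    if r["scheme"] != "https":
        out.append(("WARN", "site probed over plain HTTP; Basic Auth credentials are only base64-encoded, use HTTPS"))
    return out


# Constructed result set: what a correct Nginx setup from Step 2 looks like.
SAMPLE_RESULTS: Dict[str, object] = {
    "scheme": "https", "home": 200, "login_anon": 401, "login_auth": 200,
    "admin_anon": 401, "htpasswd": 404, "ajax_anon": 401,
}

if __name__ == "__main__":
    results = collect(sys.argv[1], (sys.argv[2], sys.argv[3])) if len(sys.argv) == 4 else SAMPLE_RESULTS
    findings = evaluate(results)
    for level, msg in findings:
        print(f"{level}: {msg}")
    failed = any(level == "FAIL" for level, _ in findings)
    print("problems found" if failed else "all checks passed")
    sys.exit(1 if failed else 0)
```

A clean run prints only the INFO line about admin-ajax.php; any FAIL means the layer is not doing what Step 2 intended and should be fixed before you rely on it.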

Conclusion

In conclusion, putting HTTP Basic authentication in front of the wp-admin area of your WordPress website is a cheap and effective step in protecting your site and your users' data. It adds a second password check at the web server, so automated login attacks never reach WordPress and a leaked WordPress password alone is not enough to get in. It is not a substitute for a true second factor, but it combines well with one. While it may seem like an extra hassle for you and your users, the added protection is worth the extra step. So if you haven't already, be sure to enable it for your wp-admin area, and run the checks in Step 3 to confirm it actually holds.

