If your local government website is powered by WordPress then many people already know how to get to your login page. Knowing this information can be the first step to having your city’s website hacked. Following this tutorial to secure your website’s login page can make it harder for hackers to break in.
Our Login Tests
We looked at a handful of surrounding towns in Illinois that are using WordPress to run their municipality and from those selected we were able to get to every login page. If we knew more about unethical hacking then we could be inclined to try and hack our way into each town’s website. Since we don’t and we’re ethical we didn’t try — not to mention it is somewhat illegal.
How to Secure Your Login Page
By adding a few lines of code to the .htaccess file and one password file to your server, we can put an additional login in front of the standard WordPress login page, so brute-force attempts are stopped before they ever reach WordPress.
- Ensure that you can see hidden files on your server
- Create a file called .wpadminlogin and place it at /home/<user>/.wpadminlogin
- Visit http://www.htaccesstools.com/htpasswd-generator/
- Enter a username and password for your .htaccess login
- Click the create .htpasswd file button and copy the code that was generated
- Open .wpadminlogin, paste the code and save the file
- Create or open your .htaccess file and enter the following code
# Plain responses for a failed or refused login
ErrorDocument 401 "Login Unavailable"
ErrorDocument 403 "Forbidden"
# Require the extra username/password before wp-login.php is served
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
# Same path as step 2: keep the password file outside public_html so it is never served by the web server
AuthUserFile /home/<user>/.wpadminlogin
# Basic Auth sends the credentials with every request, so serve wp-login.php over HTTPS only
Require valid-user
</FilesMatch>
- Save and test by trying to visit the login page.
You should now be prompted to enter the username and password you created in step 4. If you are not seeing the additional login try clearing your cache or try another browser.
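Step 3 sends your chosen password to a third-party website; as an added example (not code from the original post), the following Python produces the same `$apr1$` line that Apache's `htpasswd -m` writes, entirely offline, and verifies a line from .wpadminlogin against a username and password. The user name and password values in it are constructed for illustration.

```python
import hashlib
import secrets

# Apache's "$apr1$" scheme is md5-crypt with a different magic string.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value, count):
    # Apache's custom base-64: least-significant 6 bits first.
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password, salt=None):
    """Return a '$apr1$<salt>$<hash>' string as htpasswd -m would."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for length in range(len(pw), 0, -16):  # mix in alt, 16 bytes per block of pw
        ctx.update(alt[:min(length, 16)])
    length = len(pw)
    while length:  # one byte per bit of len(pw): NUL for set bits, pw[0] otherwise
        ctx.update(b"\0" if length & 1 else pw[:1])
        length >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 stretching rounds; input order depends on i
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    enc += _to64(f[11], 2)
    return "$apr1$" + sl.decode() + "$" + enc


def htpasswd_line(user, password):
    """One line for .wpadminlogin, e.g. htpasswd_line('cityadmin', 'constructed-pass')."""
    return "%s:%s" % (user, apr1_hash(password))


def verify_line(line, user, password):
    """Check a .wpadminlogin line against a user/password, comparing in constant time."""
    name, _, stored = line.partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return secrets.compare_digest(stored, apr1_hash(password, salt))
```

On a server with Apache's tools installed, `htpasswd -nB cityadmin` prints a bcrypt line instead, which Apache 2.4 also accepts in the same file.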