Password-Protected WordPress Login

Please Note:

The text on this page was translated by translation software. A revised version from our editors will be available soon.

For Web Hosting Linux packages, Managed Dedicated Server and 1&1 IONOS root servers.

You can improve the security of your website by setting up an additional password protection for the administration area (dashboard) of your WordPress blog. Then two different logins are required to call the dashboard. This makes it more difficult for third parties to gain unauthorized access to your dashboard, for example by means of a brute force attack.

To enable password protection, create an.htaccess file and an.htpasswd file and upload them to the /wp-admin directory of your Wordpress installation. That's the way:

Create htaccess file

An.htaccess file is a configuration file that you can use to make directory-specific settings on a compatible web server (for example, the Apache web server used in 1&1 IONOS hosting).

Step 1

Create a new file locally on your PC using a text editor and save it under the name .htaccess

Please note: The file name must be written exactly as above (the dot at the beginning is important). Otherwise the password protection does not work!

Step 2

Copy the following lines of code into your.htaccess file:

AuthType Basic
AuthName "Passwortgeschützter Bereich"
AuthUserFile /homepages/xx/xxxxxxxxx/htdocs/[Ordner]/wp-admin/.htpasswd
require user [Username]
Step 3

Customize the copied code to your WordPress installation:

  • The character string /homepages/xx/xxxxxxxxxxx/htdocs/ is an example of the document root, i.e. the absolute path to your Internet presence (i.e. the top directory level). You can download this in your 1&1 IONOS to find out.
  • Replace[Folder] with the directory path where your WordPress installation is located. For example, if you have installed your WordPress blog in a "wordpress" directory of the same name, replace"[Folder]" with wordpress. Pay attention to upper and lower case.
  • Replace the text[Username] with any username, for example webmaster, mustermann. You can also specify multiple names separated by spaces to allow multiple people access.
  • You can replace the password-protected area text with any text, for example, Only for insiders or similar.

The finished.htaccess file could look like this, for example:

AuthType Basic
AuthName "Passwortgeschützter Bereich"
AuthUserFile /homepages/45/d12345678/htdocs/wordpress/wp-admin/.htpasswd
require user webmaster mustermann

Create htpasswd file

Step 1

Create a new file named.htpasswd on your PC (don't forget the dot).

Step 2

Enter the user name(s) and password in the following form:

[Username]:[EncryptedPassword]

 

Hint: If you set up several users, each user name must begin in a new line.

 

In the following example, the.passwd contains the coded passwords for the webmaster and mustermann users:

webmaster:$1$FLO9omPh$Toese7ZrlHgsbdYy/JvzA1
mustermann:$1$WSEgdzA/$qL9.vM4HivWYsp7E9DHbm/

Upload.htaccess and.htpasswd to /wp-admin

To enable password protection, upload the files you just created to the /wp-admin directory under your WordPress directory on the web space. The password protection is then immediately active.

Please note: If you already use your own.htaccess for the directory /wp-admin for other reasons, then these would be overwritten in the further course of this manual. However, you can simply download your previous.htaccess, add the new lines there, adjust them and then upload the file again.

Hint: If you want to disable password protection, simply delete both files from your web space.

problem resolution

If the password protection does not work, please check the following points:

  • Is the file path to the".htpasswd" file specified in the".htaccess" file correct?
  • Are the username(s) in the".htaccess" and".htpasswd files really the same (case sensitive)?
  • Did you also enter the password in encrypted form (crypt) in the file.htpasswd?
  • Did you upload the files to the correct directory (/wp-admin)?
  • enter the password in the encrypted form in the.htpassd file?