Over the last few years, our websites have been subject to regular attacks. One of the most common attacks was sending bots to repeatedly attempt to log in to our admin area. Some of the attacks were severe enough to slow or crash our website.
We've stopped those attacks from happening by creating an additional layer of security for our admin areas.
The way to keep hackers out of your admin area is to create an additional username and password via a file called .htpasswd. That extra password screen prevents the bots from reaching our admin login and has eliminated problems with repeated login attempts.
This tutorial will show you how to do that in three easy steps. Let's get started.
1) Navigate to Your Admin Area
Use your host's file manager or FTP to access the admin folder of your website. For example:
- Joomla's folder is /administrator
- WordPress' folder is /wp-admin
2) Create .htpasswd
In your admin folder, create a .htpasswd file with the following contents:
Replace the above username and password with any that you'd like.
3) Create .htaccess
Create a .htaccess file and add the following code to it:
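    # Password file that holds the extra username and password
    AuthUserFile "/home/username/public_html/administrator/.htpasswd"
    # Text shown in the browser's login prompt
    AuthName "Restricted Area"
    AuthType Basic
    # Any user listed in the password file may log in
    require valid-user
    # Answer direct requests for the password file with 403 Forbidden
    RewriteEngine On
    RewriteRule \.htpasswd$ - [F,L]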
In the above code, switch /home/username/public_html/administrator to your host's full path to your admin folder.
4) Additional Step for Drupal
If you're using Drupal, you'll need to do an additional step:
- Install the Global Redirect module to force all URLs to the clean SEF URLs, so that your password protection can't be bypassed.
That's it. Now check your admin area and you should be prompted for the additional username and password.
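An added example, not part of the original tutorial: a Python check that reads the .htaccess from step 3 and the password file it names, then reports missing directives, a wrong AuthUserFile path, entries stored with a weak scheme, and a missing rule for the password file. The function names, the scheme labels and the placeholder users in demo() are assumptions made for this example.

```python
import shlex
import tempfile
from pathlib import Path

# Hash prefixes that can appear in an Apache password file (labels are this example's own).
# A field with none of these prefixes is a DES crypt() hash or a plaintext password.
PREFIXES = ((("$2y$", "$2a$", "$2b$"), "bcrypt"), (("$apr1$",), "apr1-md5"),
            (("$5$", "$6$"), "sha-crypt"), (("{SHA}",), "sha1-unsalted"))

def hash_scheme(value):
    """Name the scheme of one .htpasswd hash field from its prefix."""
    return next((n for p, n in PREFIXES if value.startswith(p)), "crypt-or-plaintext")

def audit_admin_dir(admin_dir):
    """Return a list of problems in admin_dir/.htaccess and the password file it names."""
    problems, directives = [], {}
    for line in (Path(admin_dir) / ".htaccess").read_text().splitlines():
        parts = shlex.split(line, comments=True)  # drops '#' comments, strips quotes
        if parts:  # Apache directive names are case-insensitive
            directives.setdefault(parts[0].lower(), []).append(parts[1:])
    def args(name):  # arguments of the first occurrence of a directive
        return directives.get(name, [[]])[0]
    if [a.lower() for a in args("authtype")] != ["basic"]:
        problems.append("AuthType Basic is missing")
    if [a.lower() for a in args("require")] != ["valid-user"]:
        problems.append("require valid-user is missing")
    pw_path = Path(args("authuserfile")[0]) if args("authuserfile") else None
    if pw_path is None or not pw_path.is_absolute() or not pw_path.is_file():
        return problems + ["AuthUserFile must be a full path to an existing file"]
    for entry in filter(None, pw_path.read_text().splitlines()):
        user, _, hashed = entry.partition(":")
        if not user or not hashed:
            problems.append("malformed .htpasswd line (expected username:hash)")
        elif hash_scheme(hashed) in ("sha1-unsalted", "crypt-or-plaintext"):
            problems.append(f"user {user!r} uses weak scheme {hash_scheme(hashed)}")
    blocked = any("htpasswd" in r[0] and "F" in r[-1].strip("[]").split(",")
                  for r in directives.get("rewriterule", []) if len(r) >= 3)
    if Path(admin_dir) in pw_path.parents and not blocked:
        problems.append(".htpasswd is inside the web folder and no rule forbids requests for it")
    return problems

def demo():
    """Audit a constructed admin folder: the page's .htaccess plus two placeholder users."""
    with tempfile.TemporaryDirectory() as d:
        pw = Path(d) / ".htpasswd"
        pw.write_text("alice:$2y$10$" + "x" * 53 + "\nbob:{SHA}" + "A" * 27 + "=\n")
        (Path(d) / ".htaccess").write_text(
            f'AuthUserFile "{pw}"\nAuthName "Restricted Area"\nAuthType Basic\n'
            "require valid-user\nRewriteEngine On\nRewriteRule \\.htpasswd$ - [F,L]\n")
        return audit_admin_dir(d)
```

Call audit_admin_dir() with the full path to your admin folder; an empty list means none of these checks flagged anything.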