WP Function that protects your wp-login.php with PHP Auth [UPDATED]

A simple WP function that password-protects the wp-login.php file on WordPress setups.
Protect Your WordPress Login Page

The function below adds a simple layer of security to your WordPress websites. When anyone visits wp-login.php, the browser pops up an HTTP Basic authentication window prompting the visitor for a username and password before WordPress renders the login form.

This is a simple protection solution for any WordPress site with registration turned off (anyone who needs wp-login.php to register would also need the Basic auth password) and for sites managed by only one or a few people.

Place the function below into the functions.php file of the active theme on each WordPress site you want to protect. Swap out YOUR-USERNAME and YOUR-PASSWORD with your own user/pass, and it's ready to go. This first version relies on PHP_AUTH_USER and PHP_AUTH_PW, which Apache only populates when PHP runs as an Apache module; if your credentials are never accepted, see Version 2 below.

// $pagenow is set by WordPress before the theme loads; it is the bare script name,
// so it also works for subdirectory installs and ignores trailing path info
// (PHP_SELF == "/wp-login.php" would miss /blog/wp-login.php or /wp-login.php/x).
if ( $GLOBALS['pagenow'] === 'wp-login.php' ) {
    add_action( 'init', 'login_init' ); /* Do Action: init fires before the login form is rendered */
}
function login_init() {
    $user = "YOUR-USERNAME";
    $pass = "YOUR-PASSWORD";
    // Challenge unless BOTH the username and the password match. The original used
    // "!= ... && != ...", which let a request through when only one of the two was right.
    if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] )
        || $_SERVER['PHP_AUTH_USER'] !== $user
        || $_SERVER['PHP_AUTH_PW'] !== $pass ) {
        header( 'WWW-Authenticate: Basic realm="wp-login"' ); // single-quoted: realm="" inside double quotes was a parse error
        header( 'HTTP/1.0 401 Unauthorized' );
        exit;
    }
}

Version 2

If the above example pops up the auth box but a correct username and password are never accepted, the likely cause is that PHP cannot see the $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] variables. Apache only fills them in when PHP runs as an Apache module; under CGI or FastCGI (common on shared hosting) the Authorization header is not passed through to PHP at all.

To correct this you'll need to use a RewriteRule that hands the header to PHP yourself.

The RewriteRule

Use ONE of the following RewriteRules in your website's root .htaccess file. I do not fully understand this rule, but it appears that:

The username and password typed into the auth box travel in the Authorization request header. The rule copies that header into an environment variable called HTTP_AUTHORIZATION, which PHP then sees as $_SERVER['HTTP_AUTHORIZATION'] (after an internal redirect Apache renames it to REDIRECT_HTTP_AUTHORIZATION). The PHP code afterward derives the PHP_AUTH_USER and PHP_AUTH_PW values from that variable; they are $_SERVER entries, not functions.

** Test your website after adding the rewrite rule. Posts, pages and images will return 404 if you have the wrong variant for your setup.

Worked On WordPress Multisite – put the rule directly below the RewriteEngine On line, within the .htaccess file of your website.

RewriteRule .? - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Other possible RewriteRules: the first RewriteRule below is the most commonly used one. Note that the L / last flag stops rule processing for that request; placed above WordPress's own rules it prevents the "RewriteRule . /index.php [L]" line from ever running, which is what makes pretty permalinks 404. If that happens, use the variant without the flag.

RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
RewriteEngine On
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},last]
RewriteEngine On
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

The Code
Place the function below into the functions.php file of the active theme on each WordPress site you want to protect. Swap out YOUR-USERNAME and YOUR-PASSWORD with your own user/pass.

// $pagenow is the bare script name set by WordPress before the theme loads, so the
// check also works for subdirectory installs and ignores trailing path info.
if ( $GLOBALS['pagenow'] === 'wp-login.php' ) {
    add_action( 'init', 'login_init' );
}
function login_init() {
    $user = "YOUR-USERNAME";
    $pass = "YOUR-PASSWORD";
    // The RewriteRule copies the Authorization header into HTTP_AUTHORIZATION;
    // after an internal redirect Apache exposes it as REDIRECT_HTTP_AUTHORIZATION.
    $auth = $_SERVER['HTTP_AUTHORIZATION'] ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    // Strip the leading "Basic " and decode "user:password". Limit the split to 2
    // parts so a password that itself contains ':' is not cut short.
    list( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) =
        array_pad( explode( ':', base64_decode( substr( $auth, 6 ) ), 2 ), 2, '' );
    // Challenge unless BOTH match. The original condition was inverted: it sent the
    // 401 only when the credentials were correct and let every other request through.
    if ( $user !== $_SERVER['PHP_AUTH_USER'] || $pass !== $_SERVER['PHP_AUTH_PW'] ) {
        header( 'WWW-Authenticate: Basic realm="wp-login"' );
        header( 'HTTP/1.0 401 Unauthorized' );
        exit;
    }
}
  • You can use the same username and password for each site, however I recommend each site has at least a unique password.
  • Do Not use the same username and password that you use to access the WordPress Admin.
  • Rotate the username and password from time to time.
  • Use Password Management Software like KeePass to manage your passwords.
  • Remember, this is simply an extra layer of security; it is NOT a complete protection solution. It only guards wp-login.php: xmlrpc.php still accepts WordPress credentials directly, so you should still choose a very complex admin username and password and use other WordPress security plugins.
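The script below is an added, stand-alone example and not code from the original post. It shows the whole path the credentials take (PHP_AUTH_* under mod_php, HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION after the RewriteRule), parses the header the way the Version 2 code does, and verifies it with constant-time comparisons against a password_hash() value instead of a plaintext password in functions.php. The function names, the "editor" user and the sample passwords are ours, and the $_SERVER arrays are constructed so the script runs from the command line without a web server or WordPress.

```php
<?php
// Added example (not the original post's code). Run with: php basic_auth_demo.php
// Assumptions (ours, not the post's): function names, the "editor" user, the sample
// password, and storing a password_hash() output rather than the plaintext password.

declare(strict_types=1);

/**
 * Extract [user, password] from a $_SERVER-like array, or null if absent/invalid.
 * Lookup order:
 *   1. PHP_AUTH_USER / PHP_AUTH_PW  (set directly when PHP runs as an Apache module)
 *   2. HTTP_AUTHORIZATION           (set by the RewriteRule [E=HTTP_AUTHORIZATION:...])
 *   3. REDIRECT_HTTP_AUTHORIZATION  (same value after a mod_rewrite internal redirect)
 */
function basic_auth_credentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [(string) $server['PHP_AUTH_USER'], (string) $server['PHP_AUTH_PW']];
    }
    $raw = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    // Only the Basic scheme is handled; "Bearer ..." or an empty header is not a login attempt.
    if (stripos($raw, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(trim(substr($raw, 6)), true); // strict: junk -> false
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Limit 2: the password may itself contain ':'; only the first one separates.
    return explode(':', $decoded, 2);
}

/**
 * Compare the supplied credentials with the configured user and password hash.
 * hash_equals() keeps the username check constant-time; password_verify() is
 * constant-time by design and is evaluated even when the user is wrong, so a
 * bad username and a bad password take the same time to reject.
 */
function basic_auth_ok(array $server, string $expected_user, string $password_hash): bool
{
    $creds = basic_auth_credentials($server);
    if ($creds === null) {
        return false;
    }
    [$user, $pass] = $creds;
    $user_ok = hash_equals($expected_user, $user);
    $pass_ok = password_verify($pass, $password_hash);
    return $user_ok && $pass_ok;
}

/** Send the challenge and stop: what the WordPress 'init' hook should do on failure. */
function basic_auth_challenge(): void
{
    header('WWW-Authenticate: Basic realm="wp-login"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}

// ---- Self-check with constructed request environments (no web server needed) ----
$hash = password_hash('s3cret:with:colons', PASSWORD_DEFAULT); // store this, not the plaintext

$cases = [
    // mod_php populates PHP_AUTH_* directly
    'mod_php ok'     => [['PHP_AUTH_USER' => 'editor', 'PHP_AUTH_PW' => 's3cret:with:colons'], true],
    // CGI/FastCGI: only the raw header, copied in by the RewriteRule
    'cgi ok'         => [['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('editor:s3cret:with:colons')], true],
    'redirect ok'    => [['REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('editor:s3cret:with:colons')], true],
    'wrong password' => [['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('editor:wrong')], false],
    'wrong user'     => [['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('admin:s3cret:with:colons')], false],
    'no header'      => [[], false],
    'other scheme'   => [['HTTP_AUTHORIZATION' => 'Bearer abc'], false],
    'bad base64'     => [['HTTP_AUTHORIZATION' => 'Basic @@@@'], false],
];

foreach ($cases as $name => [$env, $want]) {
    $got = basic_auth_ok($env, 'editor', $hash);
    printf("%-15s %s\n", $name, $got === $want ? 'PASS' : 'FAIL');
}
```

To use it in WordPress, keep the three functions, drop the self-check, and in the 'init' hook call basic_auth_challenge() whenever basic_auth_ok($_SERVER, 'editor', $hash) is false; generate $hash once with password_hash() and paste only the hash into functions.php, so a leaked theme file does not hand out the Basic auth password in the clear.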

Let me know what you thought of this article by leaving me some quick feedback. ~tribalNerd