HTTP authentication adds a secondary layer of WordPress security that protects the admin dashboard — or wp-admin — by requiring the user to submit a further set of credentials. After creating the .htaccess file that protects the WordPress wp-admin folder, you should create a username and password database file for HTTP authentication. In other words, you simply need to create a WordPress .htpasswd file.

.htpasswd files are used to protect your website or specific directories using HTTP authentication, and contain a list of usernames and hashed passwords. Apache uses this information to authenticate users who want to access a password-protected website or web page, by prompting the user with an HTTP authentication dialog.

An .htpasswd file contains one entry per line: a username, followed by the colon (:) character, followed by the hashed password, as in the example below:

steven:$apr1$k7QjkNty$tSd4grHRifUzCC8L9EBN51
jones:$apr1$Z5SbWNdp$oJqAVhLCvVRMSgeEADeT6/

Creating a .htpasswd file

You can create an .htpasswd file using either of two methods. The easiest and fastest method — ideal for beginners — is to use an online htpasswd generator. The second method involves generating the .htpasswd file manually. The manual method provides more flexibility, although some technical experience is recommended.

The manual method

You need a tool called “htpasswd” in order to create a .htpasswd file. If you are running Windows you can install Xampp, the Apache web server for Windows, or any other similar server software that ships with the ‘htpasswd’ tool. To launch the htpasswd tool, navigate to the tool’s directory via the command line. In a typical Apache installation, the tool can be found in the bin subdirectory.

Once your command line interface is in the directory containing htpasswd.exe, type htpasswd.exe and hit enter. A list of available htpasswd.exe parameters will be shown for your reference. To create a new .htpasswd file, type the following command in the prompt.

“htpasswd -cm passwordfilename username”

where passwordfilename is the .htpasswd file to create and username is the user being added.

You will then be asked to enter a password for the specified username. By default, the .htpasswd file will be generated in the same directory where the htpasswd.exe tool resides. The ‘-c’ parameter creates a new .htpasswd file (overwriting any existing file of that name), and the ‘-m’ parameter hashes the submitted password using Apache’s MD5-based $apr1$ scheme, which is what produces the $apr1$ entries shown in the example above. If you wish to add more usernames to the current password file, use the same command without the ‘-c’ parameter, as follows:

“htpasswd -m passwordfilename username”

Note: Installing Xampp or Apache on your computer means a web server will be installed and running on that computer. If not configured properly, a web server could expose a security vulnerability on your machine, so it’s not advisable to use any mission-critical computers if you’re not confident with this process.

Once the .htpasswd file is created, save the file in the location specified in the .htaccess file under the AuthUserFile directive. You can read more on how to use .htaccess files to secure your WordPress installation here: htaccess Files and WordPress Security.
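As an added example (not code from this post or from the Apache project), the script below shows what the .htpasswd format and the ‘-m’ option actually involve: it re-implements Apache’s $apr1$ hash, appends an entry the way htpasswd -m would, parses a file in the format shown above, and checks a submitted password against it. The sample file contents, the user ‘alice’ and her password are constructed for the example.

```python
import hashlib, hmac, secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_hash(password: str, salt: str) -> str:
    # Apache's $apr1$ scheme, the hash 'htpasswd -m' writes: salted MD5 stretched over 1000 rounds.
    pw, s = password.encode(), salt[:8].encode()   # htpasswd uses at most 8 salt characters
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for n in range(len(pw), 0, -16):               # fold the alternate digest in, 16 bytes at a time
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                       # md5-crypt's bit-dependent padding step
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                          # stretching loop, identical to md5-crypt
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3: c.update(s)
        if i % 7: c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(final[a] << 16 | final[b] << 8 | final[c], 4)   # crypt(3)-style base64 over
              for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))]
    out = ""
    for v, count in groups + [(final[11], 2)]:     # a fixed permutation of the 16 digest bytes
        for _ in range(count):
            out += ITOA64[v & 0x3F]
            v >>= 6
    return f"$apr1${s.decode()}${out}"

def new_entry(user: str, password: str) -> str:
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))   # random salt, as htpasswd picks one
    return f"{user}:{apr1_hash(password, salt)}"

def parse_htpasswd(text: str) -> dict:
    users = {}
    for line in text.splitlines():                 # one 'user:hash' entry per line
        user, _, stored = line.strip().partition(":")
        if user and not user.startswith("#"):
            users[user] = stored
    return users

def verify(users: dict, username: str, password: str) -> bool:
    stored = users.get(username, "")
    if not stored.startswith("$apr1$"):            # only the -m ($apr1$) scheme is handled here
        return False
    return hmac.compare_digest(apr1_hash(password, stored.split("$")[2]), stored)

# Constructed sample file: the two entries from the post plus one appended as 'htpasswd -m' would.
SAMPLE = ("steven:$apr1$k7QjkNty$tSd4grHRifUzCC8L9EBN51\n"
          "jones:$apr1$Z5SbWNdp$oJqAVhLCvVRMSgeEADeT6/\n") + new_entry("alice", "correct horse") + "\n"
```

Current htpasswd versions also offer ‘-B’ (bcrypt); entries it writes start with $2y$ rather than $apr1$ and are not handled by this verifier.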

THE AUTHOR
Acunetix

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.