I wanted to add more security to the WP-Admin part of my page, so I started thinking and asking around about how other people do it. I remembered that my colleagues at Infinum work with a lot of WordPress sites, so I asked them, and the answer they gave was to just put basic auth on it. So I did, and I think it is a pretty okay solution for what I have.

To set up basic auth on an Apache web server, the first thing we need is an .htaccess file. To learn more about .htaccess files, you can read the official documentation at this link:

https://httpd.apache.org/docs/2.4/howto/htaccess.html

Let’s start by creating a user and a password. To do this, run this command:

sudo htpasswd -c <location_of_htpasswd>/<name_of_the_file> <username>

#Example
sudo htpasswd -c /etc/apache2/.htpasswd goduser

This command will automatically ask you for a password.

To add more users, omit the -c option: -c creates the password file and overwrites it if it already exists.

Next, we need to add this bit of configuration to our Apache configuration, which is located in /etc/apache2/apache.conf:

#Block access to wp admin
<Files wp-login.php>
        AuthName "Admins Only"
        AuthUserFile /etc/apache2/.htpasswd
        AuthType basic
        require valid-user
</Files>
<Location /wp-admin/>
        AuthName "Admins Only"
        AuthUserFile /etc/apache2/.htpasswd
        AuthType basic
        require valid-user
</Location>

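#Keep admin-ajax.php reachable without basic auth
#Order, Allow and Satisfy are 2.2-style directives; Apache 2.4 provides them through mod_access_compat
<Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
</Files>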

After we finish editing, we need to restart Apache and we are done:

sudo systemctl restart apache2

Now you can check your new authentication on the /wp-admin page.
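
To make that final check repeatable, here is an added example (not part of the original post) that requests the three paths from the configuration above without credentials and reports whether each one behaves as intended. The function names and the site URL passed on the command line are assumptions for illustration.

```shell
#!/bin/sh
# Added example: verify the basic-auth setup from the outside.
# Usage: sh check_wp_auth.sh https://your-site.example   (URL is a placeholder)

# Print the HTTP status code for a URL; curl prints 000 when it cannot connect.
http_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1"
}

# Decide whether a status code matches what the configuration should produce.
#   $1 = protected | open      $2 = HTTP status code
verdict() {
    case "$1:$2" in
        *:000)         echo FAIL ;;  # server unreachable, nothing verified
        protected:401) echo ok ;;    # Apache asked for credentials
        protected:*)   echo FAIL ;;  # no credentials prompt (or a redirect: use the final URL)
        open:401)      echo FAIL ;;  # admin-ajax.php exemption is not working
        open:*)        echo ok ;;    # answered without a basic-auth prompt
    esac
}

# Request the three paths from the config without credentials.
check_site() {
    base=${1%/}
    rc=0
    for entry in protected:/wp-login.php protected:/wp-admin/ \
                 open:/wp-admin/admin-ajax.php; do
        kind=${entry%%:*}
        path=${entry#*:}
        status=$(http_status "$base$path") || status=000
        result=$(verdict "$kind" "$status")
        echo "$result  $status  $path"
        [ "$result" = ok ] || rc=1
    done
    return "$rc"
}

if [ -n "${1:-}" ]; then
    check_site "$1"
fi
```

Run it against the https:// address of the site: basic auth sends the password base64-encoded, not encrypted, so it should only ever travel over TLS.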