There are multiple ways to protect wp-login.php. The best way is through Domain Level Firewall. If you don’t have access to it, this NInja Firewall Plugin will serve as a FIrewall. The beauty of this plugin is that it is free and none of the other plugins we tested provide this level of protection. So, let’s first install and activate the Ninja Firewall WP Edition Plugin and follow the steps below for a secure WordPress website.
Activate Full WAF
First, let’s activate the Ninja Firewall’s Full Web Application Firewall instead of running the default WAF. Go to the dashboard and you will see this message when you install it for the first time.
Before you proceed, activating Full WAF depends on your Hosting Panel. I have explained both methods. The first method is for Custom Panels, the next is for C-Panel Hostings.
Important: Before Proceeding and Clicking on Activate, take a backup of your WordPress first. Things rarely go wrong. If you want to know the ways to backup WordPress, have a look at our article about 4 Methods to Backup WordPress.
For Custom Control Panels
Now once you have a backup of your site, you can proceed with Activating the Full WAF mode. You may face problems during the automatic process. In case WAF is not activated, go with the manual method by adding the lines which the plugin provides to your ‘.htaccess’ file in the ‘public_html’ folder.
# BEGIN NinjaFirewall
<IfModule Litespeed>
php_value auto_prepend_file "/home/hostingid/domains/wpclimax.info/public_html/wp-content/nfwlog/ninjafirewall.php"
</IfModule>
# END NinjaFirewall# BEGIN NinjaFirewall
<IfModule Litespeed>
php_value auto_prepend_file "/home/hostingid/domains/wpclimax.info/public_html/wp-content/nfwlog/ninjafirewall.php"
</IfModule>
# END NinjaFirewallIf you get this error, you just need to refresh.
For C-Panel Hostings
Folks with C-Panel need not edit the ‘.htaccess’ file. You can activate NinjaFirewall’s Full WAF Mode by editing ‘.user.ini’ File located in the home directory. Once found, right-click on that and select edit.
Ninja Firewall will provide you with the lines which you must paste in ‘.user.ini’ of your hosting. Once you Save it, .user.ini when viewed should display the code like this,
Now when you check back on the Ninja Firewall dashboard, you have your Full WAF activated successfully. Below is the screenshot of what the message should look like when everything is done in order.
If you still face issues, kindly contact your hosting provider. Or you can also comment below for any troubles you face. Now let’s move to our main topic of discussion
Activate wp-login.php Protection
The process is easy. Simply go to the ‘Login Protection‘ tab under Firewall options. You need to click on ‘Enable‘. You will be prompted with the below page, enter the information as mentioned. Here you also need to set a separate ID and Password for the Firewall Page.
If you don’t use any Domain Level Firewall, it is very important to activate the Protection for XML-RPC too. Protecting the xmlrpc.php is as important as protecting wp-login.php. All of the Brute-Force attempts will be shifted to the xmlrpc.php if wp-login.php is not directly accessible.
Now when you access your WordPress Login page from the guest window, you will be welcomed by the firewall lock. In order to continue, you must enter the credentials you used in the above login protection options.
Now in case, you forget it, no worries. Through FTP/ Hosting File Manager, rename the Ninja Firewall Plugin folder by adding ‘.old’ to the end of it. Now Login back.
When you are in the WordPress Dashboard, you will see an error message saying that some files are missing. Now go back to ‘File Manager’ rename the folder back. Remove ‘.old’.
Now back in WordPress Dashboard, refresh the page. The message is gone. Go back to Plugins and Activate Ninja Firewall. Go to Login Options and change the username/ password.
If you would like any help let us know in the comments below. We would love to answer.