Password protecting your WordPress admin area through a layer of HTTP authentication is an effective measure to thwart attackers attempting to guess users’ passwords. Additionally, if attackers manages to steal a user’s password, they will need to get past HTTP authentication in order to gain access to WordPress login form.
in Apache HTTP Server, you can achieve this by creating a .htpasswd file and adding a few configuration directives described below.
.htpasswd file stores combinations of usernames and password hashes which the web server will use to authenticate users. You can create a
.htpasswd file using the htpasswd command line or using an online password file generator.
Several Linux distributions install the htpasswd utility together with Apache itself, however, most Debian and Ubuntu users will need to install the apache2-utils package as follows.
apt-get update apt-get upgrade apt-get install apache2-utils
Once htpasswd is installed, run the following command to create a new
.htpasswd file with a single user. The following command will create a new
.htpasswd file located at /srv/auth/.htpasswd with a username of myuser. htpasswd will then prompt you to enter and then confirm the password of your choice.
htpasswd -c /srv/auth/.htpasswd myuser
.htprefix are not served by Apache, however this should not be assumed.
To enable basic HTTP authentication on the WordPress administration area, you need to activate the directive described below on the wp-admin directory and reference the .htpasswd file created earlier. Insert the following lines into the appropriate <Directory> section of your server’s Apache configuration file or in an .htaccess file within the wp-admin directory.
AuthType Basic AuthUserFile /srv/auth/.htpasswd AuthName "WordPress Authenticated area." Require valid-user
AuthType directive is specifying that the authentication type. In this case, Basic authentication is being configured.
AuthUserFile directive specifies the full path to the
.htpasswd file. This file is the file that shall be used to store password hashes which the server shall later use to authenticate users with.
AuthName directive contains an arbitrary message which the browser will present to the user upon authentication. The Require valid-user setting simply instructs Apache to allow any valid user to authenticate.
.htare not web-accessible in most default configurations of Apache, but this should not be assumed.
Read the entire article on How to prevent a WordPress hack