This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

Password Protection


This plugin helps prevent annoyance from multiple brute force login attempts to your site. It does this by adding an additional authentication method. Once you enable the plugin
and enter a username and password ( please use a different username and password than your WordPress admin account ). Any user or bot that attempts to access wp-admin or your login page
will be required to successfully enter the additional authorization details before allowed access to the WordPress login page. You can also set your login page to not allow direct access
without a valid referrer header from your site. Please Note: No security plugin will provide 100% protection from hackers. This plugin simply makes it harder for them to gain access using
automated techniques. Please remember to ALWAYS KEEP UP TO DATE BACKUPS and use STRONG PASSWORDS!!

PLEASE NOTE: Very Limited support will be offered for this plugin but it will be kept up to date and any bugs can be reported on the github page at


  • HTTP Authentication on Chrome, your browser my not look the same but it should be similar.
  • The admin interface.


  1. Upload the password-protection folder to the /wp-content/plugins/ directory
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. Visit the settings page and enter a username and password to be used as the secondary authorization


Will this plugin keep my site from being hacked?

NO! No plugin can keep your site from being hacked but this plugin will stop annoying brute force attempts to your login page.

What is a No-Referrer Request?

A No-Referrer Request is a direct request made to your wp-login.php file. Normally when you go to wp-admin and you are not logged in WordPress will redirect you to wp-login.php. When this happens the referrer is from your same domain. Bots and automated scripts normally make direct post requests to wp-login.php without a referrer. This plugin can block all requests without a referrer or requests from a referrer that is not from your domain.

What if I forget my Password?

If you forget your password there is no way to recover it because it is stored as an encrypted hash. If you forget your password you will have to disable the plugin by changing the name of the password-protection using FTP. Once disabled and you log in you can then re activate the plugin and enter a new password on the settings page.


There are no reviews for this plugin.

Contributors & Developers

“Password Protection” is open source software. The following people have contributed to this plugin.


Translate “Password Protection” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.



  • Fixed bug that prevented authentication from activating on certain server configurations
  • Added password confirmation to settings page
  • Better blocking for no-referrer requests to wp-login.php


  • Changed password hashing to use wp_hash_password and wp_check_password *props chrisguitarguy
  • Fixed bug that bypassed block when WordPress was installed in sub directory or query string was appended to url *props chrisguitarguy
  • Block No-Referrer requests option checked by default
  • Added version check and update function to clear current password for upgrading users to force change and use of new password hashing


  • Initial Version