• The purpose of this plugin is to create additional password protection for the wp-login page, or the wp-admin folder, or even your entire site. It does this by the standard method of adding code to the .htaccess file that gets an additional username and password from a .htpasswd file (in which the MD5 hash of the password is used rather than the password itself).

    So far so good: it works, but it could be better – hence four stars.

    When you open the plugin’s settings page, it asks you to enter a new user. At first I thought I had to enter my WordPress username, but in fact it wants the new username that you want to use for the additional login box. I realised that when I thought about it, but it should be made clearer.

    More seriously, it puts the .htpasswd file in the same directory as the .htaccess file that it has modified. That is within the webroot, and so is accessible via http – although the plugin author has attempted to mitigate this by adding some more code to .htaccess preventing Apache from serving .ht* files. Much better is to put the .htpasswd file into the private folder, which is outside the webroot. I did that manually by moving the file and altering the location in .htaccess, both of which can be done using FTP, but it’s not convenient.

    Conclusion: using the plugin is quicker than doing the whole thing manually. It would be quicker still if the settings page allowed you to choose where .htpasswd should be placed. The main advantage of the plugin is that it creates the .htpasswd file automatically; otherwise you would need console access to the server in order to run a script to create the file, or the ability to calculate the MD5 hash of the password if you want to create the file in a text editor.

  • The topic ‘Useful but in need of improvement’ is closed to new replies.