Basic Authentication
Basic Authentication (HTTP Basic Authentication) displays a browser authentication dialog when accessing the login page. The WordPress login form will not be shown unless the correct username and password are entered.
As Layer 3 of the multi-layered defense, it sits between Custom Login URL (Layer 2) and reCAPTCHA (Layer 4).
How It Works
When Basic Authentication is enabled, the following flow occurs when accessing the login page:
- The browser requests the login URL
- The server responds with 401 Unauthorized and a WWW-Authenticate header
- The browser displays an authentication dialog (username and password fields)
- Upon submitting valid credentials, the WordPress login form is displayed
- If authentication fails, the dialog is shown again
Technical Note: SentinelSecurity's Basic Authentication uses PHP HTTP authentication headers ($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) rather than .htaccess. This means it works safely without modifying your server's .htaccess file.
Configuration
- Go to SentinelSecurity → Login Security in your WordPress admin dashboard
- Find the Layer 3: Basic Authentication section
- Toggle the switch to Enable
- Enter a Username
- Enter a Password
- Click Save
Settings
| Field | Description | Required |
|---|---|---|
| Enable/Disable | Turn Basic Authentication on or off | — |
| Username | Username for the authentication dialog | Required when enabled |
| Password | Password for the authentication dialog | Required when enabled |
Note: The username and password configured here are separate from your WordPress login credentials. Use values that differ from those of your WordPress account.
Defining Constants in wp-config.php
For enhanced security, you can define constants in wp-config.php to manage Basic Authentication credentials:
define( 'SENTINEL_BASIC_AUTH_USER', 'your_username' );
define( 'SENTINEL_BASIC_AUTH_PASS', 'your_password' );
When constants are defined, they take priority over values set in the admin panel.
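Added example, not SentinelSecurity's own code: one way the check described under How It Works and the constant-over-panel priority above fit together. The function names, the realm text, the HTTP_AUTHORIZATION fallback and the sample credentials are assumptions made for illustration.

```php
<?php
// Added illustration, not SentinelSecurity's source; function names are hypothetical.
// Constants from wp-config.php take priority over values saved in the admin panel.
function example_expected_credentials(array $saved): array {
    $user = defined('SENTINEL_BASIC_AUTH_USER') ? SENTINEL_BASIC_AUTH_USER : ($saved['user'] ?? '');
    $pass = defined('SENTINEL_BASIC_AUTH_PASS') ? SENTINEL_BASIC_AUTH_PASS : ($saved['pass'] ?? '');
    return [(string) $user, (string) $pass];
}

// Credentials sent by the browser. PHP normally fills PHP_AUTH_USER/PHP_AUTH_PW.
// Assumption: where it does not, the raw header may be present as HTTP_AUTHORIZATION.
function example_supplied_credentials(array $server): ?array {
    if (isset($server['PHP_AUTH_USER'])) {
        return [(string) $server['PHP_AUTH_USER'], (string) ($server['PHP_AUTH_PW'] ?? '')];
    }
    $header = trim((string) ($server['HTTP_AUTHORIZATION'] ?? ''));
    if (stripos($header, 'Basic ') !== 0) { return null; }
    $decoded = base64_decode(substr($header, 6), true);
    return ($decoded !== false && strpos($decoded, ':') !== false) ? explode(':', $decoded, 2) : null;
}

// 200 lets the login form render; 401 makes the browser show (or re-show) its dialog.
function example_basic_auth_gate(array $server, array $saved, bool $logged_in): array {
    if ($logged_in) {
        return ['status' => 200, 'headers' => []]; // logged-in users skip the check
    }
    [$user, $pass] = example_expected_credentials($saved);
    $given = example_supplied_credentials($server) ?? ['', ''];
    // hash_equals() compares in constant time; both comparisons always run.
    $user_ok = hash_equals($user, $given[0]);
    $pass_ok = hash_equals($pass, $given[1]);
    // Choice made in this example: unset credentials deny everyone (fail closed).
    if ($user !== '' && $pass !== '' && $user_ok && $pass_ok) {
        return ['status' => 200, 'headers' => []];
    }
    // Realm text is a placeholder; no-store keeps caches from holding the challenge.
    return ['status' => 401, 'headers' => ['WWW-Authenticate: Basic realm="Login"', 'Cache-Control: no-store']];
}

// Constructed sample requests; the credentials are made up.
$saved = ['user' => 'gate-user', 'pass' => 'gate-pass'];
$requests = [
    'no header'  => [],
    'wrong pass' => ['PHP_AUTH_USER' => 'gate-user', 'PHP_AUTH_PW' => 'nope'],
    'raw header' => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('gate-user:gate-pass')],
];
foreach ($requests as $label => $server) {
    echo $label, ': ', example_basic_auth_gate($server, $saved, false)['status'], PHP_EOL;
}
```

Basic Authentication credentials are base64-encoded, not encrypted, and are resent with every request to the protected URL, so the login URL should be served over HTTPS only.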
When It Applies
- Custom Login URL enabled: Applied when accessing the custom URL
- Custom Login URL disabled: Applied when accessing /wp-login.php
- Logged-in users: Basic Authentication is skipped
- Works with IP Restriction: Basic Authentication is only triggered after passing IP Restriction (Layer 1)
Important Notes
- If you forget your Basic Authentication username or password, deactivate the plugin via FTP or your hosting file manager to remove the restriction
- Does not affect programmatic access such as REST API clients
- If using a caching plugin, ensure the login page is not cached
Related Documentation
- Login Security (Overview) — Overview of the 5-layer defense
- IP Restriction — Layer 1: Restrict access by IP address
- Custom Login URL — Layer 2: Change the login URL
- reCAPTCHA — Layer 4: Bot protection
- Email Verification (OTP) — Layer 5: One-time password