Through the password protection section, you can allow web access to certain parts of your account only to people who have valid login credentials for them.
To enable the protection, you need to browse to the directory you want to protect at the Web Access Protection section. You should note that the protection works recursively and will affect all lower-level directories.
There are two types of authentication available - plain and digest. The plain method is recommended for sites with SSL certificates, while the digest method is recommended for non-HTTPS sites. Once you select the method, you need to specify the new user at the Add user field, and then you need to specify the password twice at the fields below. The user will be created upon clicking on the Add button.
You will notice that there is a password strength indicator below the Password field. It will update in real time as you are entering your new password. There are five distinct levels of password strength: Very Weak, Weak, Fair, Strong, and Very Strong. This will help you select a strong password for the user you are adding.
You can find general information on how to choose a strong password and secure it in our Password tips article.
If you wish to remove the password protection, you need to delete all the users that are created.
Protecting the WordPress Dashboard (wp-login.php files)
Besides directories, the Web Access Protection interface allows you to protect wp-login.php files. Wp-login.php is the file that is used to log in to the administrative interface of a WordPress installation. In case of a brute-force attack against your WordPress installation, the additional layer of web access protection for the wp-login.php file might be useful.
If a directory contains a wp-login.php file, it will be listed below the subdirectories. To protect the web access to it, you need to click on the Plain or Digest buttons next to it and add a user. When wp-login.php is protected, and you try to log in to the administrative section of your WordPress, first you will have to bypass the web protection with the username/password you created, and after that use your WordPress username/password.
You can manage this protection more easily via the hosting Control Panel > WordPress Manager by following the steps listed in our Improving WordPress security article.