Lock down WordPress admin login with .htaccess (or) wp-admin access limit using .htaccess

Lock down WordPress admin login with .htaccess

Written by Jacob Nicholson

Views: 84,723

Published: Jul 5, 2014

Comments: 80

You can lock down the WordPress admin login with some .htaccess rules to prevent unauthorized login attempts.

If your WordPress access is blocked due to WordPress brute force attacks this will help.

Limit WordPress admin login attempts

This guide will show how you to limit WordPress admin login attempts by IP address, or referrer.

Below we'll show you, how to get to your .htaccess file, and what edits to make, to limit WordPress admin logins.

Login to your cPanel.
Under the Files section, click on File Manager.
Select the Document Root for your domain.
Ensure that Show Hidden Files is selected.
Then click Go.

 
Right-click on the .htaccess file and select Edit.

 
1. You might have a text editor encoding dialog box pop-up, you can simply click on Edit.
2. There are a few ways to restrict access to your WordPress admin section using this .htaccess file.
   These rules should be placed at the very top of your .htaccess file to function properly.
   Restrict WordPress admin access via:

   Secondary WordPress admin .htaccess password(Recommended if your IP changes)

   A single IP address

   Multiple IP addresses

   Trusted referrers
   Single IP address access

   You can check your IP to get your computer's IP address.

   If you are using CloudFlare or a DNS level filtering service, this method won't work, you'll want to setup a secondary WordPress .htaccess password for protection instead.

   To allow access from a single IP address, replace 123\.123\.123\.123 with your own IP address:

   <IfModule mod_rewrite.c>
   RewriteEngine on
   RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
   RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
   RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
   RewriteRule ^(.*)$ - [R=403,L]
   </IfModule>

   Multiple IP address access

   You can check your IP to get your computer's IP address.

   If you are using CloudFlare or a DNS level filtering service, this method won't work, you'll want to setup a secondary WordPress .htaccess password for protection instead.

   To allow access from multiple IP addresses, replace 123\.123\.123\.xxx with your own IP addresses:

   <IfModule mod_rewrite.c>
   RewriteEngine on
   RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
   RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
   RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
   RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
   RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
   RewriteRule ^(.*)$ - [R=403,L]
   </IfModule>
   Dynamic IP address access, limit by referer

   If your IP address changes, you can protect your WordPress site by only allowing login requests coming directly from your domain name. Simply replace example\.com with your own domain name

   Most brute force attacks rely on sending direct POST requests right to your wp-login.php script. So requiring a POST request to have your domain as the referrer can help weed out bots.

   <IfModule mod_rewrite.c>
   RewriteEngine on
   RewriteCond %{REQUEST_METHOD} POST
   RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com [NC]
   RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
   RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
   RewriteRule ^(.*)$ - [F]
   </IfModule>
3. Wait at least 15-20 minutes, and try to login to your WordPress site again. If you try to access the WordPress dashboard within the 15 minute window of a block, this could extend the block longer.
   It's important to wait for the previous block to expire and be patient before attempting to access your WordPress site again.