How to protect WordPress admin login with .htaccess rules

Securing a WordPress admin login is good practice, especially on static WordPress sites where nobody may be actively logging in. The best way to do this is with a set of .htaccess rules.

The following can be used to restrict access to a single IP address:

RewriteEngine on
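# Return 403 for wp-login.php and /wp-admin unless the client IP matches
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]

Replace "123.123.123.123" with your IP address, keeping the backslash before each dot so that it matches a literal dot.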

If you have multiple IP addresses (for example, when several people log in to wp-admin), use this instead:

RewriteEngine on
# Return 403 for wp-login.php and /wp-admin unless the client IP is one of the listed addresses
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]

Replace the IPs with authorized IPs, keeping the backslash before each dot.

Every time your IP changes, you will need to update your .htaccess with the new IP; however, this will increase security on your WordPress site.
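
As an added example (not part of the original article), the Python script below generates the multi-IP block from a list of addresses and models how mod_rewrite combines the conditions, so you can check which requests would get a 403 before editing the live file. The function names `build_rules` and `is_blocked` and the outside test address 203.0.113.9 are assumptions made for this illustration.

```python
import ipaddress
import re

def build_rules(allowed_ips):
    """Build the article's multi-IP .htaccess block for a list of IPv4 addresses."""
    lines = [
        "RewriteEngine on",
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]",
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$",
    ]
    if not allowed_ips:
        raise ValueError("refusing to emit a rule that locks everyone out")
    for raw in allowed_ips:
        ip = ipaddress.IPv4Address(raw.strip())  # ValueError on a mistyped address
        # Escape the dots so each one matches a literal "." in REMOTE_ADDR.
        lines.append("RewriteCond %{REMOTE_ADDR} !^" + re.escape(str(ip)) + "$")
    lines.append("RewriteRule ^(.*)$ - [R=403,L]")
    return "\n".join(lines)

def is_blocked(rules, uri, remote_addr):
    """Model mod_rewrite: conditions joined by [OR] form a group, groups are ANDed."""
    values = {"%{REQUEST_URI}": uri, "%{REMOTE_ADDR}": remote_addr}
    groups, current = [], []
    for line in rules.splitlines():
        parts = line.split()
        if parts[0] != "RewriteCond":
            continue
        negate = parts[2].startswith("!")
        pattern = parts[2][1:] if negate else parts[2]
        matched = re.search(pattern, values[parts[1]]) is not None
        current.append(matched != negate)
        if "[OR]" not in parts[3:]:
            groups.append(current)
            current = []
    return all(any(group) for group in groups)

if __name__ == "__main__":
    # Constructed sample data: two allowed addresses and one outside client.
    rules = build_rules(["123.123.123.121", "123.123.123.122"])
    print(rules)
    for uri, ip in [("/wp-login.php", "203.0.113.9"),
                    ("/wp-login.php", "123.123.123.122"),
                    ("/wp-admin", "203.0.113.9"),
                    ("/wp-admin/", "203.0.113.9"),
                    ("/", "203.0.113.9")]:
        print(f"{ip:16} {uri:15} -> {'403' if is_blocked(rules, uri, ip) else 'pass'}")
```

The run shows that the pattern `^(.*)?wp-admin$` matches only the bare /wp-admin path, so a request for /wp-admin/ with a trailing slash is not refused by this rule.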

Article Information
  • Article ID: 272
  • Category: WordPress