Lock down WordPress admin login with .htaccess

You can lock down the WordPress admin login with some .htaccess rules to prevent unauthorized login attempts.

Limit WordPress admin login attempts

This guide will show you how to limit WordPress admin login attempts by IP address or by referrer.

Below we'll show you how to get to your .htaccess file and what edits to make to limit WordPress admin logins.

    1. Login to your cPanel.
    2. Under the Files section, click on File Manager.
    3. Select the Document Root for your domain.
    4. Ensure that Show Hidden Files is selected.
    5. Then click Go.
    • Right-click on the .htaccess file and select Edit.
    1. A text editor encoding dialog box may pop up; you can simply click Edit.
    2. There are a few ways to restrict access to your WordPress admin section using this .htaccess file.

    Single IP address access

    You can check your IP to get your computer's IP address.

    To allow access from a single IP address, replace 123\.123\.123\.123 with your own IP address (keep the backslashes, which escape the dots in the regular expression):

    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Match the login script or the admin directory ([OR] joins these two conditions)
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    # ...and deny when the client address is not the allowed one
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>

    Multiple IP address access

    You can check your IP to get your computer's IP address.

    To allow access from multiple IP addresses, replace each 123\.123\.123\.xxx entry with one of your own IP addresses (add or remove REMOTE_ADDR lines as needed):

    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Match the login script or the admin directory ([OR] joins these two conditions)
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    # Deny only when the client address matches none of the allowed ones
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>

    Dynamic IP address access, limit by referer

    If your IP address changes, you can protect your WordPress site by only allowing login requests that come directly from your domain name. Simply replace example\.com with your own domain name.

    Most brute force attacks rely on sending direct POST requests straight to your wp-login.php script. Requiring a POST request to carry your domain as the referrer can therefore help weed out bots. Note that the Referer header is supplied by the client, so this stops naive scripts rather than a determined attacker.

    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Only POST requests (form submissions) are checked
    RewriteCond %{REQUEST_METHOD} POST
    # Referer must point at our own domain; https? so sites served over TLS are not locked out
    RewriteCond %{HTTP_REFERER} !^https?://(.*)?example\.com [NC]
    # Apply to the login script or the admin directory ([OR] joins these two conditions)
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteRule ^(.*)$ - [F]
    </IfModule>

  3. Wait at least 15-20 minutes, then try to log in to your WordPress site again. If you try to access the WordPress dashboard within the 15-minute window of a block, this could extend the block.

    It's important to wait for the previous block to expire and be patient before attempting to access your WordPress site again.
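To see what the rule sets above actually do before deploying them, here is an added dry-run in Python (not part of the original article or the host's tooling) that applies the same RewriteCond patterns to a few constructed requests and reports which would be rejected. It assumes the placeholder 123.123.123.x addresses and example.com from the rules, and accepts both http and https in the Referer pattern.

```python
import re

# Same patterns as the .htaccess rules; Apache uses PCRE-style regexes.
LOGIN_URI = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^(.*)?wp-admin$")
ALLOWED_IPS = {"123.123.123.121", "123.123.123.122", "123.123.123.123"}  # constructed
REFERER_OK = re.compile(r"^https?://(.*)?example\.com", re.IGNORECASE)  # [NC] flag

def targets_login(uri: str) -> bool:
    """The two REQUEST_URI conditions joined by [OR]."""
    return bool(LOGIN_URI.match(uri) or ADMIN_URI.match(uri))

def ip_rule_blocks(req: dict) -> bool:
    """IP allowlist rule sets: 403 for login/admin URIs from any non-listed address."""
    return targets_login(req["uri"]) and req["ip"] not in ALLOWED_IPS

def referer_rule_blocks(req: dict) -> bool:
    """Referer rule set: 403 for POSTs to login/admin URIs lacking our domain as Referer."""
    return (req["method"] == "POST"
            and not REFERER_OK.match(req.get("referer", ""))
            and targets_login(req["uri"]))

def evaluate(requests):
    """Return {label: (blocked_by_ip_rule, blocked_by_referer_rule)} per request."""
    return {r["label"]: (ip_rule_blocks(r), referer_rule_blocks(r)) for r in requests}

# Constructed sample traffic (not real log data)
SAMPLE = [
    {"label": "owner_login", "method": "POST", "uri": "/wp-login.php",
     "ip": "123.123.123.123", "referer": "https://example.com/wp-login.php"},
    {"label": "bot_direct_post", "method": "POST", "uri": "/wp-login.php",
     "ip": "198.51.100.7", "referer": ""},
    {"label": "visitor_homepage", "method": "GET", "uri": "/",
     "ip": "198.51.100.7", "referer": ""},
    # Note: ^(.*)?wp-admin$ does not match the trailing-slash form of the URI
    {"label": "admin_trailing_slash", "method": "GET", "uri": "/wp-admin/",
     "ip": "198.51.100.7", "referer": ""},
]

if __name__ == "__main__":
    for label, (ip_b, ref_b) in evaluate(SAMPLE).items():
        print(f"{label:22} ip-rule 403={ip_b!s:5} referer-rule 403={ref_b}")
```

The last sample shows why the page's pattern still works in practice: /wp-admin/ itself is not matched, but WordPress redirects unauthenticated visitors from there to wp-login.php, which is.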
