How to use .htaccess to Secure WordPress Login | WebSurf Media

How to use .htaccess to Secure WordPress Login

One of the most common ways of attacking WordPress websites is a brute force algorithm, which basically equates to accessing your WordPress login page and making virtually endless automated attempts at the credentials (username and password) until the correct match is found and access to wp-admin is gained.

As far back as April 2013, vast brute force attacks happened on WordPress websites on various hosts; including well-known providers such as HostGator, Sucuri, InMotionHosting, etc. hundreds of thousands of WordPress websites were compromised.

That happened 3 years ago, sure; but that’s no reason to become complacent in matters of security. WordPress websites have always been irresistible to malicious activity, simple because one field attack gives high yield. Multiple WordPress websites can be targeted and successfully breached.

Secure WordPress login

That does not mean you can lay down your arms and switch to different platform: Keep in mind that on the web, nothing is safe. What you can do is protect your WordPress admin and login from brute force attacks by blocking unauthorized access.

How you do it: by limiting access to a single (or a handful of) trusted IP address(es).

In this post, I’ll walk you through the process of how it’s done. As the title suggests, you’re going to need your .htaccess file and a bit of moxie.

But first, you need an understanding of static and dynamic IPs and the difference between the two:

Difference between static and dynamic IPs

IP (Internet Protocol) is a unique sequence of numbers which denotes the address of a device on one network. It’s of two types: Static (never changes) and Dynamic (changes and assigned by network during connection).

Nowadays, most devices use dynamic IPs, but we’ll cover both types just to be on the safe side.

Alright, now that’s out of the way, make sure that you know your IP address and compile a list of IP addresses (of people who are co-admins or whom you trust). You can go to this link: to find your IP address.

Static IP

Restricting access to single address:

Note that if you are using the CloudFlare CDN or have a DNS level content filtering enabled, then this method won’t work at all.

In your .htaccess file, paste the following and replace x.x.x.x with your IP address (leave the $ at the end of it!):

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^x.x.x.x$
RewriteRule ^(.*)$ – [R=403,L]

Restricting access to multiples addresses:

This works exactly like the previous method, except there are more than one IP addresses we will add. These addresses will be only ones that can access the wp-login and wp-admin.


Go to your .htaccess file and replace x.x.x.1 (or 2, or 3) with the IP addresses of your choice.

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^x.x.x.1$
RewriteCond %{REMOTE_ADDR} !^x.x.x.2$
RewriteCond %{REMOTE_ADDR} !^x.x.x.3$
RewriteRule ^(.*)$ – [R=403,L]

If there are more than three, simply repeat the RewriteCond %{REMOTE_ADDR} !^ followed by another IP address (and a $).

With these methods, you have successfully limited the access to wp-admin and wp-login pages to a couple of IP addresses only. Anyone else trying to gain access to these pages will see a 404 Error Not Found page instead.

Dynamic IP

Limit access by referer

If you have a dynamic IP (you most likely do), then limiting access through previous methods won’t cut it because your IP address will change constantly depending on which network you are on. For such cases, you can limit access to wp-admin and wp-login by domain name.

How does this work

Like devices, websites have their own unique numerical addresses too. With DNS (Domain Name System), we are able to translate addresses into human readable ones. For instance: going to is theoretically the same as going to IP address

Getting back to topic at hand

In case of dynamic IP, you can lock out any login requests that did not come directly from your domain name. Since brute force attacks typically originate outside individual domains and work by sending POST requests to your websites wp-login.php script, you can ensure that you are not swept by a wave of bot attacks with this method.

Simply replace website-URL with your own domain name:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(.*)?website-URL\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ – [F]

Note: Wait for at least 20 minutes before trying to login to your WordPress after implementing this block.

End note

No method is foolproof. Just remember that before getting your hopes too high.

The method is pretty successful in blocking access to wp-login and wp-admin scripts, which are usually the first targets of any attack. To protect the rest of your website, learn more about hardening WordPress security.

Author bio: Tracey Jones is a front-end WordPress web developer at HireWPGeeks Ltd., building highly custom WP websites for businesses. Besides this, she is also an enthusiastic blogger who is interested in writing everything about new web development trends in the market. You can also follow her on Twitter.


Leave a Reply

Your email address will not be published. Required fields are marked *