How to Protect Your WordPress Admin and Login Section
— May 28, 2018
• 2 Minutes Read
WordPress has become the favorite target of hackers and cybercriminals because many WordPress users do not really think twice about strengthening the security of the website. In many cases, the attacks are directed toward the admin area and the login section.
Here is a simple two-step process that protects the WordPress admin area and the login section of your website.
Secure The Admin Folder
Note: Do not try this if you are using a dynamic IP address.
An easy, but significant way to protect your WordPress website is by securing access to the admin area. All it takes is adding a simple code snippet to .htaccess file. This code snippet ensures that only you and any designated editors are the only ones allowed to use the admin area. In effect, this step controls access to wp-admin directory section of the WordPress core.
If you don’t already have a .htaccess file, create a blank one in the wp-admin folder. Next, copy the following code and paste it into the .htaccess file. Remember that If you already have code in the .htaccess file, make sure that this snippet goes at the very top:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# SECURE WP-ADMIN <FilesMatch ".*"> # Apache < 2.3 <IfModule !mod_authz_core.c> Order Deny,Allow Deny from all Allow from 123.456.789.000 </IfModule> # Apache >= 2.3 <IfModule mod_authz_core.c> Require ip 123.123.123.000 </IfModule> </FilesMatch> |
Note the two IP placeholders. The next step is to paste your IP address into these placeholders. This step ensures that only the IP addresses mentioned in the snippet are able to access the admin area. To find your IP address, do a Google search for “what is my IP address”. Paster the address into the IP placeholders. You can add as many IP addresses as you wish by copying and pasting these lines with the additional IP addresses.
Protect The Login Page
Next, I will show you how to secure the WordPress login page. The relevant file is wp-login.php.
Locate the .htaccess file in the root directory and paste the following code in it at the top of the existing code:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# SECURE LOGIN PAGE <Files wp-login.php> # Apache < 2.3 <IfModule !mod_authz_core.c> Order Deny,Allow Deny from all Allow from 123.123.123.000 </IfModule> # Apache >= 2.3 <IfModule mod_authz_core.c> Require ip 123.123.123.000 </IfModule> </Files> |
This code protects your login page from unauthorized access.
Again, you need to update the IP address placeholders with your IP addresses. Make sure the IP addresses listed in both the code snippets are same.
Once you have updated and saved the file, the WordPress admin access is on lock-down from any unauthorized outsiders.
To verify whether the security measures are up and running, visit the website from a proxy server to simulate access from an authorized IP address. If all is well, you will see a 403 error message, denying you access to the WordPress login page.
Next, try to access the login page from your authorized IP address. You should now see the login page and be able to enter your credentials.
Do remember though, if you ever update or change your primary IP address, you have to update the .htaccess file accordingly. In the meantime, rest easy knowing your WordPress site is a little more secure.
Create Faster WordPress Websites!
Free eBook on WordPress Performance right in your inbox.
Emin is a web designer at Amberd, a Los Angeles-based design and marketing agency. On his free time, he enjoys writing blog posts about website design and internet security.
