Skip to main content

In this easy-to-follow tutorial, you’ll learn how to protect WordPress Admin and Login sections from hackers. These two sections are the main target area that hackers use to gain access to your website’s backend.

Protection is a must!

Besides securing WordPress Admin and Login sections, you should also take an extra few minutes to secure your installation and configuration files.

To do so, follow these two easy tutorials.

  1. 3 Easy Ways to Protect Your WordPress Installation File
  2. 3 Ways to Protect the WordPress Configuration File

Step 1: Secure The Admin Folder

Please note: Do not try this if you are using a dynamic IP address.

An easy, but significant way to protect your WordPress website is by securing access to the admin area. It only takes a small code to add to your .htaccess file to secure it and ensure you and designated editors, are the only ones allowed to use the admin portal.

The folder we will insert this code into is the wp-admin directory section of the WordPress core files.

To protect this entire directory, navigate to the wp-admin folder, then create a blank .htaccess file if you do not already have one.

Create htaccess file

Now, copy the below code and past it into the .htaccess file you just created.

# SECURE WP-ADMIN

<FilesMatch ".*">

# Apache < 2.3

<IfModule !mod_authz_core.c>

Order Deny,Allow

Deny from all

Allow from 123.456.789.000

</IfModule>

# Apache >= 2.3

<IfModule mod_authz_core.c>

Require ip 123.123.123.000

</IfModule>

</FilesMatch>

If you already had an .htaccess file in place and had some other code, be sure this one goes above all the others.

The next step is to paste your IP address into the IP address placeholders. This step ensures that the admin controls are only accessed from your IP address.

To find your IP address, do a Google search for “what is my IP address.”

What's my IP?

Copy the provided address and replace it with the two fake IP addresses in the .htaccess code.

Just like it is done in the screenshot below.

htaccess admin protection

You can add as many IP addresses as you wish by copying and pasting these lines with the alternative IP addresses.

If the code is working correctly, your site has protection from any access attempts outside of the listed IP addresses. After adding all desired IPs, save and upload the file to the server.

Step 2: Protect The Login Page

In this section, we will secure the login page of WordPress, the wp-login.php file.

In the same .htaccess file that we were working on in Step 1, copy and paste the below code on top of the existing code.

# SECURE LOGIN PAGE

<Files wp-login.php>

# Apache < 2.3

<IfModule !mod_authz_core.c>

Order Deny,Allow

Deny from all

Allow from 123.123.123.000

</IfModule>

# Apache >= 2.3

<IfModule mod_authz_core.c>

Require ip 123.123.123.000

</IfModule>

</Files>

This code protects outside sources from accessing your login page.

Again, you need to update the IP address placeholders to reflect your desired IPs. Make sure the IP addresses listed are the same for both files. Any time you add additional IPs to the login file, you have to add the new address to the directory file.

IP address. Protect WordPress login page.

After you have made sure your IP addresses match in all files, you can save and upload this new snippet to the server. After this second segment of coding uploads, your WordPress admin access is on lock-down from any meddlesome outsiders.

To check to see if your coding has been uploaded successfully, visit your site from a proxy server to simulate using an outside IP address.

There are free proxy servers all over the internet you can use. Hide.me is the one we recommend.

Use the one you like and paste your WordPress admin URL into the test bar and click enter or go.

If the code is working properly, the page should return a 403 error message denying you access to the WordPress login page.

Next, try to access the login page from your IP address. Paste the URL directly into the HTTP space and hit “enter.” You should now see the login page and be able to enter your credentials.

How to protect WordPress Admin and Login sections

An alternative plugin solution

If you are using SG Security by SiteGround, you do not have to worry about doing this manually, you can just use the plugin to take care of this for you.

Install the plugin, activate it, then head over to the Login Security area then click on the CONFIGURE button on the Login Access section.

SG Security Login Access

Once there, click on the plus icon to add as many IP addresses as you want.

This will protect your WordPress Admin and Login sections from hackers and malware.

SG Security IP access

These simple steps can radically increase the website’s security and protect WordPress Admin and Login sections from outside attach.

Do remember though, if you ever update or change your primary IP address, you have to make the update to both files to access your login page successfully.

In the meantime, rest easy knowing your WordPress site is a little more secure!

Skip to content