There's always a handful of ways to do anything, and using .htaccess to restrict access to your wp-login.php script fits right into that logic.
I'm assuming that if you are reading this you are already aware of the .htaccess file; if you are not:
The .htaccess file is a flat text file placed in a directory. Apache reads it on each request and applies the directives it contains to that directory and every directory beneath it, provided the server's AllowOverride setting permits those directives.
The pros of using .htaccess to modify your website's configuration:
- It allows you to change your website's configuration without editing the main server configuration file, which on shared hosting you usually cannot touch anyway.
- Changes take effect on the next request, with no server restart, so you can try something out before committing it to the main configuration, if you choose to do so.
- WordPress plugins can access and modify it.
- Each directory can potentially have its own configuration.
The Cons:
- It allows you to modify your website's configuration, which can stop your website from working: a single typo turns every request beneath that directory into a 500 Internal Server Error.
- Every request for anything on your website requires Apache to look for and read .htaccess files in the requested directory and each of its parent directories, creating a performance hit.
- WordPress plugins can modify it, which means a buggy or malicious plugin can have undesirable consequences.
In regards to the performance hit, the amount it affects things is not noticeable under normal circumstances, but I wanted to mention it so that the list is accurate. See the Apache documentation's discussion of the .htaccess performance hit.
How To Block Access to wp-login.php
With all the pros and cons out of the way, let's get to the code.
First, get your public IP address (a Google search for "what is my IP" will show it).
Your IP address will be a group of numbers that looks like "198.2.132.23"; yours will be different, and if your connection uses IPv6 it may look like "2001:db8::1" instead. Two things to check before you rely on it: it must be the address your web server actually sees, so if the site sits behind Cloudflare or another reverse proxy, Apache will see the proxy's address rather than yours unless the server has been configured with mod_remoteip; and if your connection has a dynamic address, the rule will lock you out as soon as it changes, at which point you need FTP or SSH access to fix the file.
Whether or not you are comfortable editing .htaccess files, make a backup first; if you mess up, just put the old one back.
There are multiple ways to edit your .htaccess file (WordPress plugins, SSH, FTP, etc.); use whichever works best for you.
In your .htaccess file you will find the lines:
RewriteEngine On
RewriteBase /
They sit inside the block WordPress marks with "# BEGIN WordPress" and "# END WordPress", and WordPress rewrites that block whenever you save the permalink settings, so put your own directives outside it (for example, just above "# BEGIN WordPress"). The Files directive does not depend on mod_rewrite, so its position relative to the rewrite rules does not matter. Add this:
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from <YOUR IP>
</Files>
An example using the IP address shown earlier. Note that Order, Deny and Allow are the Apache 2.2 syntax; Apache 2.4 only honours them when the mod_access_compat module is loaded, and otherwise expects a Require ip directive in the same place:
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from 198.2.132.23
</Files>
UPDATE
I have noticed that some spam bots will try to POST directly to xmlrpc.php. The way to combat this is to cover it in the same block, which means switching from Files (which takes a single filename) to FilesMatch (which takes a regular expression that can name both files). Be aware that blocking xmlrpc.php for everyone else also blocks Jetpack, the WordPress mobile apps and anything else that talks to your site over XML-RPC:
<FilesMatch "^(wp-login|xmlrpc)\.php$">
    Order Deny,Allow
    Deny from all
    Allow from 198.2.132.23
</FilesMatch>
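The following is an added example, not part of the original post, showing the same wp-login.php and xmlrpc.php restriction written so that it works on both Apache 2.2 and Apache 2.4 and allows more than one address. The addresses 198.2.132.23 and 203.0.113.0/24 are placeholders; replace them with your own address (and, if you have one, your office or VPN range). It assumes the server's AllowOverride setting permits AuthConfig (needed for Require on 2.4) or Limit (needed for Order/Deny/Allow on 2.2).

```apache
# Added example, not from the original post: restrict wp-login.php and
# xmlrpc.php to a list of allowed addresses on Apache 2.2 and 2.4.
# 198.2.132.23 and 203.0.113.0/24 are placeholder addresses; replace them.
# Place this outside the "# BEGIN WordPress" / "# END WordPress" block.
<FilesMatch "^(wp-login|xmlrpc)\.php$">
    # Apache 2.4: mod_authz_core is present, so use Require.
    # Several addresses or CIDR ranges may be listed, separated by spaces.
    <IfModule mod_authz_core.c>
        Require ip 198.2.132.23 203.0.113.0/24
    </IfModule>
    # Apache 2.2 (mod_authz_core absent): fall back to Order/Deny/Allow.
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 198.2.132.23 203.0.113.0/24
    </IfModule>
</FilesMatch>
```

Wrapping the two syntaxes in IfModule blocks means only one of them is ever active, which avoids the confusing results you can get on Apache 2.4 when mod_access_compat is loaded and old and new directives are mixed in the same scope. To check the rule, request /wp-login.php from an address that is not on the list (a phone on mobile data works well) and expect a 403 Forbidden, then request it from an allowed address and expect the normal login form. If both requests succeed, the most likely causes are that the directives are not permitted by AllowOverride, or that the site is behind a proxy and Apache is seeing the proxy's address; mod_remoteip's RemoteIPHeader can only be set in the main server or virtual host configuration, not in .htaccess.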