How To Secure WordPress Admin Login Page
The WordPress dashboard is where you make changes to your website, so it is important to protect it. One way to do this is to limit access to the WordPress dashboard login page so that unauthorised access is prevented.
There are two ways to restrict access to your WordPress dashboard:
- Secure a backup of WordPress website files.
- Secure a backup of WordPress database SQL file.
- Check the details of the new version and make sure that it is compatible with the current WordPress version you are using.
Limit Access by IP address
The instructions below apply if you have a static IP address (one that does not change).
- Log in to cPanel or connect to your FTP.
- Click the File Manager button under the Files category. Skip this step if you’re using an FTP connection.

- Access your WordPress website files and right-click the .htaccess file. If there’s no existing .htaccess file yet, create one by following the instructions on how to set up mod rewrite for WordPress.
TIP:
- The main domain’s website files are in the public_html folder.
- An addon domain’s website files are in the addon directory.
- A subdomain’s website files are in the subdomain’s directory.
- Click Edit.

- Copy the code below.
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123.123.123.123$
RewriteRule ^(.*)$ - [R=403,L]
- Paste it right below the line RewriteBase / as shown in the screenshot below:

The code inside the box is the code copied from Step 5.
- Replace 123.123.123.123 with your IP address. Follow this link to get your IP address. If you need to allow access from multiple IP addresses, add the line below for each IP address.
RewriteCond %{REMOTE_ADDR} !^123.123.123.123$
The text editor should look like what is shown in the screenshot below when setting up multiple IP addresses.

- Click the Save Changes button.

The WordPress admin login page is now accessible only from the IP addresses listed in the .htaccess file.
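An added example, not part of the original article: a Python sketch that builds the rule block above for several addresses (validating each one and escaping its dots) and models how the conditions combine, so you can see which requests the rule answers with 403. The addresses and sample requests are constructed, `build_rules` and `is_blocked` are hypothetical helper names, and the model approximates mod_rewrite's matching rather than running Apache itself.

```python
import ipaddress
import re

# URI patterns copied from the page's two REQUEST_URI conditions.
LOGIN_URI = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^(.*)?wp-admin$")

ALLOWED = ["203.0.113.10", "198.51.100.25"]  # constructed documentation addresses
SAMPLES = [  # constructed (REQUEST_URI, REMOTE_ADDR) pairs
    ("/wp-login.php", "192.0.2.44"),
    ("/wp-login.php", "198.51.100.25"),
    ("/wp-admin", "192.0.2.44"),
    ("/wp-admin/", "192.0.2.44"),
    ("/index.php", "192.0.2.44"),
]


def build_rules(allowed_ips):
    """Render the page's rule block with one REMOTE_ADDR condition per IPv4 address."""
    lines = [
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]",
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$",
    ]
    for ip in allowed_ips:
        addr = ipaddress.IPv4Address(ip)  # ValueError on a typo such as 203.0.113.300
        # Escape the dots so each matches a literal "." rather than any character.
        lines.append("RewriteCond %{REMOTE_ADDR} !^" + re.escape(str(addr)) + "$")
    lines.append("RewriteRule ^(.*)$ - [R=403,L]")
    return "\n".join(lines)


def is_blocked(uri, remote_addr, allowed_ips):
    """Model the rule: (login OR admin URI) AND the client matches no allowed address."""
    uri_matches = bool(LOGIN_URI.search(uri) or ADMIN_URI.search(uri))
    ip_allowed = any(re.fullmatch(re.escape(ip), remote_addr) for ip in allowed_ips)
    return uri_matches and not ip_allowed


if __name__ == "__main__":
    print(build_rules(ALLOWED))
    for uri, addr in SAMPLES:
        verdict = "403" if is_blocked(uri, addr, ALLOWED) else "passed on"
        print(f"{addr:15} {uri:15} {verdict}")
```

In the sample output, `/wp-admin/` (with a trailing slash) is passed on because the page's second pattern ends in `wp-admin$`. After saving the .htaccess file, test the paths you care about on your own site from an address that is not on the list.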
Limit Access to No Referrer Requests
This option applies if your IP address changes from time to time. It stops unwanted scripts from compromising your WordPress admin login by only allowing requests that come via the WordPress admin URL or your domain name.
- Log in to cPanel or connect to your FTP.
- Click the File Manager button under the Files category. Skip this step if you’re using an FTP connection.

- Access your WordPress website files and right-click the .htaccess file. If there’s no existing .htaccess file yet, create one by following the instructions on how to set up mod rewrite for WordPress.
TIP:
- The main domain’s website files are in the public_html folder.
- An addon domain’s website files are in the addon directory.
- A subdomain’s website files are in the subdomain’s directory.
- Click Edit.

- Copy the code below.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .*/(wp-comments-post|wp-login)\.php.*
RewriteCond %{HTTP_REFERER} !.*yourdomain.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]
- Replace yourdomain.com with the domain/subdomain of your website.
- Paste it right below the line RewriteBase / as shown in the screenshot below.

- Click the Save Changes button.

WordPress admin login requests are now limited to those that come via your domain name.
Do not hesitate to contact our Singapore or Australia Support Team if you have further questions.