How to Secure WordPress Admin Login Page

The WordPress dashboard is where you make changes to your website, so it is important to protect it. One way to do this is to limit access to the WordPress dashboard login page so that unauthorised access is prevented.

There are two ways to apply a restriction to your WordPress dashboard: limiting access by IP address, and limiting access to no-referrer requests.

Important Note: Make sure this process is done overnight, when the fewest visitors are expected on the website. Complete the preparations listed below before applying changes to your website:

  • Secure a backup of WordPress website files. 
  • Secure a backup of WordPress database SQL file. 
  • Check the details of the new version and make sure that it is compatible with the current WordPress version you are using.

Limit Access by IP address 

The instructions below are applicable if you have a static IP address (one that does not change).

Step 1. Log in to cPanel or connect to your FTP.

Step 2. Click the File Manager button under the Files category. Skip this step if you’re using an FTP connection.

File Manager Button in cPanel

Step 3. Access your WordPress website files and right-click on the .htaccess file. If there’s no existing .htaccess file yet, create one by following the instructions on how to set up mod rewrite for WordPress.

Step 4. Click Edit. 

Edit .htaccess Option in File Manager

Step 5. Copy the code below.

RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123.123.123.123$
RewriteRule ^(.*)$ - [R=403,L]

Step 6. Paste it right below the line RewriteBase / as shown in the screenshot below.  

.htaccess Limit Access to an IP Code

The lines inside the box are the ones copied from Step 5.

Step 7. Replace 123.123.123.123 with your IP address. Follow this link to get your IP address. If you need to allow access to multiple IP addresses, add the line below for each IP address.

RewriteCond %{REMOTE_ADDR} !^123.123.123.123$

The text editor should look like what is shown in the screenshot below when setting up multiple IP addresses.  

Limit Access to Multiple IP Addresses

Step 8. Click the Save Changes button.

Save Change Button for .htaccess File

The WordPress admin login page is now accessible only from the IP addresses listed in the .htaccess file.
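To check which requests the rules from Steps 5 and 7 will reject before saving the file, the sketch below models how Apache evaluates the RewriteCond chain: conditions are ANDed, and [OR] joins a condition to the one after it. It is an added example, not part of the original article; the IP addresses and request paths are constructed samples and the function names are hypothetical.

```python
import re

# URI conditions copied from Step 5: (variable, pattern, negated, or_next).
URI_CONDS = [
    ("REQUEST_URI", r"^(.*)?wp-login\.php(.*)$", False, True),   # [OR]
    ("REQUEST_URI", r"^(.*)?wp-admin$", False, False),
]

def ip_cond(ip):
    # One Step 7 line per allowed address: RewriteCond %{REMOTE_ADDR} !^<ip>$
    # re.escape makes each dot match only a literal dot.
    return ("REMOTE_ADDR", "^" + re.escape(ip) + "$", True, False)

def chain_matches(conds, request):
    """Model of a RewriteCond chain: ANDed by default, [OR] joins to the next."""
    i = 0
    while i < len(conds):
        var, pattern, negated, or_next = conds[i]
        ok = (re.search(pattern, request[var]) is not None) != negated
        if ok:
            # A true condition satisfies its whole OR group; skip the rest of it.
            while i < len(conds) and conds[i][3]:
                i += 1
            i += 1
        elif or_next:
            i += 1          # false, but an alternative follows
        else:
            return False    # false with no alternative: the rule does not fire
    return True

def is_blocked(uri, remote_addr, allowed_ips):
    """True if the rule would answer this request with 403."""
    conds = URI_CONDS + [ip_cond(ip) for ip in allowed_ips]
    return chain_matches(conds, {"REQUEST_URI": uri, "REMOTE_ADDR": remote_addr})

if __name__ == "__main__":
    allowed = ["203.0.113.10", "198.51.100.24"]   # constructed sample addresses
    samples = [                                    # constructed sample requests
        ("/wp-login.php", "203.0.113.10"),
        ("/wp-login.php", "198.51.100.24"),
        ("/wp-login.php", "192.0.2.77"),
        ("/wp-admin", "192.0.2.77"),
        ("/wp-admin/", "192.0.2.77"),
        ("/index.php", "192.0.2.77"),
    ]
    for uri, addr in samples:
        verdict = "403" if is_blocked(uri, addr, allowed) else "pass"
        print(f"{addr:15} {uri:15} {verdict}")
```

In the output, `/wp-admin/` passes the rule because the second pattern ends at `wp-admin`; the login form itself, `wp-login.php`, is what the rule rejects for unlisted addresses.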

Limit Access to No Referrer Requests 

This option is applicable if your IP address changes from time to time. This process prevents unwanted scripts from compromising your WordPress admin login and only allows requests that come via the WordPress admin URL or your domain name. Because the check relies on the Referer and User-Agent headers that the client sends, it filters simple automated scripts rather than identifying who is logging in.

Step 1. Log in to cPanel or connect to your FTP.

Step 2. Click the File Manager button under the Files category. Skip this step if you’re using an FTP connection.

File Manager Button in cPanel

Step 3. Access your WordPress website files and right-click on the .htaccess file. If there’s no existing .htaccess file yet, create one by following the instructions on how to set up mod rewrite for WordPress.

Step 4. Click Edit. 

Edit .htaccess Option in File Manager

Step 5. Copy the code below. 

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .*/(wp-comments-post|wp-login)\.php.*
RewriteCond %{HTTP_REFERER} !.*yourdomain.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]

Step 6. Replace yourdomain.com with the domain/subdomain of your website.  

Step 7. Paste it right below the line RewriteBase / as shown in the screenshot below. 

Add No Referrer Codes to .htaccess

Step 8. Click the Save Changes button. 

Save Change Button for .htaccess File

WordPress admin logins are now limited to requests that come through your domain name.

Tip: Plugins can also be used to apply these limitations. Here are some plugins to try

Do not hesitate to contact our Singapore or Australia Support Team if you have further questions. 
