WP-Mix

A fresh mix of code snippets and tutorials

Secure WordPress Login Page

If you try to log in to some of my WordPress-powered sites via the WP Login Page, you will be met with a 403 “Forbidden” response. For sites where I am the only registered user, I lock things down to prevent endless waves of drip force attacks. It really helps to reduce server load, conserve memory, and keep things extra secure (along with super-strong passwords).

Allow access ONLY for your IP address

The idea is simple: deny all IP addresses (everyone) and then explicitly allow access to only one (or more) IPs. Using this technique over the years, I have blocked hundreds of thousands if not millions of brute-force attacks and other nefarious exploits.

So use a free online tool to grab your IP address, and then plug it into the following Apache/.htaccess code (both locations):

<Files wp-login.php>
	# Apache <= 2.2
	<IfModule authz_core_module>
		Require ip 93.184.216.34
	</IfModule>
	# Apache 2.4+
	<IfModule !authz_core_module>
		Order Deny,Allow
		Deny from all
		Allow from 93.184.216.34
	</IfModule>
</Files>

How it works: this code first checks to see if the current request is for wp-login.php, i.e., the WordPress Login Page. If so, then the code checks your version of Apache and executes whichever rules are supported. Either way, the result is that everyone will be denied access to the Login Page except for the specified IP address.

Usage

Before adding this code, make sure to replace the IP address 93.184.216.34 (example.com) with your own. And if you want to be extra extra secure, escape each dot . with a backslash like so:

93\.184\.216\.34

Otherwise, left unescaped, the dots act as wildcard that match any character. Either way, in addition to this “secure login” technique, remember to always use super-strong passwords for all users.

Also: This code should be placed in the .htaccess file that is located in the same directory as wp-login.php. Technically you only need one or the other <IfModule> rule blocks, depending on your version of Apache; but if you don’t know that’s fine: just add the entire code snippet and you’re good to go. Apache is smart and will use whichever rules it understands. Here is more information and tips about access control for Apache 2.4 and 2.2.

Remember to test thoroughly after implementing this technique.

Allowing multiple IP addresses

To allow more than one IP address, should look like this:

<Files wp-login.php>
	# Apache <= 2.2
	<IfModule authz_core_module>
		Require ip 111.222.000
		Require ip 222.111.000
		Require ip 121.121.121
	</IfModule>
	# Apache 2.4+
	<IfModule !authz_core_module>
		Order Deny,Allow
		Deny from all
		Allow from 111.222.000
		Allow from 222.111.000
		Allow from 121.121.121
	</IfModule>
</Files>

Remember to replace the IP addresses in this example with the IPs that you want to allow access to the WP Login Page. And as explained previously, you can escape each of the dots to make the pattern match (regex) ever more precise.

Learn more

WordPress Themes In Depth