Secure access to WordPress admin using .htaccess


Introduction

Access to your WordPress administrator section can be restricted to specific IP addresses by adding rules to the website's .htaccess file, which is located in the public_html folder. The rules compare the address the web server sees for each visitor (REMOTE_ADDR) against a list of permitted addresses. If your site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's address rather than the visitor's, and the rules below will not work as intended.

Requests for the login page and the admin area from any other address are rejected with a 403 before WordPress runs, which mitigates brute force attacks against the administrator credentials. It does not cover xmlrpc.php, which also accepts credentials. Be aware that the rules will also lock you out if your own address changes (for example on a home connection with a dynamic IP); if that happens, remove or update the rule through file manager or SSH.

Accessing the .htaccess file

You can access the .htaccess file by either:

  • Using 'file manager' in cPanel to navigate to the file and selecting Edit
  • SSH - If you have SSH access then you can edit the file using a text editor such as vim

If you do not see the .htaccess file in file manager please refer to this article:
https://help.serversaustralia.com.au/hc/en-us/articles/202885560-Understanding-Hidden-Files

Restricting access to one IP address

Add the following rule to your .htaccess file, replacing " 999\.999\.999\.999 " with your own IP address, including the backslashes before the full stops, e.g. 221\.121\.55\.145. The pattern is a regular expression, so an unescaped full stop would match any character, and the leading ^ and trailing $ must stay: without them, 221\.121\.55\.14 would also match 221.121.55.145.

The wp-admin condition matches anything under /wp-admin/ (the dashboard is served from /wp-admin/ and /wp-admin/*.php, not from the bare path /wp-admin). The exception for admin-ajax.php is needed because many themes and plugins call it for ordinary, logged-out visitors.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
# admin-ajax.php is used by front-end code for anonymous visitors; keep it reachable
RewriteCond %{REQUEST_URI} !admin-ajax\.php
RewriteCond %{REMOTE_ADDR} !^999\.999\.999\.999$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Restricting access to multiple IP addresses

Add the following rule to your .htaccess file, with one RewriteCond %{REMOTE_ADDR} line per address, replacing each " 999\.999\.999\.999 " with one of your own IP addresses, including the backslashes before the full stops, e.g. 221\.121\.55\.145. The address conditions are combined with AND, so a request is blocked only when the visitor's address matches none of the listed ones.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
# admin-ajax.php is used by front-end code for anonymous visitors; keep it reachable
RewriteCond %{REQUEST_URI} !admin-ajax\.php
RewriteCond %{REMOTE_ADDR} !^999\.999\.999\.999$
RewriteCond %{REMOTE_ADDR} !^999\.999\.999\.999$
RewriteCond %{REMOTE_ADDR} !^999\.999\.999\.999$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
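The following Python script is an added example, not part of the original article or of Apache or WordPress. It generates the .htaccess block for one or more addresses (covering both the single-address and multiple-address sections above), escaping the full stops and rejecting invalid addresses such as the 999.999.999.999 placeholder, and it re-implements mod_rewrite's RewriteCond evaluation (AND between lines, [OR] joining a line with the next, a leading ! negating the match, unanchored regular-expression matching) so you can check which requests would be blocked before uploading the file. The addresses 203.0.113.x and 198.51.100.x are documentation ranges used as constructed sample input; the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample allowlist (documentation range, not a real client).
ADMIN_IPS = ["203.0.113.10"]


def valid_ipv4(ip):
    """True for a syntactically valid IPv4 address (999.999.999.999 is not one)."""
    try:
        ipaddress.IPv4Address(ip)
        return True
    except ValueError:
        return False


def escape_ip(ip):
    """Validate an address and escape it for a RewriteCond pattern.

    The pattern is a regular expression, so each '.' becomes '\\.';
    otherwise 1.2.3.4 would also match 1x2y3z4.
    """
    return str(ipaddress.IPv4Address(ip)).replace(".", r"\.")


def htaccess_block(allowed_ips):
    """Build the .htaccess block with one negated RewriteCond per address.

    The ^ and $ anchors matter: without them the condition for
    203.0.113.10 would also let 203.0.113.100 through.
    """
    ip_conds = [
        "RewriteCond %{REMOTE_ADDR} !^" + escape_ip(ip) + "$" for ip in allowed_ips
    ]
    lines = [
        "<IfModule mod_rewrite.c>",
        "RewriteEngine on",
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]",
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$",
        # admin-ajax.php is called by front-end themes/plugins for anonymous visitors
        r"RewriteCond %{REQUEST_URI} !admin-ajax\.php",
        *ip_conds,
        "RewriteRule ^(.*)$ - [R=403,L]",
        "</IfModule>",
    ]
    return "\n".join(lines) + "\n"


# Same block, but with the wp-admin condition ending in "wp-admin$": that
# only matches a URI ending exactly in "wp-admin", so /wp-admin/ and
# /wp-admin/*.php (where the dashboard actually lives) slip past it.
LOOSE_BLOCK = htaccess_block(ADMIN_IPS).replace(
    r"^(.*)?wp-admin(.*)$", r"^(.*)?wp-admin$"
)

_COND = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([\w,]+)\])?$")


def is_blocked(block, request_uri, remote_addr):
    """Evaluate the RewriteCond chain the way mod_rewrite does.

    Conditions are ANDed unless a line carries [OR], which ORs it with the
    following line; a leading '!' negates the match; patterns are unanchored
    regular expressions (re.search), as in Apache. Because the RewriteRule
    pattern ^(.*)$ matches every request, the conditions alone decide.
    """
    env = {"REQUEST_URI": request_uri, "REMOTE_ADDR": remote_addr}
    groups, current = [], []
    for line in block.splitlines():
        m = _COND.match(line.strip())
        if not m:
            continue  # RewriteEngine, RewriteRule, comments, IfModule
        var, pattern, flags = m.groups()
        negate = pattern.startswith("!")
        pattern = pattern[1:] if negate else pattern
        matched = re.search(pattern, env[var]) is not None
        current.append(matched != negate)
        if "OR" not in (flags or "").split(","):
            groups.append(current)   # end of an OR-group; groups are ANDed
            current = []
    if current:
        groups.append(current)
    return all(any(g) for g in groups)


if __name__ == "__main__":
    block = htaccess_block(ADMIN_IPS)
    print(block)
    for uri, ip in [("/wp-login.php", "203.0.113.10"),
                    ("/wp-login.php", "198.51.100.7"),
                    ("/wp-admin/edit.php", "203.0.113.100"),
                    ("/wp-admin/admin-ajax.php", "198.51.100.7")]:
        verdict = "403" if is_blocked(block, uri, ip) else "allowed"
        print(f"{ip:>15} {uri:<26} -> {verdict}")
```

Run it as-is to print the generated block and the verdicts for the sample requests; pass your own addresses to htaccess_block() and paste its output into .htaccess. The simulator uses Python's re rather than Apache's PCRE, which agree for the simple patterns used here, but it is a check of the logic only: confirm the result on the live site with a request from a non-listed address afterwards.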
