How to deny access to admin login page in WordPress?

---

Many of you who use WordPress sites are probably having problems with attempted brute force attacks on wp-login.php page on your site back-end. Even if you don’t have that kind of problems, it’s better to tighten your security then to leave back-end for everyone to see.

I will show you a way to allow only your IP to access the site, if you are using a firewall like CSF then you will be protected (if it’s configured correctly), but if you are not using any firewall you have two options:

1. To go for a plugin which will help you block access to wp-login area or to hide that area – but using plugin is not so smart and often it can be a burden for your resources (especially if you have a lot of plugins), my policy is, the less things you can do without the plugin – the better.

2. To add a rule to your .htaccess file which will block any traffic to your wp-login page except the IP address which you allow – assuming that you use Apache web server, if you use Nginx – please continue with reading – I will also explain procedure for Nginx.

How to deny access to wp-login if you are using Apache?

---

So, assuming that you decided to follow my advice and that you are using Apache web server here is what you need to do:

Locate your .htaccess file – it is in public directory of your site – it’s often set as hidden if you use FTP manager from Cpanel – so you will have to locate and check the option to show you hidden files.

When you located your .htaccess file – make a copy of it, download to your computer or just rename a copy, that is a wise precaution if you make some mistake by accident. If you are using FTP access from Cpanel it has its own editor, but if you are using some other tools for FTP access, like FileZilla or WinSCP then I recommend to get Sublime or Notepad++ text editors.

When you finally open .htaccess file – go to last line and add this code:

# block wp-login access
 <Files wp-login.php>
 order deny,allow
 Deny from all
 # whitelist desired IPs
 allow from xx.xxx.xxx.xx
 allow from xxx.xx.xxx.xx
 </Files>

Just replace x-es with numbers from IP address for which you want to allow wp-login access. It’s simple and easy.

How to deny access to wp-login if you are using Apache and CloudFlare?

---

This is all nice but what if some of you are using CloudFlare? Then this will not work for you, it will not accept that syntax. But no worries – I have the solution, instead of that code, insert this one:

# block access to wp-login if you are using CloudFlare
 <Files admin-ajax.php>
 SetEnvIf X-FORWARDED-FOR xx.xxx.xxx.xx allow
 SetEnvIf X-FORWARDED-FOR xxx.xxx.xxx.xxx allow
 order deny,allow
 deny from all
 allow from env=allow
 </Files>

As previously being said, just replace x with numbers from desired IP address and voila.

How to deny access to wp-login if you are using Nginx?

---

With that previously shown we covered Apache, but what if you are using Nginx web server instead of Apache – no worries, here is what you need to do:

You need to locate nginx configuration file, on most servers it’s in /etc/nginx/nginx.conf

Make a copy of it and rename it or save it into your computer, because you can accidentally break something, so you need a way to restore it in that case.

Open file and locate your server block – pay attention to brackets, and inside the server block paste this code:

location ~ ^/(wp-admin|wp-login.php) {
allow xx.xx.xx.xx;
deny all;
}

After you done that, input desired IP address there, save the file and don’t forget to reload nginx for changes to apply. If you have server access use this command:

service nginx reload

P.S. If you are using shared hosting – you will not have access to this command – I’m sorry but that is what you get for using shared hosting.

I hope that you learned something new from this article, if you have something to add - comment section awaits :)