HOW TO HIDE YOUR WORDPRESS LOGIN PAGE

 

Want to frustrate hackers with a good ol' fashioned game of hide and seek? If so, hiding your WordPress login page is a great way to secure your site from both targeted hacks and automated brute-force attacks.

 

The easy, yet less secure way is using a plugin
The harder, yet way more secure way is using tried and true .htaccess

 

So let’s get started.

 

WHY SHOULD YOU CARE ABOUT HIDING WP-LOGIN.PHP, ANYWAY?

Brute-force attacks!

 

In a brute-force attack, hackers basically try to guess your username and password over and over. And over. And over. They’re hoping that, with enough tries, they’ll find the magic combination. Now I think you’re seeing where hiding the login page comes into it… if you hide your login page, there’s nowhere for hackers to run their brute-force attack.

 

But it’s not just about brute-force attacks. The .htaccess methods that I’ll discuss at the end also protect you from the situation where a hacker actually gets their hands on your username/password from the start.

 

Without Further Ado...

HOW TO HIDE WORDPRESS LOGIN BY IP ADDRESS WITH .HTACCESS

 

Did you know you can use .htaccess to hide your WordPress login page (wp-login.php) simply by restricting it by IP address? Anyone with an authorized IP address will see your normal WordPress login page, but everyone else will see Access Denied (a 403 response)!

 

This is a good method if you have a static IP address and not many other people need to access your site. Otherwise, you’re better off going with an .htpasswd approach.

 

To set it up, all you need to do is add the following bit of code to the top of your .htaccess file. Again, you can find your .htaccess file in the root directory of your WordPress site:

 

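# Turn on the rewrite engine
RewriteEngine on
# Match requests for wp-login.php ...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
# ... or for a URI that ends in wp-admin
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ... that do NOT come from the allowed IP address
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
# Answer those requests with 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]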

 

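Just make sure to replace the 123\.123\.123\.123 in “!^123\.123\.123\.123$” with the numbers of your IP address. Keep the leading !^, the trailing $ and the backslash in front of each dot, so that only your exact address matches. You can find your IP address by going here: What is my IP.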

 

Need to allow multiple IP addresses access to your site? No problem! Just add a new line for each address. For example, to give a second IP address access, it would look like this:

 

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# One line per allowed address; a request is blocked only if it matches none of them
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^223\.223\.223\.223$
RewriteRule ^(.*)$ - [R=403,L]

 

HAH! Your login page is now hidden from anyone with a non-authorized IP address.