Protecting WordPress admin area

Mar 19, 2009

In my WordPress admin I saw that Sergej Müller and Alex Frison had written an article about protecting the WordPress admin area, in which they linked to my htpasswd generator. I have only skimmed through the article, but they give some good suggestions on how to protect your WordPress admin from unwanted intruders such as hackers. My own simple approach is to only allow known IPs to access the wp-admin directory. Here is how I do it with .htaccess:

# .htaccess for the wp-admin directory: deny every client, then allow only the listed IP
Order Deny,Allow
Deny from all
Allow from 80.80.80.80

Just change “80.80.80.80” to your IP. You can find your IP on my browser check page, just look for “Remote Address”. You can of course add another “Allow from” line to the code above if you want to use the WordPress admin from multiple computers.

Categories: htaccess, Wordpress

6 Responses so far

  1. PiterKokoniz
    April 8th, 2009 at 17:39 #

    Hi !! 🙂
    My name is Piter Kokoniz. Just want to tell, that your blog is really cool
    And want to ask you: will you continue to post in this blog in future?
    Sorry for my bad english:)
    Tnx!
    Your Piter

  2. Andreas
    April 8th, 2009 at 18:26 #

    Yeah, of course I will 🙂 When I write a new htaccess article or add a new generator I will make a blog post about it.

  3. Brendan
    July 28th, 2009 at 11:30 #

    Hi, sorry to put this here, but your article http://www.htaccesstools.com/articles/htaccess-redirect/ has a redirect loop in it.
    The section:
    RewriteEngine on
    RewriteCond %{HTTP_HOST} mydomain.com [NC]
    RewriteRule ^(.*)$ http://www.mydomain.com/$1 [R=301,L]

    should be

    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^mydomain.com$ [NC]
    RewriteRule ^(.*)$ http://www.mydomain.com/$1 [R=301,L]

    otherwise %{HTTP_HOST} mydomain.com [NC] will match on both the www. and the non www.

  4. Brie
    March 31st, 2010 at 10:05 #

    Since I’ve discovered the command line tool ‘htpasswd’, I’ve stuck with that and never gone back. For people who work largely or exclusively via SSH, it’s a no-brainer!


    Brie

  5. Crack
    October 31st, 2011 at 17:41 #

    I’ll use my IP address to protect my admin dir, but I have a dynamic IP address.

    Without any tests;

    Order Deny,Allow
    Deny from all
    allow from 80.80.*.*

    This could work, or? What do you think – do you have any ideas?
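
Added example (not part of the original post or its comments): a small Python audit that lists every `Allow from` entry in an .htaccess file, names which of the address forms Apache documents for that directive it uses (full IP, partial IP, network/netmask, CIDR), and counts how many IPv4 addresses the entry admits. The sample file and the helper names `classify` and `audit` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample .htaccess in the Order/Deny/Allow syntax used on this page.
SAMPLE = """\
Order Deny,Allow
Deny from all
Allow from 80.80.80.80
allow from 80.80.*.*
Allow from 80.80
Allow from 80.80.0.0/255.255.0.0
Allow from 80.80.80.0/24
"""

def classify(spec):
    """Return (form, network) for one 'Allow from' argument (hypothetical helper)."""
    if spec.lower() == "all":
        return "all", ipaddress.ip_network("0.0.0.0/0")
    if "*" in spec:
        return "wildcard, not a documented address form", None
    try:
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}", spec):
            # Partial IP: the first 1-3 octets select a whole /8, /16 or /24.
            octets = spec.split(".")
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            return "partial IP", ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
        net = ipaddress.ip_network(spec, strict=False)  # full IP, netmask or CIDR
    except ValueError:
        return "hostname or other", None
    return ("single IP" if net.num_addresses == 1 else "network range"), net

def audit(htaccess_text):
    """Return (spec, form, addresses_admitted) per entry; None means not countable."""
    results = []
    for line in htaccess_text.splitlines():
        m = re.match(r"\s*allow\s+from\s+(.+)", line, re.IGNORECASE)
        if not m:
            continue
        for spec in m.group(1).split():
            form, net = classify(spec)
            results.append((spec, form, net.num_addresses if net else None))
    return results

if __name__ == "__main__":
    for spec, form, count in audit(SAMPLE):
        shown = count if count is not None else "n/a"
        print(f"{spec:26} {form:40} admits {shown} addresses")
```

A two-octet entry such as `80.80` opens the directory to 65,536 addresses, so an allowlist widened for a dynamic IP is best paired with password protection on the same directory.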

  6. any260290
    January 8th, 2016 at 23:55 #

    With the recent brute force attacks against WordPress, here’s a quick tip to add an additional layer of security to your WordPress admin pages.
