WordPress – How to use htaccess to protect the wp-admin directory

As a WordPress administrator, one of the simplest things you can do to protect your website is to lock down the ‘wp-admin’ directory so that all access is rejected except from you.

This can be done quite easily using .htaccess. If you’re unfamiliar with .htaccess, it’s a file which can be placed in any directory and tells your Apache web server (assuming that’s what you’re using, but it is the most common type) what to do with the content, such as who can access it.

To do this you will need access to the folders and files on your server, for example through cPanel or FTP.

  1. The first step is to know your IP range. The quickest way is to either Google "what is my IP" or go to www.whatismyip.com. This will tell you what your public IP address is: the address your network uses to connect to the Internet, and the one the WordPress installation sees when you log in.
  2. In this example I will pretend my IP address is 192.168.0.1.
  3. The next step is to create a blank text file and call it .htaccess, that is, dot htaccess with no spaces.
  4. Open the file and add the following content:
<Limit GET POST>
  order deny,allow
  deny from all
  allow from 192.168.0.
</Limit>

This does two things: it tells Apache to DENY first and then ALLOW as you define, and it sets the IP address range that is allowed.

Notice that the last number of the address is left off. That is because on my network I will always be in that range. You may choose to make it less specific, such as 192.168. (with the dot at the end), or you may want to add a line for each range you use.

You may also need to add to this list for other networks you use, such as your home and work networks. This is done by adding another line, for example:

allow from 10.0.0.

Save your changes and add the file to the /wp-admin folder. Make sure the file is called .htaccess. The folder will look like this:

[Image: WordPress-htaccess1]

Now whenever someone tries to access the wp-admin page they will receive the following error message, and will not be able to brute force your admin console!

[Image: WordPress-htaccess2]
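
The same rule in Apache 2.4 syntax, as an added example that is not part of the original post: `Require ip` replaces the `order`/`deny`/`allow` directives (which 2.4 only accepts through mod_access_compat), and leaving out the `<Limit GET POST>` wrapper makes the restriction apply to every request method. The IP ranges are the sample values used above; the `admin-ajax.php` exception is an assumption about sites whose public pages rely on WordPress AJAX.

```apache
# wp-admin/.htaccess for Apache 2.4 (mod_authz_core).
# Assumption: the server config permits "AllowOverride AuthConfig" for this directory,
# otherwise these directives cause an error instead of being applied.

# No <Limit> wrapper: the rule covers every HTTP method, not only GET and POST.
# A request is allowed if it matches ANY of the listed ranges; everything else gets 403.
<RequireAny>
    # Sample range from the article (equivalent to "allow from 192.168.0.")
    Require ip 192.168.0.0/24
    # Second sample range from the article (equivalent to "allow from 10.0.0.")
    Require ip 10.0.0.0/24
</RequireAny>

# Assumption: a theme or plugin calls wp-admin/admin-ajax.php from public pages.
# This block re-opens that one file to all visitors; delete it if the
# front end of the site does not use it.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Keep in mind that wp-login.php lives in the WordPress root rather than in wp-admin, so a file placed in wp-admin does not cover the login form itself.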