How to protect wp-admin directory using htaccess

If pretty sure most of you who use WordPress knows that there are 1 important directory and 1 important files that can be accessed by anyone (assuming that you don’t have any plugins that record, disallow them from being accessed) called wp-admin and wp-login.php. And if you’ve been wondering on how to prevent / restrict access to that directory to yourself only, perhaps this simple guide can help you with that

Here’s the code that you should be copy paste to your root .htaccess file (where wp-login.php exist). And also as a note, i didn’t put any IfModule check here, so if you get 500 Internal Server Error after putting below code to your .htaccess file that means your hosting doesn’t allow you to use mod_rewrite. But if you’re able to use custom permalink on your WordPress site, that means mod_rewrite is enabled so you can use below code without problem ALSO this is designed for one man site only (in other words you block access from everyone else other than you to your WordPress dashboard), so make sure to adjust it accordingly if you allowed anyone else

# Redirect wp-admin and wp-login to specified address if not from specific ip
# Btw you're free to add additional directory as you see fit
# Note: This'll break your site if you have plugins/themes that depend on accessing admin-ajax.php
RewriteCond %{REQUEST_URI} wp-login|wp-admin
RewriteCond %{REMOTE_ADDR} !^123.456.789.
RewriteRule . [R,L]

# Or .. if you prefer to return 404 Not found instead of redirecting it, use below code instead
RewriteCond %{REQUEST_URI} wp-login.php|wp-admin
RewriteCond %{REMOTE_ADDR} !^123.456.789.
RewriteRule . - [R=404,L]

As an added bonus, because most webhosting enable autoindex by default (that can allow other to browse your directory structure if you don’t have index file defined), i’d suggest you to add below code to your .htaccess too

Options -Indexes


Note: Comment may not appear right away.

21 thoughts on “How to protect wp-admin directory using htaccess

  1. I am actually pleased to read this webpage posts which carries lots of valuable facts, thanks for providing these statistics.

  2. Hello There. I found your weblog the usage of msn.
    This is an extremely smartly written article. I will be sure to bookmark it and come back to read extra of your useful information.
    Thanks for the post. I’ll definitely return.

  3. If you have 2 or more people authoring the blog in multiple IPs, for tip #3 above, you can add multiple IPs with the htacess OR operator, for example:

    RewriteCond %{REMOTE_ADDR} !^70\.30\.200\.40|

  4. Thanks a lot! My wordpress was recently hacked, now I have upgraded to the latest release and done all your suggestions. I hope this helps