How to protect wp-admin directory using htaccess

If pretty sure most of you who use Wordpress knows that there are 1 important directory and 1 important files that can be accessed by anyone (assuming that you don’t have any plugins that record, disallow them from being accessed) called wp-admin and wp-login.php. And if you’ve been wondering on how to prevent / restrict access to that directory to yourself only, perhaps this simple guide can help you with that

Here’s the code that you should be copy paste to your root .htaccess file (where wp-login.php exist). And also as a note, i didn’t put any IfModule check here, so if you get 500 Internal Server Error after putting below code to your .htaccess file that means your hosting doesn’t allow you to use mod_rewrite. But if you’re able to use custom permalink on your Wordpress site, that means mod_rewrite is enabled so you can use below code without problem ALSO this is designed for one man site only (in other words you block access from everyone else other than you to your Wordpress dashboard), so make sure to adjust it accordingly if you allowed anyone else

# Redirect wp-admin and wp-login to specified address if not from specific ip
# Btw you're free to add additional directory as you see fit
# Note: This'll break your site if you have plugins/themes that depend on accessing admin-ajax.php
RewriteCond %{REQUEST_URI} wp-login|wp-admin
RewriteCond %{REMOTE_ADDR} !^123.456.789.
RewriteRule . [R,L]

# Or .. if you prefer to return 404 Not found instead of redirecting it, use below code instead
RewriteCond %{REQUEST_URI} wp-login.php|wp-admin
RewriteCond %{REMOTE_ADDR} !^123.456.789.
RewriteRule . - [R=404,L]

As an added bonus, because most webhosting enable autoindex by default (that can allow other to browse your directory structure if you don’t have index file defined), i’d suggest you to add below code to your .htaccess too

Options -Indexes

Leave a comment


  1. Alexandria Apr 15, 2014 at 4:20 PM

    I am actually pleased to read this webpage posts which carries lots of valuable facts, thanks for providing these statistics.

  2. strength workout routines Sep 9, 2013 at 5:09 PM

    Hello There. I found your weblog the usage of msn.
    This is an extremely smartly written article. I will be sure to bookmark it and come back to read extra of your useful information.
    Thanks for the post. I’ll definitely return.

  3. branchenbuch Oct 23, 2010 at 2:33 PM

    Hello. Great job. I did not expect this on a Wednesday. This is a great story. Thanks!

  4. TheahdimeLome Aug 16, 2010 at 9:54 AM

    i’m new… hope to brief nearly more regularly!

  5. John Apr 30, 2009 at 8:35 AM

    If you have 2 or more people authoring the blog in multiple IPs, for tip #3 above, you can add multiple IPs with the htacess OR operator, for example:

    RewriteCond %{REMOTE_ADDR} !^70\.30\.200\.40|

  6. mikle Aug 26, 2008 at 7:50 PM

  7. Martin Ankerl Jan 25, 2008 at 12:09 AM

    Thanks a lot! My wordpress was recently hacked, now I have upgraded to the latest release and done all your suggestions. I hope this helps

  8. Reaper-XReaper-X Sep 5, 2007 at 2:58 PM

  9. Jonathan Sep 5, 2007 at 3:24 AM

    Nice! A lot of useful tips here. And thanks for the link to the AskApache plugin.


  1. THE Ultimate Htaccess
  2. 'How To Guide' for securing WordPress and protecting websites. | MileHighTechGuy > Productivity Tools & Technology
  3. 26个用于Wordpress的 .htaccess 规则 - 候鸟博客
  4. New Plugin: Integrity for WordPress ↔ BraveNewCode Inc.
  5. ‘How To Guide’ for securing WordPress and protecting websites. | MileHighTechGuy
  6. How to Improve WordPress Security | Interconnect IT - WordPress Consultants, Web Development and Web Design
  7. A to Z of WordPress .htaccess Hacks |
  8. Ultimate .htaccess file Examples
  9. Installing a LAMP Server, with Wordpress, on Slicehost (and maybe elsewhere) « A Life of Constant Flux
  10. Installing a LAMP Server on Slicehost (and maybe elsewhere) « A Life of Constant Flux
  11. Reading list, Virtual online worlds and MMOGs
  12. My favorite WordPress Resources |

To reduce spam, if you're posting comment for the first time, it'll be moderated first. And if they aren't spam, subsequent comments will appear automatically. Also you may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>