Protect WordPress from unauthorized login attempts to wp-admin and wp-login

August 18, 2015 WordPress

Two months ago, I switched some of my websites to several new web hosting providers and noticed that, after a while, websites hosted with one particular provider were having problems with the wp-admin login page. It gave an HTTP 500 Internal Server Error. Websites hosted with the other providers remained working.

Here is the code I used in the .htaccess file in the wp-admin directory:

<LIMIT GET>
order deny,allow
deny from all
# whitelist this IP address
allow from xxx.xxx.xxx.xxx
</LIMIT>

To get things working again, the provider suggested putting the following code at the beginning of the .htaccess file in your domain root folder:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Replace xxx.xxx.xxx.xxx with your computer's IP address. Now things start working again. If you want to check that it works, change your IP and try to access the wp-admin login page; you will get an HTTP 403 Forbidden error.
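
To see which requests the root .htaccess rule blocks, this added example (not from the original post or the hosting provider) re-implements its three conditions in Python and runs them over constructed requests. The IP addresses are documentation-range placeholders, and the function and variable names are made up for the illustration.

```python
import re

# The two REQUEST_URI patterns from the root .htaccess rule above.
LOGIN_URI = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^(.*)?wp-admin$")

# Constructed placeholder addresses (documentation ranges), not from the post.
ALLOWED_IP = "203.0.113.10"
OTHER_IP = "198.51.100.7"


def decide(request_uri, remote_addr, allowed_ip=ALLOWED_IP):
    """Return 403 if the rule would fire, or None if the request passes through.

    mod_rewrite evaluates the conditions as (cond1 [OR] cond2) AND cond3.
    %{REQUEST_URI} is the path only, so the query string is dropped first.
    """
    path = request_uri.split("?", 1)[0]
    protected = bool(LOGIN_URI.search(path) or ADMIN_URI.search(path))
    # Same shape as !^xxx\.xxx\.xxx\.xxx$ : anchored, dots escaped, negated.
    ip_matches = re.search("^" + re.escape(allowed_ip) + "$", remote_addr)
    return 403 if protected and not ip_matches else None


# Constructed sample requests: (REQUEST_URI, REMOTE_ADDR).
SAMPLES = [
    ("/wp-login.php", OTHER_IP),
    ("/wp-login.php?action=lostpassword", OTHER_IP),
    ("/blog/wp-login.php", OTHER_IP),
    ("/wp-admin", OTHER_IP),
    ("/wp-admin/", OTHER_IP),
    ("/wp-admin/admin-ajax.php", OTHER_IP),
    ("/wp-login.php", ALLOWED_IP),
    ("/", OTHER_IP),
]


def coverage(samples=SAMPLES):
    """Map each sample request to the status the rule would produce."""
    return [(uri, ip, decide(uri, ip)) for uri, ip in samples]


if __name__ == "__main__":
    for uri, ip, status in coverage():
        print(f"{ip:<14} {uri:<36} {'403' if status else 'pass'}")
```

The /wp-admin/ and /wp-admin/admin-ajax.php rows pass because the second condition only matches URIs that end in wp-admin; the rule restricts the login form, not every file under that directory.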