Protect WordPress from unauthorized login attempts to wp-admin and wp-login

Two months ago, I switched some of my websites to several new web hosting providers, and noticed that after a while, websites hosted with one particular provider were having problems with the wp-admin login page. It gave an HTTP 500 Internal Server Error. Websites hosted with the other providers remained working.

Here is the code I used in the .htaccess file in the wp-admin directory:

<LIMIT GET>
order deny,allow
deny from all
# whitelist this IP address
allow from xxx.xxx.xxx.xxx
</LIMIT>

To get things working again, the provider suggested putting the following code at the beginning of the .htaccess file in the domain root folder:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Replace xxx.xxx.xxx.xxx with your computer's IP address, keeping the backslash before each dot. With this in place, things work again. To check that the rule works, change your IP and try to access the wp-admin login page; you will get an HTTP 403 Forbidden error.
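To see which requests the rule above covers before relying on it, the following added example (not part of the original post or the provider's code) re-implements its three RewriteCond patterns in Python and evaluates them against constructed requests. The IP addresses are documentation-range placeholders, and `rule_status` and `report` are names made up for this sketch.

```python
import re

# The two REQUEST_URI patterns from the root .htaccess rule above.
LOGIN_URI = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^(.*)?wp-admin$")

def allowed_ip_pattern(ip):
    """Build the escaped, anchored pattern used in the REMOTE_ADDR condition."""
    return re.compile("^" + re.escape(ip) + "$")

def rule_status(request_uri, remote_addr, allowed_ip):
    """Return 403 if the rule would fire, else None (request passes through).

    mod_rewrite combines the conditions as (login OR admin) AND NOT allowed-IP.
    REQUEST_URI is the path only, without the query string.
    """
    path = request_uri.split("?", 1)[0]
    uri_matches = bool(LOGIN_URI.search(path) or ADMIN_URI.search(path))
    ip_is_other = not allowed_ip_pattern(allowed_ip).search(remote_addr)
    return 403 if (uri_matches and ip_is_other) else None

# Constructed sample requests; 203.0.113.10 stands in for the whitelisted IP.
ALLOWED = "203.0.113.10"
SAMPLES = [
    ("/wp-login.php", "198.51.100.7"),
    ("/wp-login.php?action=lostpassword", "198.51.100.7"),
    ("/blog/wp-login.php", "198.51.100.7"),
    ("/wp-admin", "198.51.100.7"),
    ("/wp-admin/", "198.51.100.7"),       # trailing slash: pattern ends at "wp-admin$"
    ("/wp-admin/index.php", "198.51.100.7"),
    ("/wp-login.php", ALLOWED),
    ("/wp-login.php", "203.0.113.100"),   # shares a prefix with the allowed IP
    ("/", "198.51.100.7"),
]

def report(samples=SAMPLES, allowed=ALLOWED):
    """Evaluate every sample and return (uri, ip, status) tuples."""
    return [(uri, ip, rule_status(uri, ip, allowed)) for uri, ip in samples]

if __name__ == "__main__":
    for uri, ip, status in report():
        print(f"{ip:15} {uri:36} -> {status or 'passes through'}")
```

The output shows that paths below /wp-admin/ are not matched by the second condition, so the rule leaves those requests to WordPress's own login handling; widen that pattern if the whole directory should be restricted by IP.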
