As you may already know, WordPress is the most popular Content Management System (CMS) in the world, with about ninety percent market share among all available CMSes. Because of that, it is also the CMS most targeted by hackers: every day, many WordPress sites are hit by numerous vulnerabilities and get hacked. One of the most common attack methods is guessing the site’s admin password on the login page with so-called brute-force attacks.
A brute-force attack is when someone uses trial and error to crack passwords or other credentials and gain unauthorized access to accounts, systems, and networks. Attackers usually carry out such attacks with automated bots, or by directly targeting a specific victim of their choice.
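To make that pattern concrete from the defender’s side, here is an added example (not part of the original article) that scans Apache access-log lines for the signature of a login brute-force attempt: repeated POST requests to wp-login.php from one client address within a short window. The log lines, addresses, threshold and window are constructed for illustration; on a real server you would feed it the site’s access log.

```python
"""Flag client addresses that hammer wp-login.php, using constructed Apache log lines.

Added example (not part of the original article): parses Apache "combined"
format log lines, counts POST requests to wp-login.php per client address
inside a sliding time window, and reports addresses above a threshold.
The log lines, addresses, threshold and window are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: ip - user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client retrying the login form rapidly, one normal visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
203.0.113.20 - - [10/Mar/2024:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Mar/2024:12:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """WordPress re-renders the form with HTTP 200 on a bad password and
    answers a successful login with a 302 redirect, so POST + 200 is a failure."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == 200)


def find_bruteforcers(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak count} for addresses with >= threshold failed logins
    inside any `window`-sized span. Lines are sorted by time first, since
    access logs are not always strictly ordered."""
    recent = defaultdict(deque)
    flagged = {}
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    for rec in sorted(records, key=lambda r: r["time"]):
        if not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 60s")
```

The 200-versus-302 distinction is what separates a failed login from a successful one in WordPress’s default behaviour; an address that is flagged here is a candidate for the IP restrictions described later in the article, or for a rate-limit rule in front of the site.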
Why You Should Change and Protect Your WordPress Login Page URL
You should change and protect your WordPress login page URL for an obvious reason: to prevent hacking attempts. As I already mentioned, WordPress sites are constantly attacked by automated bots, so it’s essential to take action to protect the most sensitive areas of the site.
If someone gains unauthorized access to your site, you’re in trouble: an attacker may steal your data, take control of your whole website, or even delete all your content.
Because bots continuously hit the site’s login page and admin area, you may also notice increased bandwidth usage. That’s another reason to consider adding protection.
Below, I will show you how to protect your WordPress login page and the whole admin area from public access, so that only you and your site’s members will be able to log in to the site.
How to Protect Your WordPress Login Page URL With a Plugin
If you want an easy way to protect your site’s login page, you can use a WordPress plugin. The WPS Hide Login plugin is the simplest option: it lets you change your site’s login page URL and blocks access to wp-login.php and the wp-admin directory for anyone who is not logged in.
To install the plugin, log in to your WordPress dashboard, go to Plugins → Add New, search for WPS Hide Login, then click Install Now and Activate.
After that, head over to Settings → General, and at the bottom of the page, find the WPS Hide Login section. Next to Login URL, enter your new login page URL; next to Redirection URL, you can specify where a not-logged-in user will be redirected when they try to access the wp-login.php page or the wp-admin directory.
How to Protect Your WordPress Login Page URL Without a Plugin
Alternatively, you can take a more advanced approach and protect your site’s login page by blocking all incoming IP addresses except yours and your team members’. If you use the Cloudflare service, check this article to learn how to set it up on your website, then head over here to learn how to set up firewall rules that restrict access to sensitive site areas such as the wp-login.php page and the wp-admin directory. Protecting site pages with Cloudflare is convenient and easy.
If you don’t use Cloudflare, you can restrict access to sensitive site areas with server-side rules. Here I’ll show you how to do this on the Apache web server.
To alter the Apache configuration, we’ll edit the .htaccess file located in the root directory of your site’s installation. By editing the .htaccess file, we can quickly apply new web server settings and see the changes while the web server is running, without restarting it. Generally, you can access your WordPress installation files using the tools your hosting provider offers in its control panel, or remotely over SSH, FTP, SFTP, or another common connection method.
A popular way to remotely access and edit WordPress files is to use the FileZilla Client: follow the steps below to learn how to install and use it.
First, download FileZilla Client from its official website and install it on your computer. FileZilla is available for Windows, macOS, Linux, and other operating systems. It supports FTP, SFTP, FTPS, and FTPES remote connections.
After installation, open FileZilla and enter your server credentials to connect to it:
- Host: IP address of your server
- Username and Password: credentials of your server account
- Port: the port on which the server listens (if you use SFTP, enter 22; otherwise, you can leave this field blank)
When connected to the server, navigate to the WordPress installation directory: the default location is usually /var/www/html. If you can’t find your WordPress installation, consult your hosting provider.
Find the .htaccess file in the root WordPress installation directory, right-click on it, and select View/Edit. To block access to the wp-login.php file and the wp-admin directory for all users except you, paste the following snippet into your .htaccess file, and replace !^123\.123\.123\.123$ with your own IP address (keep the ^ and $ anchors and the backslashes before the dots).
<IfModule mod_rewrite.c>
# Place this block above the "# BEGIN WordPress" block so it is evaluated first.
RewriteEngine on
# Match the login page, or anything under the wp-admin directory...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# ...except admin-ajax.php, which front-end features of many themes and plugins call for visitors who are not logged in...
RewriteCond %{REQUEST_URI} !admin-ajax\.php
# ...and only when the client is not an allowed address (add one line per allowed address).
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
You can add as many IP addresses as you want: just add additional RewriteCond %{REMOTE_ADDR} lines with the other IP addresses, in the same form. If you have changed your login page URL, replace ^(.*)?wp-login\.php(.*)$ with your previously defined login page URL (keep all special characters, and escape any dots with a backslash).
After saving changes, only users whose IP addresses are whitelisted in the .htaccess file will be able to access the wp-login.php page and wp-admin directory (all other IPs will be blocked and presented with the 403 error page).
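Because a mistake in these conditions either locks you out or leaves the admin area open, it pays to dry-run the logic before saving the file. The following added example (not the article’s own code, nor Apache’s) re-implements the RewriteCond chain in Python so request paths and client addresses can be checked offline, and generates the escaped RewriteCond %{REMOTE_ADDR} lines for a list of allowed addresses. It also shows the edge case that a pattern ending in wp-admin$ matches only the bare /wp-admin path and not the files under it, and why admin-ajax.php is usually exempted. The addresses and request paths are constructed for illustration.

```python
"""Dry-run the .htaccess allowlist rule before deploying it.

Added example (not the article's or Apache's own code): mirrors the
RewriteCond chain from the snippet in Python and emits the negated
"RewriteCond %{REMOTE_ADDR}" lines for a list of allowed addresses.
The addresses and request paths used below are constructed.
"""
import ipaddress
import re

# The login-page pattern exactly as used in the .htaccess snippet.
LOGIN_RE = re.compile(r"^(.*)?wp-login\.php(.*)$")
# A pattern ending in "wp-admin$" matches only the bare /wp-admin path,
# so /wp-admin/index.php and friends slip through it.
ADMIN_BARE_RE = re.compile(r"^(.*)?wp-admin$")
# Matching the directory and everything below it closes that gap.
ADMIN_DIR_RE = re.compile(r"^(.*)?wp-admin(/.*)?$")
# admin-ajax.php is called by front-end features of many themes and plugins
# for visitors who are not logged in, so it is normally exempted.
AJAX_RE = re.compile(r"admin-ajax\.php")


def allowed_ips(ips):
    """Validate each address (ValueError on junk) and return canonical strings."""
    return {str(ipaddress.ip_address(ip)) for ip in ips}


def remote_addr_conditions(ips):
    """Emit one negated RewriteCond per allowed address, dots escaped and anchored."""
    ordered = sorted(allowed_ips(ips), key=ipaddress.ip_address)
    return [f"RewriteCond %{{REMOTE_ADDR}} !^{re.escape(ip)}$" for ip in ordered]


def is_blocked(request_uri, remote_addr, ips, admin_re=ADMIN_DIR_RE, exempt_ajax=True):
    """Mirror mod_rewrite's evaluation of the snippet:
    (login OR admin) AND NOT ajax AND address not in the allowlist.
    %{REQUEST_URI} carries only the path, so the query string is dropped first."""
    path = request_uri.split("?", 1)[0]
    sensitive = bool(LOGIN_RE.match(path) or admin_re.match(path))
    if exempt_ajax and AJAX_RE.search(path):
        sensitive = False
    return sensitive and remote_addr not in allowed_ips(ips)


# Constructed allowlist: the site owner's address and a teammate's address.
ALLOWED = ["203.0.113.10", "203.0.113.9"]

if __name__ == "__main__":
    print("\n".join(remote_addr_conditions(ALLOWED)))
    checks = [
        ("/wp-login.php", "198.51.100.7"),
        ("/wp-login.php", "203.0.113.10"),
        ("/wp-admin/index.php", "198.51.100.7"),
        ("/wp-admin/admin-ajax.php", "198.51.100.7"),
    ]
    for uri, addr in checks:
        verdict = "403" if is_blocked(uri, addr, ALLOWED) else "allowed"
        print(f"{uri:28} {addr:15} -> {verdict}")
```

One caveat the dry run cannot catch: behind Cloudflare or any other reverse proxy, %{REMOTE_ADDR} is the proxy’s address rather than the visitor’s unless mod_remoteip (or an equivalent) restores the real client address, so an allowlist written for your own IP would then lock everyone out, including you. Check what REMOTE_ADDR actually contains on your server before relying on it.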