3 Ways To Limit Access To wp-login.php by IP

Your WordPress login page is quite attractive to hackers. If they somehow get through your defenses through brute force attacks, you are in trouble. I know many WordPress users that do not take time to protect their wp-login.php file on their website. Here are 3 simple ways to do that:

Limit Login Attempts Plugins: these plugins limit the number of times someone can get username/password pair wrong. It alerts you when your site is under attack and bans abusive IPs.

Use .htaccess: if you are using Apache as your main web server, you could use your .htaccess file to harden WordPress. The above code snippet protects your wp-login.php file by IP. You should add the above code to your root directory / .htaccess file. Make sure to test it out to see if it works as it should.

Use Nginx: many top WordPress blogs use Nginx as their web server. That means you won’t be able to use the mentioned .htaccess code to protect your login page. The good news is the job is still easy to do. I would add the above code to my vhost configuration files or WordPress.conf (depending on how you have setup Nginx).

These won’t make your website hack-proof but they do keep brute force attackers from messing with your wp-login.php page. You could and should implement this for your wp-admin directory too.

Any questions or problems? Please add them below.