---
title: "Locking WordPress Admin Login with .htaccess Rules"
description: "If you are a website administrator, security should be at the top of your list. That's why your first step should be to work with InMotion's WordPress Hosting team to get your website up and running...."
url: https://www.inmotionhosting.com/support/edu/wordpress/lock-down-wordpress-admin-login-with-htaccess/
date: 2022-07-12
modified: 2024-09-11
author: "InMotion Hosting Contributor"
categories: ["WordPress Tutorials"]
type: post
lang: en
---

# Locking WordPress Admin Login with .htaccess Rules

If you are a website administrator, security should be at the top of your list. That's why your first step should be to work with InMotion's [WordPress Hosting](https://www.inmotionhosting.com/wordpress-hosting) team to get your website up and running. After that, you can **lock** down the **WordPress admin login** with some **.htaccess** rules to prevent unauthorized login attempts.

## How to Locate Your .htaccess File in cPanel's File Manager

This guide will show how you to limit WordPress admin login attempts by IP address, or referrer. Below we'll show you, how to get to your **.htaccess** file, and what edits to make, to limit WordPress admin logins. But first, we'll show you how to find your .htaccess file in the cPanel File Manager.

1. [Log into your cPanel](https://www.inmotionhosting.com/support/edu/cpanel/how-to-log-into-cpanel/).
2. Find the **Files **category and click on the **File Manager** icon.![cPanel](https://www.inmotionhosting.com/support/wp-content/uploads/2012/07/cmPape_01.png)
3. Click **Settings** at the top right corner.![cPanel](https://www.inmotionhosting.com/support/wp-content/uploads/2013/04/PL_fix_Selection_03.png)
4. Select the **Document Root** for your domain and check the box next to **Show Hidden Files**. Click **Save**.![file manager show hidden](https://www.inmotionhosting.com/support/wp-content/uploads/2012/07/PL_fix_Selection_02.png)
5. Right-click the *.htaccess* file and select the **Edit **option.![file manager htaccess](https://www.inmotionhosting.com/support/wp-content/uploads/2012/07/PL_fix_Selection_04.png)
6. If you have a text editor encoding dialog box pop up, simply click **Edit**.

## How to Restrict WordPress Admin Access

The following rules should be placed at the very top of your **.htaccess** file.

- [Secondary WordPress admin .htaccess password](https://www.inmotionhosting.com/support/edu/wordpress/prevent-unauthorized-wp-admin-wp-login-php-attempts/) (Recommended if your IP changes)
- [A Single IP Address](#single-ip)
- [Multiple IP Addresses](#multiple-ips)
- [Dynamic IP Address Access](#dynamic-ip)

## Single IP Address Access

You can [check your IP](https://support.inmotionhosting.com/ipcheck.php) to get your computer's IP address.

If you are using CloudFlare or a DNS level filtering service, this method won't work, you'll want to [setup a secondary WordPress .htaccess password](https://www.inmotionhosting.com/support/edu/wordpress/prevent-unauthorized-wp-admin-wp-login-php-attempts/) for protection instead.

To allow access from a single IP address, replace **123.123.123.123** with your own IP address:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^**123.123.123.123**$
RewriteRule ^(.*)$ –

## Multiple IP Address Access

 You can [check your IP](https://support.inmotionhosting.com/ipcheck.php) to get your computer's IP address.

If you are using CloudFlare or a DNS level filtering service, this method won't work, you'll want to [setup a secondary WordPress .htaccess password](/support/edu/wordpress/prevent-unauthorized-wp-admin-wp-login-php-attempts/) for protection instead.

To allow access from multiple IP addresses, replace **123.123.123.xxx** with your own IP addresses:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^**123.123.123.121**$
RewriteCond %{REMOTE_ADDR} !^**123.123.123.122**$
RewriteCond %{REMOTE_ADDR} !^**123.123.123.123**$
RewriteRule ^(.*)$ -

## Dynamic IP Address Access, Limit by Referrer

If your IP address changes, you can protect your WordPress site by only allowing login requests that come directly from your domain name. Simply replace **example.com** with your own domain name Most brute force attacks rely on sending direct **POST** requests right to your **wp-login.php** script. So requiring a **POST** request to have your domain as the referrer can help weed out bots.

RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https://(.*)?**example.com**
RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ -

Wait at least 15-20 minutes, and try to log into your WordPress site again. If you try to access the WordPress dashboard within the 15 minute window of a block, this could extend the block longer.

It's important to wait for the previous block to expire and be patient before attempting to access your WordPress site again. You should now be blocking unauthorized WordPress admin login attempts utilizing .htaccess rules.
