Locking WordPress Admin Login with .htaccess Rules

If you are a website administrator, security should be at the top of your list. That’s why your first step should be to work with Inmotion’s WordPress Hosting team to get your website up and running. After that, you can lock down the WordPress admin login with some .htaccess rules to prevent unauthorized login attempts.

Limit WordPress admin login attempts

This guide will show how you to limit WordPress admin login attempts by IP address, or referrer. Below we’ll show you, how to get to your .htaccess file, and what edits to make, to limit WordPress admin logins.

  1. Log into your cPanel.
  2. Find the Files category and click on the File Manager icon.
  3. Click Settings at the top right corner.
  4. Select the Document Root for your domain and check the box next to Show Hidden Files. Click Save.
    file manager show hidden
  5. Right-click the .htaccess file and select the Edit option.
    file manager htaccess
  6. If you have a text editor encoding dialog box pop up, simply click Edit.
The following rules should be placed at the very top of your .htaccess file.

How to restrict WordPress admin access

Secondary WordPress admin .htaccess password (Recommended if your IP changes)

A single IP address

Multiple IP addresses

Trusted referrers

Single IP address access

You can check your IP to get your computer’s IP address.

If you are using CloudFlare or a DNS level filtering service, this method won’t work, you’ll want to setup a secondary WordPress .htaccess password for protection instead.

To allow access from a single IP address, replace with your own IP address:

RewriteEngine on 
RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR] 
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ 
RewriteCond %{REMOTE_ADDR} !^$ RewriteRule ^(.*)$ – [R=403,L]

Multiple IP address access

  You can check your IP to get your computer’s IP address.

If you are using CloudFlare or a DNS level filtering service, this method won’t work, you’ll want to setup a secondary WordPress .htaccess password for protection instead.

To allow access from multiple IP addresses, replace 123.123.123.xxx with your own IP addresses:

RewriteEngine on 
RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR] 
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ 
RewriteCond %{REMOTE_ADDR} !^$ 
RewriteCond %{REMOTE_ADDR} !^$ 
RewriteCond %{REMOTE_ADDR} !^$ 
RewriteRule ^(.*)$ - [R=403,L]

Dynamic IP address access, limit by referrer

If your IP address changes, you can protect your WordPress site by only allowing login requests that come directly from your domain name. Simply replace example.com with your own domain name Most brute force attacks rely on sending direct POST requests right to your wp-login.php script. So requiring a POST request to have your domain as the referrer can help weed out bots.

RewriteEngine on 
RewriteCond %{HTTP_REFERER} !^https://(.*)?example.com [NC] 
RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR] 
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteRule ^(.*)$ - [F]

Wait at least 15-20 minutes, and try to log into your WordPress site again. If you try to access the WordPress dashboard within the 15 minute window of a block, this could extend the block longer.

It’s important to wait for the previous block to expire and be patient before attempting to access your WordPress site again. You should now be blocking unauthorized WordPress admin login attempts utilizing .htaccess rules.

InMotion Hosting Contributor
InMotion Hosting Contributor Content Writer

InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals!

More Articles by InMotion Hosting

120 thoughts on “Locking WordPress Admin Login with .htaccess Rules

  1. I already have some code from wordpress itself in my public_html/.htaccess file.

    Hackers can still getting to wp-login.php once, after which they are blocked by the htaccess rule. Could it be due to having two instances of <IfModule mod_rewrite.c> and RewriteEngine On .  Should they be merged?

    I removed the wp-admin rule becuase it conflicted with the wp-statistics plugin.

    At the moment I have: 



    <IfModule mod_rewrite.c>

    RewriteEngine on

    RewriteCond %{REQUEST_METHOD} POST

    RewriteCond %{HTTP_REFERER} !^https://(.*)?my-domain\.com/(.*) [NC]

    RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$

    RewriteRule ^(.*)$ – [F]





    # BEGIN WordPress

    <IfModule mod_rewrite.c>

    RewriteEngine On

    RewriteBase /

    RewriteRule ^index\.php$ – [L]

    RewriteCond %{REQUEST_FILENAME} !-f

    RewriteCond %{REQUEST_FILENAME} !-d

    RewriteRule . /index.php [L]


    # END WordPress

  2. I like this solution and it has helped my issues but the people I ask to provide their IP addresses so I can grant them access keep getting the IPV6 version…this only works with IPV4 addresses. I’ve noted the trend is hard towards the IPV6 and it’s getting hard to find your IPV4 address sometimes. Is there anyway to make it work with both…or even switch this solution to all IPV6?

    1. Hello David,

      Thanks for the question about using IPV6. Currently, most networks are still using IPV4, so you may want to stick with using the solution using that version. The use of IPV6 would require a code to change to the IP address format as well as the command. Please see this forum post. It discuss the command to use IPV6. Remember that anytime you create rule/condition that it operates from top to bottom.

      If you have any further questions or comments, please let us know.

      Arnel C.

  3. Hi,

    I am impressed how helpful you are. I also run a blog, so I also try to be helpful for my readers . 😉

    I changed the URL of my login page. Now I want to ban immediately for 2 hours every user who enters the URL “…/wp-login.php”  or “/wp-admin”. It would save a ton of CPU of my server! How to do this on the server side (I don’t want bots to hit my WordPress)?

    1. Simon, that’s a great idea! This would basically turn the default login page into a ‘honeypot‘ for malicious visitors or scripts. For a server-side option, if you have root level access to your server, and you have CSF installed you could write a simple script to trigger a CSF command like csf -td $IP 7200. If you’d like a plugin to do so, I recommend reviewing the options in the Wordfence security plugin for WordPress. However, the CSF option would have the advantage of being CMS agnostic, but the disadvantage of requiring root level access on the server, which isn’t always an option.

  4. Hi, i want to change https://mysite.com/wp-admin and https://mysite.com/wp-login.php to https://mysite.com/customname

    please help

    Plugins are not working for me.


  5. Hello,

    I must have a bot trying to access my site today, but I also tend to get sporadic login attempts that might be real people using the login page. Can I combine the “limit by referrer” and “single IP address access” methods so that bots AND people other than myself are blocked? I’ve tried the methods listed here and every time I hit “save” I get another lockout notification. The only thing I’ve found that stops them is this script I found on another site:

    # Block access to wp-admin.
    order deny,allow
    allow from
    deny from all

    Unfortunately, it completely disables my website – not just the login page. I’ve left that in the .htaccess file for now until I can find a solution. Please help! The website is chandlercommunications.com. Thanks!

  6. Hello,

    Can I re-write the below code that if users dont have access swould be sent to particular page and not to 403 page?


    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteRule ^(.*)$ - [R=403,L]


    1. Hello,

      For the last line of the rewrite you should be able to use something like this.

      RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301,NC]

      Best Regards,
      TJ Edens

  7. I’ve used this code which i have found on other posts but it doesn’t work, when i add with my ip it appears to work, what i mean by this is if i don’t include my ip range it blocks access, Great however i am still getting hacking attempts which indicates it doesn’t work. 

    1. Hello Alan,

      Thank you for contacting us. I recommend reviewing any other rules in your .htaccess file, to ensure they are not interfering with these ones.

      Also, keep in mind this rule will block access, but the hack attempts may still continue. It really depends on the nature of the attack. How are you viewing the hack attempts?

      Thank you,

    1. Hello Alireza,

      In the case of needing a range or a large number of specific IPs, you would want to go with the ‘limit by referer’ option.

      Kindest Regards,
      Scott M

    2. This is not working. Well, let me rephrase that… it works, but the hackers are getting around it.
      I added this code to my .htaccess file:

      RewriteEngine on
      RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
      RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
      RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
      RewriteRule ^(.*)$ – [R=403,L]

      Obviously, replacing the with my IP address. IT WORKS!

      I tested to make sure it was block other IP address by changing it to an IP that is not mine. IT WORKS!

      I block me from admin login.

      Why are the hackers still getting through????

      I keep getting these emails from WP Limit Login
      4 failed login attempts (1 lockout(s)) from IP:
      Last user attempted: admin
      IP was blocked for 15 minutes

    3. Ok, I looked up the files these IP’s are accessing…. how they are getting to wp-login from this file I have no clue. The file is:

      I put the follow at the top of my .htaccess file:

      Order allow,deny
      Deny from all

      lets see if this stops it.

  8. Thank you so much. That worked.

    It’s official, you are definitely smarter than my current host. Maybe I should start to consider my options…

    1. Hello Ted,

      You are correct, technically they can hit that file and get a 200 response code. The first example below will block any request with a url that ends with wp-admin (in regex $ means ends with).

      RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$

      However if you changed it to what is below it will block any request that has wp-admin in the url:

      RewriteCond %{REQUEST_URI} ^(.*)?wp-admin*

      Best Regards,
      TJ Edens

  9. Hi,

    I have used your example code:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteRule ^(.*)$ - [R=403,L]

    and it seems to almost work on my enviroment.

    It blocks access to wp-login okay, but why am I seeing ‘success 200’ notifications on my logs, when someone tries to access admin-ajax.php? Shouldn’t that be blocked too?

    Here’s a sample of my log. - - [03/Aug/2015:01:31:17 +0300] "POST //wp-admin/admin-ajax.php HTTP/1.1" 200 1 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko)"

    Am I missing/misunderstanding something?


  10. Hi. I tried what the code said and it did not work it just blocked me out saying 505 error. Me and a friend keep getting locked out all the time and we cant make this site. Can you please help? This is getting beyond a joke and we would like to make our site


    1. Hello Patric,

      This works for most people. If you are still having issues, you may want to contact Live Support so that they can help you with anything else that may be specific to your account.

      Kindest Regards,
      Scott M

  11. First let me start by thanking you for your great post. Now, my to my situation.

    I have a bit of a complex environment. In its simplest form, I have two file servers connected to the same DB server. Lets call them FS1 and FS2. Both FS1 and FS2 are mirrors to each other except their .htaccess files. Both file servers have their own unique URL, something that looks like this: fs1.somesomedomain.somedomain.com and fs2.somesubdomain.somedomain.com

    When you go to my domain, for example, to www.mydomain.com, it will redirect to FS1. Which will take you to the fron end to my WordPress site. If you want to go to the  backend, then I will go to the FS2 domain directly. I am the only one accessing the backend.

    Now, I would like to completely restrict access to the backend in FS1. How do I do that? Do I restrict access to wp-login and wp-admin? What about the .htaccess file, what rwx restrictions does it have?

    1. Hello Bob,

      Are you able to set an htaccess file on the back end server and limit it to your specific IP?

      Kindest Regards,
      Scott M

  12. I have my .htaccess file and would lik for someone to look at it and see how I can go about locking it down. I currently have installed Bulletproof Security which I thought already covered this but maybe not. Please advise on how to attach it here if possible.

    1. Hello Jeremy,

      Thank you for contacting us here in the public forums. The above guide explains how to successfully lock down your .htaccess file, and provides specific examples. But this is not necessary if you are using a Bulletproof security.

      The BulletProof Security plugin secures your .htaccess and other files in your WordPress site. Here is a link to our walk-through guide on the WordPress BulletProof Security plugin configuration.

      Thank you,

  13. I live chatted with your support today and could not get the answer to this….

    I have a 2nd domain under my hosting accnt with WPress installed in that subdomain.  I have a htaccess file with just MY ip and IMH ip in there which is located on my ROOT dir, which SHOULD protect my whole site and sub domain… right ?  I created a new user with user/pass for another person who is helping with the subdomain design.  THEIR ip is NOT in the htaccess file but they are still able to log into the subdomain’s WPress admin, when I thought the htaccess would prevent them from doing that UNTIL I added their ip to my htaccess.  They can log in fine with being in the ip list so I am losing all confidence in this htaccess ip restriction thing since its not working !!

    What is going on to let someone inside that is NOT on the ip htaccess file ?  Even if they have a good user/pass they still should NOT be able to log in.



    1. Hello Paul,

      Thank you for contacting us. We are happy to help, but we will have to see your .htaccess code to help troubleshoot further.

      Please provide the content of your .htaccess code, so we can help narrow down the cause.

      Thank you,

  14. Hi Arn.

    I tested the two  lines of your code which test the URI, separately (I commented one line while testing the other), and I realized that one of them is ineffective: the line which tests the presence of wp-admin folder on the URI.

    If I type https://localhost/wp-admin in my browser, I will receive an “access denied” message. But, if I type https://localhost/wp-admin/ (note the slash at the end), I will gain access to the wordpress login page.
    This problem can be corrected if you change this line of code as follows:

    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$

    Note: as an URI with wp-admin is automatically redirected to an URI with wp-login.php, the ineffectiveness of this line of code does not imply in any security flaw in your code: it is just a question of performance (the user will not need to be redirected to an URI with wp-login.php to be blocked).


  15. Hi there. I’m going to attempt the single IP access. However, I have a question regarding stats. Using these blocking methods, when my site gets hammered by attempts, will these show in awstats or other stats? As in, will I start seeing massive amounts of 404 page errors, etc? I am hoping to have a clean solution, but it’s not clear to me what happens to the www.mysite.com/wp-login.php requests after I prevent all IP addresses other than my own. I would great appreciate insight into what happens with stats, after this solution is implemented. Thank you.

    1. Hello Douglas,

      Thanks for the question. This security option will not affect your stats as the stats are generally for successful connections to your website – not for attempts.

      I hope this helps to answer your question, please let us know if you require any further assistance.

      Arnel C.

  16. I have inserted the “Single IP” code in htaccess on multiple occasions. The login works during this first session. Then when I go out to the worpress site, any pages except the home page are returned with 404 error codes and cannot be accessed. If I go to the “Permalinks” and resave the settings using %postname%, these pages come back active and accessible. But, then I go back and check the code in my htaccess file and it has automatically returned to the standard WP settings. My limiting code to only allow my IP Address is gone.

    Is there some special place in the coding, this needs to be installed?  I read in a forum that anything between the #Begin WordPress and #End WordPress will be automatically changed by WordPress, which is reflected with my problem. 

    I also see a future problem in that we are going to have a newsletter and vendors pages which will require selected visitors to be able to have a username that allows them to visit protected pages. I keep reading this cannot be done if I protect the login and admin using the process you have listed above.

    This is becoming a real pain in the butt with all of the attempted attacks every friggin day on WordPress sites. Insanity. I am hoping there is some simple solution to these issues?  My goal is to stop the hackers from gaining access to any of the files on the server in a WordPress site, especially the login and admin files. But also allow real visitors, customers and clients to be able to access protected pages.



    1. Hello DG,

      When you insert the single IP code, it should NOT be in the WordPress. As you have noted, it will automatically be removed. Add the code before the #Begin portion of the WordPress.

      I also see a future problem in that we are going to have a newsletter and vendors pages which will require selected visitors to be able to have a username that allows them to visit protected pages. I keep reading this cannot be done if I protect the login and admin using the process you have listed above.

      The login protection is FOR the Administrator login. If you have a newsletter and vendors pages, they shouldn’t require an Admin login. If so, then you can use a different method for limiting who can have access if necessary. There are several other methods provided above.

      I hope this helps to answer your question, please let us know if you require any further assistance.

      Arnel C.

  17. Hi,

    Im facing lots os spammy referal traffic on my wordpress website detected by Analytic Tools. Spammy websites are as:


    Now wanted to prevent these type of spammy referal traffic but don’t know how to do. Read some where that can be prevented through htaccess but the structure of wordpress htaccess is different and when trying, it cause problem on website sometimes 500 internal services error sometime some other.

    Please help me if any one have solution.

    Herein the Website – https://www.*******.com/


    1. Hello Spar,

      Thank you for your question. Please see our guide on how to Block unwanted users from your site using .htaccess.

      You will have to review the existing rules in your .htaccess file to ensure they are not interfering with the codes you are adding. A good developer should be able to assist you with this.

      If the traffic is originating from spammy backlinks, you can use Google’s Disavow tool to have them ignore certain links.

      If you have any further questions, feel free to post them below.

      Thank you,

  18. Actually, you need to be a little precise when defining WordPress being in a folder.

    There’s xyz.com/some-folder-name where WordPress completely resides in that folder and is independent of whatever is going on in the root of the site. i.e. The path to WordPress would be xyz.com/some-folder-name/index.php. For that, what Scott mentions is correct.

    Then there is what’s commonly called “WordPress in a folder”. In this instance, like the previous example, all of the WordPress files are installed in the folder e.g. xyz.com/some-folder-name. However, in this case WordPress is configured so that the index.php and the .htaccess files for the site have been copied from the folder and reside in the root of the site. In this case the path to WordPress would be xyz.com/index.php.

    In this case, the place to tweak the .htaccess file would be xyz.com/.htaccess, rather than xyz.com/some-folder-name/.htaccess.

    More about this can be found at https://codex.wordpress.org/Giving_WordPress_Its_Own_Directory

  19. How would I use the first choice “Single IP address access ” to allow a range of IP addresses? I’ve tried the CIDR xxx\.xxx\.xxx\.xxx\/xx and that doesn’t work. Nor does xxx\.xxx\.

    How can I allow a range?

    1. Hello Ken,

      In the case of needing a range or a large number of specific IPs, you would want to go with the ‘limit by referer‘ option.

      Kindest Regards,
      Scott M

    2. I am not sure if I need to alter the .htaccess file which is inside the ‘wordpress’ folder for my site, or if I need to create one at the top level of the domain?

      Can you advise please?

    3. Hello Robcnz,

      If the WordPress is installed at the domain level then you would alter that one. If you have it installed in a subfolder, such as example.com/wordpress, then you would create/alter the .htaccess file in the wordpress folder.

      Kindest Regards,
      Scott M

  20. Hi, Ive been using your referrer code method to prevent remote attampts to login successfully for some time now – with a focus on one of my accounts add on domains. In the past month however it doesnt seem to be working.  Today I’ve tried the limit IP address login as a test and it too doesnt seem to be working – loaded the IP address of my office computer and then was able to log in from my cell on diff IP address….  Any thoughts on why neither of these would be function as I would expect or as the prevsious referrer block method did?  thank you.

    1. If you are limiting your login using .htaccess exactly as in this article, only the IP addresses defined should be able to get in. Be sure that your phone is not connected via wifi when testing as it would caused you to have the same public IP as your computer.

    2. thank you very much – resolved on the other thread – caching issue and tested on the wp-admin versus the .com/login page

  21. Why not try a plugin https://www.sourcexpress.com/wp-double-protection/ which can be installed on a wordpress site and instead of taking the risk of changing .htaccess file, we can have an extra layer of protection with these plugins. 

    1. Hello Shannon,

      Thank you for contacting us. When you hit Edit you will then be able to edit/add text to your .htaccess file.

      Then, add the rule you want to use (they are in the black boxes above), and update them as needed. For example you may want to add your IP to the rule, instead of the existing one.

      I hope this helps,

  22. I was having problems with membership levels and thought that it was restrict access pro that was causing the problem so I deleted both plugins and now I cannot access the dashboard nor login in to my website.

    Can you help me?



    1. Hello,

      Unfortunately, your issue is nothing we can identify with the information given. I am unable to see your site or locate an account. Did you remove the plugins via the dashboard or did you delete them in the file structure? What type of errors are you getting when trying to log into the wp-admin?

      Kindest Regards,
      Scott M

    2. After clicking “edit,” I have no idea what this article is talking about. I don’t see something similar on the screen it’s referring to, and I’m so unfamiliar with this type of thing that I’m just totally over my head.

  23. Hi Staff,

    I am attempting to use the trusted referrer option and I am still not able to login.  The site is www.readysetloan.com.  I cannot figure out what I am doing wrong and have been locked out since Thursday.

    Thank you – Eric

    1. The referrer option disallows bots from sending POST requests directly, however, if the brute force attacks are fully hitting your wp-login.php page, this will not work. I recommend allowing by IP if you continue to experience issues. Keep in mind that it can also take about 15 minutes for the block to be lifted after putting the protection in place.

    2. Just a bit more specificity for those unfamiliar with code. I was attempting to block false login attempts on my site from a brute force attack and the file stated to use the IP address at the top of the document — I didn’t know if that meant at the very top of the document or under the comments of the document.

  24. Very frustrated. I’ve done: secondary password protection of the wp-admin directory and referral restrict in htaccess. I don’t have admin as a username, yet still I get locked out constantly; often when in the middle of working on something. The plugin to “hide” the wp-admin directory doens’t work well, but has been tried to see if it would help as well (still got locked out then, too). 

    I’m have a VPS acount. I look at the raw acces logs in cpanel and never see any sort of major attack of wp-login.php. At most there’s 5 or 6 POST attempts and then you block… don’t you think it’s a bit too agressive to be locking out clients when there’s that few attempts? How about giving some leeway, eh? Especially for VPS accounts that are supposed to have dedicated resources so these attacks don’t impact anyone else on a shared server.

  25. Hello, thanks for this article.  I understand that wp-admin is actually a folder in WordPress, so if we add this code, won’t it lock down the whole directory and not just prevent people from accessing the wp-admin login page?

    Thanks in advance for your advice.

    1. The wp-admin directory only contains content that would be accessed on the admin dashboard so it would not affect the main content of your site at all.

  26. That makes sense Jeff, I use WP as content management for this dynamic site so I tried

    https://kissthesky.net/blog/wp-admin        it then redirected to


    and displayed the same message ‘WordPress Login Temporarily Disabled’

    Where to from here?

    1. You need to lock down the blog itself within your .htaccess. So, you will need to place the .htaccess code within the .htaccess file that is located inside the blog directory. After 15 minutes, you will then be able to log in again.

    2. Hello Tony,

      I took a look at your login and it is appearing for me. It may have been blocked temporarily (typically 15 minutes) in order to stop brute force attacks. Make sure to review the article above for more information on how to secure your WordPress login.

      By the way I was using the following URL: https://kissthesky.net/wp-admin

      Make sure to clear your browser cache before trying to login again. Please let us know if you continue to have difficulty logging in.

      Kindest regards,
      Arnel C.

  27. Jeff,

    I was able to edit the file as you suggested but now when I attempt to log in using


    I get the 404 error message.

    1. This is because the website is not created using WordPress, so it will not contain a wp-admin directory.

  28. Hi Tony,

    You might end up with a blank .htaccess file in WordPress if you haven’t yet gone to Settings/Permalinks and set and saved the permalink setting you want to use.

    WordPress doesn’t generate the .htaccess info until you do that. If for some reason WordPress can’t write to the .htaccess file, you should get a notice warning you of that and also the code to copy and paste into your .htaccess file manually.

  29. I have attempted to edit a client’s .htaccess file following instructions and the file is totally blank. There is no code to apply the Trusted Referrers fix to. Client’s url is 


    which is a addon domain to


    Thanks in Advance

    1. To apply this, you will need to copy the entire block of code mentioned into your .htaccess file and adjust it based on their specific information.

  30. Insert at beginning of htaccess file.

    RewriteRule ^login$ https://YOUR_SITE.com/wp-login.php [NC,L]

    Just replace the login keyword with one of your choice and your website’s URL.

    1. Hello Matt,

      Sorry to hear that you’re having problems with the login. Since you did not give us any account information, we could not check into the matter for you. If you want us to investigate, please give us at least a domain name or account user name. If your site is being hit by the brute force attack, then you may not be able to access the admin until you implement one of the suggestions listed above (and then waiting 15 minutes).

      Remember that posts here are public domain. If you would prefer the matter to be handled privately, then please contact our live support team as per the contact information at the bottom of the page.

      Kindest regards,
      Arnel C.

  31. I have a number of WP sites which are in folders in my public_html folder. Each site is also running its WP from a folder. i.e. xyzxyz.com/qrgf/wp-admin/wp-login.php

    I’d like to use the Referrer method above. What’s the best way?

    Also, would it be preferable to put this in the .htaccess file that’s *above* my public_html folder? Could I put the Referrer for *all* of my sites there? (So they’d all be in one place)

    1. You could simply place a single block of code within your .htaccess file in your public_html directory that covers all sites. As long as you don’t have any additional rules in deeper folders that could counteract it, everything can work directly within a single file. It would look something like this:

      RewriteEngine on
      RewriteCond %{REQUEST_METHOD} POST
      RewriteCond %{HTTP_REFERER} !^https://(.*)?example\.com [NC]
      RewriteCond %{HTTP_REFERER} !^https://(.*)?example\.com\/somethingelse [NC]
      RewriteCond %{HTTP_REFERER} !^https://(.*)?example\.com\/anothersite [NC]
      RewriteCond %{HTTP_REFERER} !^https://(.*)?example\.com\/additionalsite [NC]
      RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
      RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
      RewriteRule ^(.*)$ – [F]

      Be sure that you place each site that you are running in here or else you will get access denied errors on them.

  32. I’m using the “Dynamic IP address access, limit by referer” method yet I am still getting block out of admin. This is the exact text in my .htaccess file:


    <IfModule mod_rewrite.c>

    RewriteEngine on

    RewriteCond %{REQUEST_METHOD} POST

    RewriteCond %{HTTP_REFERER} !^https://(.*)?shadeofthebodhitree\.com [NC]

    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]

    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$

    RewriteRule ^(.*)$ – [F]



    What am I doing wrong?

    1. This disallows bots from sending direct POST requests to your WordPress admin, but if they are actively visiting your login page, they will still be able to launch brute force attacks. I recommend blocking based on IP, or using a secondary password here if you are still being locked out.

  33. Help I have been locked out of my blog for several days and cannot reach my dashboard to make the changes suggested here.  the site is 


    any help would be appreciated.  It appears I will need some help from the staff

    1. Hello rob,

      Sorry to hear about your troubles. As a test, I was able to access your admin login page using the Single IP method.

      Make sure you are adding the code to your .htaccess file located in the root of your wordpress installation: public_html/president/

      If you have any further questions, feel free to post them below.
      Thank you,


  34. Unfortunately WooCommerce customers need to access wp-admin.php for some reason so an additional username and password won’t work for me. In fact whenever these blocks happed I think my customers are locked out from completing purchases. I guess they’ll just go elsewhere.

    1. Instead of locking down with a secondard password, you could lock down your WordPress admin by referrer (under the heading “Dynamic IP address access, limit by referer”) which would prevent users from directly sending POST requests and allowing your users to still access their accounts.

  35. Your instructions, above, are flawed. 

    They read: 

    To allow access from a single IP address, replace 123\.123\.123\.123 with your own IP address

    But that’s not correct. You can’t simply plug in “your own IP address”—you also have to insert slashes.

    1. Hello Mary,

      It should work in most cases either way you type in your IP address:


      Both methods of typing in an IP address should be valid for an .htaccess file.

      I see from you account notes that you might have also had an extra space throwing the rules off. Thanks for leaving this comment. I’ll see about updating the article to make it a little more clear how to enter in your IP address, but I’m also almost done working on a WordPress plugin that will allow our customers to easily implement these security recommendations on their own automatically without issues.

      Thanks again, and please let us know if you had any other suggestions!

      – Jacob

Was this article helpful? Join the conversation!