InMotion Hosting Support Center
If you are a website administrator, security should be at the top of your list. That's why your first step should be to work with InMotion's WordPress Hosting team to get your website up and running. After that, you can lock down the WordPress admin login with some .htaccess rules to prevent unauthorized login attempts.

Limit WordPress admin login attempts

This guide shows you how to limit WordPress admin login attempts by IP address or referrer. Below we'll show you how to get to your .htaccess file and what edits to make to limit WordPress admin logins.
  1. Log into your cPanel.
  2. Find the Files category and click on the File Manager icon.
  3. Click Settings at the top right corner.
  4. Select the Document Root for your domain and check the box next to Show Hidden Files. Click Save.
  5. Right-click the .htaccess file and select the Edit option.
  6. If you have a text editor encoding dialog box pop up, simply click Edit.

The following rules should be placed at the very top of your .htaccess file.

How to restrict WordPress admin access

  • Secondary WordPress admin .htaccess password (Recommended if your IP changes)
  • A single IP address
  • Multiple IP addresses
  • Trusted referrers


Single IP address access

You can check your IP to get your computer's IP address.
If you are using CloudFlare or a DNS-level filtering service, this method won't work, because the web server then sees the service's IP address in REMOTE_ADDR rather than yours. Set up a secondary WordPress .htaccess password for protection instead.
To allow access from a single IP address, replace 123\.123\.123\.123 with your own IP address, keeping the backslash before each dot:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]

 

Multiple IP address access

You can check your IP to get your computer's IP address.
If you are using CloudFlare or a DNS-level filtering service, this method won't work; set up a secondary WordPress .htaccess password for protection instead.
To allow access from multiple IP addresses, replace 123\.123\.123\.xxx with your own IP addresses, one RewriteCond line per address:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
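
Hand-editing the escaped addresses is where these rules usually go wrong, so the following added example (not InMotion's code) generates the multiple-IP block from a validated allow list and models how the conditions combine. The function names and the sample addresses are assumptions made for illustration; the URI patterns are the ones from the rules above.

```python
import ipaddress
import re

# REQUEST_URI patterns copied from the article's rules.
URI_PATTERNS = [r"^(.*)?wp-login\.php(.*)$", r"^(.*)?wp-admin$"]

def ip_regex(ip):
    """Anchored, dot-escaped regex for one IPv4 address (ValueError if invalid)."""
    return "^" + re.escape(str(ipaddress.IPv4Address(ip))) + "$"

def build_rules(allowed_ips):
    """Emit the multiple-IP block with one negated RewriteCond per address."""
    if not allowed_ips:
        raise ValueError("empty allow list would lock every address out")
    lines = ["RewriteEngine on",
             "RewriteCond %{REQUEST_URI} " + URI_PATTERNS[0] + " [OR]",
             "RewriteCond %{REQUEST_URI} " + URI_PATTERNS[1]]
    lines += ["RewriteCond %{REMOTE_ADDR} !" + ip_regex(ip) for ip in allowed_ips]
    lines.append("RewriteRule ^(.*)$ - [R=403,L]")
    return "\n".join(lines)

def is_blocked(uri, remote_addr, allowed_ips):
    """Model of the rule: (login OR admin URI) AND address matches no allowed IP."""
    protected = any(re.search(p, uri) for p in URI_PATTERNS)
    allowed = any(re.search(ip_regex(ip), remote_addr) for ip in allowed_ips)
    return protected and not allowed

if __name__ == "__main__":
    ips = ["203.0.113.5", "198.51.100.7"]   # constructed documentation addresses
    print(build_rules(ips))
    # Constructed requests: (REQUEST_URI, REMOTE_ADDR)
    for uri, addr in [("/wp-login.php", "203.0.113.5"),
                      ("/wp-login.php", "203.0.113.55"),
                      ("/wp-admin", "192.0.2.9"),
                      ("/index.php", "192.0.2.9")]:
        print(uri, addr, "403" if is_blocked(uri, addr, ips) else "pass")
    # Why escaping and the trailing $ matter: a hand-typed pattern without them
    # also admits a different address.
    print(bool(re.search(r"^203.0.113.5", "203.0.113.55")))
```

Because every REMOTE_ADDR condition is negated and the conditions are ANDed, a request is refused only when its address matches none of the listed IPs.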

 

Dynamic IP address access, limit by referer

If your IP address changes, you can protect your WordPress site by only allowing login requests that come directly from your domain name. Simply replace example\.com with your own domain name. Most brute force attacks rely on sending direct POST requests right to your wp-login.php script, so requiring a POST request to have your domain as the referrer can help weed out bots. The Referer header is supplied by the client, so treat this rule as a filter for simple bots rather than as access control.

RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
# Accept the referrer over http or https so logins on an HTTPS site are not refused
RewriteCond %{HTTP_REFERER} !^https?://(.*)?example\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]

  • Wait at least 15-20 minutes, and try to log into your WordPress site again. If you try to access the WordPress dashboard within the 15-minute window of a block, this could extend the block.

It's important to be patient and wait for the previous block to expire before attempting to access your WordPress site again. You should now be blocking unauthorized WordPress admin login attempts using .htaccess rules.