How to Block Access to wp-login.php  Print this Article

Skip to end of metadata
Go to start of metadata

If you’re using an Apache server (if you are a shared hosting customer of ours, use the Nginx option below), put this code in a .htaccess file within your wp-admin directory.

 # Block access to wp-admin - replace x.x.x.x and y.y.y.y with your IP addresses.
order deny,allow
allow from x.x.x.x
allow from y.y.y.y
deny from all

# Allow access to wp-admin/admin-ajax.php

Order allow,deny
Allow from all
Satisfy any

If you’re on Nginx (If you are a shared hosting customer, this is the option for you), use the following code and replace x.x.x.x and y.y.y.y with your own IP addresses:

error_page 403;
location /wp-admin {
allow x.x.x.x;
allow y.y.y.y;
deny all;
location /wp-admin/admin-ajax.php {
allow all;

Another method that will block access without the concern of being blocked if your IP changes would be to password protect your login page at the server level. This results in one more level of logging in, but is only a very minor inconvenience. You will want to start with generating a .htpasswd file and uploading it to your server; preferably not in a publicly accessible directory. Once you’ve generated that file and uploaded it to your server, and you’re using Apache, go ahead and add the following code to the .htaccess file in your wp-admin directory (or create the file if it doesn’t already exist). Make sure to update the path in the AuthUserFile line to match the location of the .htpasswd file you created.

# Protect wp-login

AuthUserFile /path/to/your/.htpasswd
AuthName "Login Required"
AuthType Basic
require valid-user

If you’re using Nginx, you can use the following code in your configuration:

location /wp-login.php {

auth_basic "Administrator Login";
auth_basic_user_file .htpasswd;

If your host allows, you can pair this basic authentication method with fail2ban for Apache or Nginx (if you are a Dynamic customer, we do this for you) and create rules where an abusive IP address gets added to your server’s firewall rules and is blocked for a specified period of time.

Was this answer helpful?

Related Articles

How to Make a WordPress Staging Area Using Plesk
This post was written to help our customers (and others) who are looking to easily make a staging...
How to add a Facebook pixel without a plugin
What is a Facebook pixel, and why do you need one? Essentially the Facebook pixel allows Facebook...