Limit access to WordPress wp-admin

Last Revised: October 2, 2021

Although the other default folders of a WordPress installation can be renamed, the administration folder /wp-admin/ cannot. That leaves two options.

Blocking by IP or username/password

The first and most commonly suggested option is to restrict access to this folder to a list of IP addresses. The problem is that most users (at least on IPv4) do not have a fixed IP from which they connect. If you do have a fixed IP you can configure it; if not, this option is not very practical.

In Apache HTTPD (in the .htaccess file inside the /wp-admin/ folder) you can limit access to a specific IP:

# Order/Allow/Deny are Apache 2.2 directives; on Apache 2.4 they require
# mod_access_compat (the native 2.4 form is "Require ip ..."). No spaces
# are allowed around the comma in the Order argument.
Order Deny,Allow
Allow from 8.8.8.8
Deny from all

Replace 8.8.8.8 with your own IP address.

Another option is an HTTP authentication prompt handled by the web server itself (independent of WordPress), which can be used to protect, for example, requests to /wp-login.php:

<Files wp-login.php>
  # AuthUserFile needs an absolute path (Apache does not expand "~");
  # /path/to/.htpasswd is a placeholder for the real location of the file
  AuthUserFile /path/to/.htpasswd
  AuthName "Acceso privado bajo llave"
  AuthType Basic
  Require user miusuariosecreto
</Files>

In the same way, in nginx you can configure the following:

location /wp-admin {
  allow 8.8.8.8;
  deny all;
  # Caveat: a regex location such as "location ~ \.php$" takes precedence
  # over a plain prefix location, so a direct request to /wp-admin/index.php
  # would not be covered by these rules. To cover it, declare this block as
  # "location ^~ /wp-admin/" and nest the site's PHP (fastcgi) location
  # inside it, so the PHP files here are still executed but only after
  # the allow/deny check.
}

Replace 8.8.8.8 with your own IP address.

And it could also be set up under a password prompt:

# "=" (exact match) is required: a plain prefix location would lose to the
# regex PHP location and the password prompt would never be shown. Because
# this block then handles the request itself, copy the fastcgi_* lines of
# your PHP location into it as well; otherwise nginx would serve the file
# as static content instead of executing it.
location = /wp-login.php {
  auth_basic "Acceso privado bajo llave";
  auth_basic_user_file /path/to/.htpasswd;   # absolute path (placeholder)
}

If you want several users and passwords, add the corresponding entries to the .htpasswd file.

Change wp-admin URL

The second option is a plugin that changes the login URL, in the same spirit as the folder renames described earlier. One of them is WPS Hide Login, which lets you change the access URL.

Keep in mind that either option brings a number of associated problems. First, caches: if you use a caching system, you must configure it so that it does not cache the new address. Second, the asynchronous AJAX calls that WordPress normally makes to files in this folder: if you lock the folder to an IP or rename it, you may lose all of that functionality.

To avoid this, in Apache HTTPD you should unlock access to that file:

<Files admin-ajax.php>
  Order Allow,Deny
  Allow from all
  Satisfy Any
</Files>

And in the same way, in nginx:

location /wp-admin/admin-ajax.php {
  # the longest prefix wins, so this overrides the /wp-admin rules above
  allow all;
}

Brute force attacks

In addition to restricting access to known users, you also need something that stops attacks by sheer volume of login attempts over a period of time. Rate-limiting plugins such as Limit Login Attempts let you configure how many attempts a user gets from a given IP address within a period of time. If a user/password brute-force attack takes place, further attempts from that address can be blocked for a defined period.

Automatic disconnection

Another situation to keep in mind is the user who logs in to the panel, leaves the session open and walks away. That idle session can later cause trouble if someone else uses the account to do damage. A plugin such as Inactive Logout handles this: a user who is logged in to the panel but inactive for a configurable number of minutes receives a warning asking whether they want to stay connected, and if they do not answer, the session is terminated and they have to log in again.

Account Verification

When you try to log in to the administration panel and the username or password is wrong, the error message hints whether it was the username and the password that failed or only the password (implicitly confirming that the user exists). These over-explicit error messages can be overridden with a small plugin:

<?php
// Must-use plugin: replaces every login error message with one generic text,
// so the response no longer reveals whether the username exists.
function disable_wordpress_login_errors() {
  return 'Meeeeec!';
}
add_filter('login_errors', 'disable_wordpress_login_errors');

Step-by-step instructions

  1. Create the plugin file or download it ready-made (and unzip the ZIP file).
  2. Connect by FTP to the /wp-content/mu-plugins/ folder. If the folder does not exist, create it.
  3. Upload the file wpdanger-login.php by FTP to the /wp-content/mu-plugins/ folder.
  4. When you enter the administration panel of your WordPress, the Plugins area will show a new "Must-Use" section where the plugin appears. Remember that, being a must-use plugin, you cannot activate or deactivate it.



About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. If you use this content on your website, in your presentation or in any material you distribute, please remember to mention this site or its author, and to put the material you create under the EUPL license.