WordPress Security

How to Super Secure Your WordPress Admin from Hackers – Changing Admin URL, Adding IP Restrictions & htpasswd

Updated on: June 18, 2020

How to Super Secure Your WordPress Admin from Hackers – Changing Admin URL, Adding IP Restrictions & htpasswd

Are you experiencing multiple bruteforce attempts on your WordPress admin area? If yes, then it’s high time you did something about it. In this tutorial, we will explain how you can change the default URL of your WordPress admin page. WordPress sites, by default, have one of these admin URLs – /wp-admin, /admin, /login on their website, which is widely known and poses a huge threat. Hence, we advise changing that.

Changing your default admin URL will add an additional layer of security to your login area by restricting arbitrary access. By protecting your admin area from unauthorized access, you can save yourself from an array of common security threats.

Changing the default admin URL is just one of the security methods to secure your admin area. Follow these crucial tips given in this extensive WordPress security guide to fully secure your WordPress.

1. Changing the Admin URL

You might know that by default, the “wp-login.php” file comprises of all the code that creates the login page. It also manages the login sequences. You can make use of the code from “wp-login.php” in your new file.

It is a simple but smarter way to alter the name of your “wp-login.php” file and it will eventually alter your login URL. You only need to access the files of your website and a text editor.

The steps are explained below:

  • Creating a New File: Open your text editor and create a new file. Now save it into the root folder. Give it a name whatever you want to see in place of your login URL.
  • Copy-Paste the Code: Now, you need to open up the “wp-login.php” file, select the code and then copy it into the new file. Don’t forget to save it.
  • Discover and Replace the String named “wp-login.php” You need to find and exchange all the occurrences of “wp-login.php” in the file with the name of your new file. If you are using Notepad++, then you can use the function, called “find and replace” to save your time.

  • Give a Test to Your New Login URL: In the end, you should be capable of logging by directing to your new URL. Now, if anyone tries to access /wp-login.php or /wp-admin directories, then he/she will get a ‘404 not-found page’.Download the Ultimate WordPress Security Checklist, helps you assure you’ve covered all the bases for your WordPress security.
  • 2. Using .htaccess for Hiding the WordPress Login Page

    For adding further security, you can conceal your WordPress login page through the utilization of the .htaccess file of your website. The two usual ways to conceal your login page with .htaccess are:

    1. Through the utilization of .htpasswd to need a password for accessing wp-admin
    2. Limiting access to wp-login by IP address

    Both of these ways have come straightforwardly from the WordPress codex entry on brute-force attacks, therefore, you can relax by knowing that they are WordPress approved.

    How to Secure WordPress Login With .htpasswd

    With the help of this procedure, a person attempting to access your wp-admin panel will get extra password this prompt. No username or password means, no login page and it is very simple to set up. You need to follow these three below-mentioned steps:

    1. Step 1: You need to go to Htpasswd Generator and then submit your preferred username and password. After that, you need to click Create .htpasswd file. The particular tool will encode your password automatically and provide you with the text to add to your .htpasswd file:



  • Step 2: You need to add that text to a file called “.htpasswd” and then upload it to your WordPress website’s root directory. Notepad can be used for the creation of the file. Don’t forget to save it using the “All Files” option.
  • Step 3: You need to add the below-mentioned code to the top of whatever is existing .htaccess file (also placed in the root directory of your website):[code inline=”false” scrollable=”false”]
    # Stop Apache from serving .ht* files
    <Files ~ “^\.ht”>
    Order allow,deny
    Deny from all
    # Protect wp-login
    <Files wp-login.php>
    AuthUserFile ~/.htpasswd
    AuthName “Private access”
    AuthType Basic
    require user yourusername
  • Don’t forget to replace “yourusername” with the real username that you have used in your .htpasswd file. You have done it. Now, enjoy this new security.

    You need to remember that it might not work with each and every hosting platform. Some of the companies are involved with other ways to conceal the login page through the contact to support.

    How to Hide WordPress Login by IP Address with .htaccess

    Another way through which you can use .htaccess for concealing your WordPress login is limiting by IP address. A person, who has an authorized IP address, will view your normal WordPress login page, while rest of the others will see the following:

    It is a good procedure in case you hold a static IP address and if not so many individuals need to access your website. Alternatively, you can proceed with the .htpasswd method. For this setting, you need to add the below-mentioned bit of code to the head of your .htaccess file. Additionally, you can discover your .htaccess file in your WordPress site’s root directory.

    [code inline=”false” scrollable=”false”]

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteRule ^(.*)$ – [R=403,L]


    You need to replace “!^123\.123\.123\.123$” with your IP address’s numbers.

    If you want to permit multiple IP addresses for accessing to your website, then you need to add a new line for all addresses. For an instance, to give access to a second IP address, it will look as follows:

    [code inline=”false” scrollable=”false”] 
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteCond %{REMOTE_ADDR} !^223\.223\.223\.223$
    RewriteRule ^(.*)$ – [R=403,L]


    Now, your login page is concealed from anyone having a non-authorized IP address.

    Astra’s Login Activity Shows All the Unsuccessful Bruteforce & Successful Legit Logins

    Still not sure of complete security? Astra keeps a tap of each successful & unsuccessful bruteforce attempt on your WordPress. You receive an hourly summary of all the unsuccessful and successful login attempts:

    Tags: ,

    Astra Team

    We are on a mission to make web a more secure place, one website at a time!
    Notify of

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    1 Comment
    Newest Most Voted
    Inline Feedbacks
    View all comments

    […] that of ionCube-encoded files to compromise various websites. Among the affected ones were sites based on WordPress, Joomla, and CodeIgniter. The malware allows hackers to create a backdoor on vulnerable websites, […]

    Psst! Hi there. We’re Astra.

    We make security simple and hassle-free for thousands
    of websites and businesses worldwide.

    Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

    earth spiders cards bugs spiders

    Made with ❤️ in USA France India Germany