Are you experiencing multiple bruteforce attempts on your WordPress admin area? If yes, then it’s a high time to do something about it. In this tutorial, we exploit how your can change the URL of WordPress admin, add an additional layer of security to your login area and how to restrict WordPress admin area by IP. By protecting your admin area from unauthorized access, you can save yourself from an array of common security threats. You just need to follow some of the crucial tips to save your WordPress admin area. The first method includes changing the admin URL and the second one includes adding additional layer of security on your WordPress admin.

1. Changing the Admin URL

You might know that by default, the “wp-login.php” file comprises of all the code that creates the login page. It also manages the login sequences. You can make use of the code from “wp-login.php” in your new file.

It is a simple but smarter way to alter the name of your “wp-login.php” file and it will eventually alter your login URL. You only need to access the files of your website and a text editor.

The steps are explained below:

  • Creating a New File: Open your text editor and create a new file. Now save it into the root folder. Give it a name whatever you want to see in place of your login URL.
  • Copy-Paste the Code: Now, you need to open up the “wp-login.php” file, select the code and then copy it into the new file. Don’t forget to save it.
  • Discover and Replace the String named “wp-login.php” You need to find and exchange all the occurrences of “wp-login.php” in the file with the name of your new file. If you are using Notepad++, then you can use the function, called “find and replace” to save your time.
  • Delete the wp-login.php File Now, you should delete “wp-login.php”. Don’t take any stress because you will have your backup in case any error (s) happened. Source
  • Give a Test to Your New Login URL: In the end, you should be capable of logging by directing to your new URL. Now, if anyone tries to access /wp-login.php or /wp-admin directories, then he/she will get a ‘404 not-found page’.Download the Ultimate WordPress Security Checklist, helps you assure you’ve covered all the bases for your WordPress security.

2. Using .htaccess for Hiding the WordPress Login Page

For adding further security, you can conceal your WordPress login page through the utilization of the .htaccess file of your website. The two usual ways to conceal your login page with .htaccess are:

  1. Through the utilization of .htpasswd to need a password for accessing wp-admin
  2. Limiting access to wp-login by IP address

Both of these ways have come straightforwardly from the WordPress codex entry on brute-force attacks, therefore, you can relax by knowing that they are WordPress approved.

How to Secure WordPress Login With .htpasswd


With the help of this procedure, a person attempting to access your wp-admin panel will get extra password this prompt. No username or password means, no login page and it is very simple to set up. You need to follow these three below-mentioned steps:

  1. Step 1: You need to go to Htpasswd Generator and then submit your preferred username and password. After that, you need to click Create .htpasswd file. The particular tool will encode your password automatically and provide you with the text to add to your .htpasswd file:


  2. Step 2: You need to add that text to a file called “.htpasswd” and then upload it to your WordPress website’s root directory. Notepad can be used for the creation of the file. Don’t forget to save it using the “All Files” option.
  3. Step 3: You need to add the below-mentioned code to the top of whatever is existing .htaccess file (also placed in the root directory of your website):
    # Stop Apache from serving .ht* files
    <Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    # Protect wp-login
    <Files wp-login.php>
    AuthUserFile ~/.htpasswd
    AuthName "Private access"
    AuthType Basic
    require user yourusername

Don’t forget to replace “yourusername” with the real username that you have used in your .htpasswd file. You have done it. Now, enjoy this new security.

You need to remember that it might not work with each and every hosting platform. Some of the companies are involved with other ways to conceal the login page through the contact to support.

How to Hide WordPress Login by IP Address with .htaccess

Another way through which you can use .htaccess for concealing your WordPress login is limiting by IP address. A person, who has an authorized IP address, will view your normal WordPress login page, while rest of the others will see the following:


It is a good procedure in case you hold a static IP address and if not so many individuals need to access your website. Alternatively, you can proceed with the .htpasswd method. For this setting, you need to add the below-mentioned bit of code to the head of your .htaccess file. Additionally, you can discover your .htaccess file in your WordPress site’s root directory.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L] </IfModule>

You need to replace “!^123\.123\.123\.123$” with your IP address’s numbers.

If you want to permit multiple IP addresses for accessing to your website, then you need to add a new line for all addresses. For an instance, to give access to a second IP address, it will look as follows:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^223\.223\.223\.223$
RewriteRule ^(.*)$ - [R=403,L] </IfModule>

Now, your login page is concealed from anyone having a non-authorized IP address.

Astra’s Login Activity Shows All the Unsuccessful Bruteforce & Successful Legit Logins

Still not sure of complete security? Astra keeps a tap of each successful & unsuccessful bruteforce attempt on your WordPress. You receive an hourly summary of all the unsuccessful and successful login attempts:

Was this post helpful?

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Astra Team

We are on a mission to make web a more secure place, one website at a time!

1 Comment

  1. Hacked WordPress, Joomla & CodeIgniter Website? This ionCube Malware Could be the Cause - Astra Web Security Blog - Reply

    […] that of ionCube-encoded files to compromise various websites. Among the affected ones were sites based on WordPress, Joomla, and CodeIgniter. The malware allows hackers to create a backdoor on vulnerable websites, […]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.