WordPress Admin Security

Yeah there are a lot of script kiddies out there scanning word press sites and brute forcing word press admin logins. There are ways you can limit access to the wordpress admin panel from restricted set IP Address or block unwanted browser agents. Here are some examples using .htaccess and rewrite :


Most likely there is already an .htaccess file inside your wordpress directory. Add the following snippets to your .htaccess file :


Restrict WP Admin to known IP Address only and throw 404 for everyone else, You can add multiple IP Addresses on new line:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^192\.168\.100\.111$
RewriteRule ^(.*)$ - [R=404,L]


You can block by different SERVER variables in the same manner. Below are some examples.

Block By Referrer :

RewriteCond %{HTTP_REFERER} !^http://(.*)?yoursite\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]


Block By User Agent :

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(Mechanize).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} ^.*(Baiduspider|HTTrack|Yandex).*$ [NC]
RewriteRule .* - [F,L]