Most WordPress users are familiar with brute-force login attacks on their websites. Without proper defence through an appropriate security plugin, this can be a severe drain on your server – even without any person or bot managing to guess your password.

What some people may be less aware of, though, is that there is a much more efficient and reliable way to lock down your WordPress login page and admin area through your .htaccess file.


  • Access to your server via FTP and/or SSH in order to edit your .htaccess file
  • Willingness to update the .htaccess file every time you want to access your site from a new IP address

What is an .htaccess file?

Put simply, this is a small hidden file that can be placed in any directory and then tells the server how to behave. It is used by WordPress itself to generate appropriate page URLs according to your settings.

Why not just rely on security plugins?

Security plugins generally work on an “innocent-until-proven-guilty” principle, i.e. they block bad IPs only once those IPs break the rules defined by you or by the plugin itself. This can put a heavy load on the server. While you might still want something like Wordfence to protect against content-ripping bots, spammers, and other malicious activity, there’s no reason to make its job harder than it needs to be. A small adjustment to the .htaccess file means Wordfence, or whatever plugin you are using, no longer has to monitor the IP addresses trying to reach your login page, when 99.9% of them will not be legitimate (i.e. you) anyway.

Advantages of this approach

  • Much better security: only an IP you specify will even see that the page exists.
  • Much lower server drain than using a plug-in to monitor login failures.

Disadvantages of this approach:

  • You can no longer just log into your WordPress page “on the fly” from a new IP address: you have to edit the .htaccess file to add your new IP address.
  • This can be a lot more work if you are assigned a dynamic IP address by your internet service provider. In my case, I am assigned a new IP every time I reset the router.


  • It protects both your login page and the admin area – providing effective protection against a number of script-based attacks.
  • This .htaccess file goes in the root directory of your WordPress installation.
  • This can also be used with IPv6 addresses.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# Replace 203.0.113.5 (a documentation-range placeholder) with your own IP address,
# escaping each dot. A bare !^$ would match every visitor and lock you out as well.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.5$
RewriteRule ^(.*)$ - [R=404,L]
</IfModule>

The first half there is just the part that WordPress needs in order to rewrite page names. I am including it again here in case people accidentally overwrite it and go into a panic. The only part you actually need to add is:

RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{
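Because the allow-list has to be re-edited whenever your IP changes, and because dots must be escaped while IPv6 colons must not, here is an added Python helper (not from the original post) that renders the lockdown block for any number of addresses and mirrors the rule's decision so a list can be checked before it is uploaded. The addresses in `ALLOWED` are constructed documentation-range placeholders.

```python
import ipaddress
import re

# Constructed sample allow-list. 203.0.113.5 and 2001:db8::1 are documentation
# range placeholders, not real addresses; replace them with your own.
ALLOWED = ["203.0.113.5", "2001:db8::1"]

# Same URI tests as the .htaccess block on this page.
PATH_RE = re.compile(r"^(.*)?wp-login\.php(.*)$|^(.*)?wp-admin$")


def regex_for_ip(ip_text):
    """Anchored regex that matches exactly one address, as REMOTE_ADDR reports it."""
    ip = ipaddress.ip_address(ip_text.strip())  # ValueError on a malformed entry
    # Dots are regex metacharacters, so 1.2.3.4 must be written 1\.2\.3\.4.
    # IPv6 colons and hex digits need no escaping; str(ip) gives the compressed
    # form, which is assumed here to be what Apache puts in REMOTE_ADDR.
    return "^" + re.escape(str(ip)) + "$"


def build_lockdown_block(allowed):
    """Render the wp-login/wp-admin lockdown block for one or more addresses."""
    if not allowed:
        # With no address a bare "!^$" matches everyone and locks out the owner too.
        raise ValueError("refusing to emit a block that would 404 every visitor")
    lines = [
        "<IfModule mod_rewrite.c>",
        "RewriteEngine On",
        "RewriteCond %{REQUEST_URI} ^(.*)?wp-login\\.php(.*)$ [OR]",
        "RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$",
    ]
    # Consecutive RewriteConds are ANDed, so with several addresses the 404
    # fires only when the client matches none of them.
    for ip_text in allowed:
        lines.append("RewriteCond %{REMOTE_ADDR} !" + regex_for_ip(ip_text))
    lines += ["RewriteRule ^(.*)$ - [R=404,L]", "</IfModule>"]
    return "\n".join(lines) + "\n"


def request_gets_404(path, remote_addr, allowed):
    """Mirror the rule's decision so an allow-list can be checked before deploying."""
    if not PATH_RE.match(path):
        return False  # rule only applies to the login page and admin URI
    addr = str(ipaddress.ip_address(remote_addr))
    return not any(re.fullmatch(regex_for_ip(a), addr) for a in allowed)


if __name__ == "__main__":
    print(build_lockdown_block(ALLOWED))
```

Note that the page's `^(.*)?wp-admin$` pattern only matches a URI ending exactly in `wp-admin`, so the checker reports `/wp-admin/` (trailing slash) as not covered; WordPress sends unauthenticated visitors there on to wp-login.php, which is covered.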