How to keep hackers out of WordPress

There are a great many ways into your website, and the WordPress admin area is one of the most common. Protecting it is as easy as adding 3 lines of code (Apache directives) to a file named .htaccess in your "/wp-admin" folder.

Most Apache websites have .htaccess (hypertext access) management enabled. These files allow you to change Apache configuration directives at the directory level, so you don't affect other directories or users on the same machine. Luckily, the WordPress administration section is structured so that it can be protected on its own. Placing a .htaccess file in the "/wp-admin" folder will not affect the public side of your WordPress-driven website: legitimate visitors can still browse your site, while the administrative area is locked down to those you explicitly permit.

There's also a second option, which protects individual files rather than directories. You can use it to restrict access to the WordPress wp-login.php script, which is normally located at your web space's root level, the same level as your home page. This article shows how to apply both levels of protection. You can use either one alone, or both together for even greater security.


1. Protecting the WordPress admin directory.
2. Protecting the WordPress login script.

Protecting the WordPress admin directory.

Your "wp-admin" folder is usually located at web level. Here are some common paths to the folder you should protect:

/httpdocs/wp-admin
/public_html/wp-admin
/htdocs/wp-admin
/httpsdocs/wp-admin
/subdomainname/wp-admin

To enable .htaccess protection of your WordPress installation:

  1. On your local computer, open the Notepad program (TextEdit if using Mac OS X) and add the following directives:
    order deny,allow
    deny from all
    allow from 11.22.33.44
    Use your actual IP address in place of the 11.22.33.44 example IP Address. You can see your IP Address by going to http://www.whatsmyip.org/.

  2. Close the file, saving it with the following filename: .htaccess

    The file name must start with a period (.), which may make it invisible on some operating systems, depending on your FTP program's or shell's settings.

  3. Upload the .htaccess file via FTP to the /wp-admin folder on your web server. Again, once uploaded to the server, the file may become invisible, depending on your FTP program's settings.

  4. Load the WordPress admin login page in your web browser. You should see the WordPress login screen as you expect, because the login page (URL) is above the /wp-admin folder. Remember, the directives you add to the .htaccess file only apply to the directory it is uploaded to and any sub-directory contained within it.

    The login form displayed actually points to another script contained within the protected directory. Submitting the login form will trigger the .htaccess file's directives. If your IP address is not listed, you will see a 403 Forbidden error.

What's the order of execution?

Directives can be processed in many orders. In our example above, we tell Apache to evaluate deny directives first, then allow directives. Then we tell Apache who to deny before we tell it who to allow: deny from all, then allow from 11.22.33.44. This is a simple way of denying access to the whole world except the specific users we'd like to invite in.

Testing the Protected WordPress Installation

  1. If you've added your correct IP address to the .htaccess file, edit it and enter a random IP address instead:
    order deny,allow
    deny from all
    allow from 11.22.33.44
    Re-upload it via FTP to your web server, then go to the WordPress login screen and try to log in again. If .htaccess support is enabled, you should see a 403 Forbidden error, because your IP address is no longer defined as a permitted address.

  2. The second way to test that .htaccess support is enabled and your directives are being processed is to delete the .htaccess file. Deleting it removes the protection and allows any user on any IP address to access the directory. Re-creating the .htaccess file re-enables the protection.

If your website is hosted on a Unix/Linux server, there's no logical reason why your host would disable .htaccess support. If it's not supported, it's either an oversight, a configuration error, or an overzealous system security administrator. We've seen a few of those in our time, but very seldom. Contact your host and ask them to enable it, as a matter of security.

Allowing IP Ranges in your directives.

Many users are assigned dynamic IP addresses by their ISP when connecting to the Internet, so adding a single full IP address to your .htaccess file may not be very practical, because your IP address changes every time you connect. Luckily you can add multiple IP addresses (so you can permit both your home and office computers) and you can also easily add a range of IP addresses. Your ISP will usually assign you an IP address from the same range.

  1. Adding multiple IP addresses is as simple as adding multiple allow from directives:
    order deny,allow
    deny from all
    allow from 11.22.33.44
    allow from 55.66.77.88
    allow from 99.11.33.33
  2. Adding IP ranges is just as easy:
    order deny,allow
    deny from all
    allow from 11.22.33.0/24
    allow from 55.66.0.0/16
    allow from 99.0.0.0/8

Take care not to open the ranges up too far. In the above example, the first directive allows access to anyone using an IP address from 11.22.33.0 through 11.22.33.255, and everything in between.

The second directive allows access to anyone using an IP address from 55.66.0.0 through 55.66.255.255, and everything in between. And so on. In other words, if your IP address always starts with either 11.22.33 or 55.66, you'd be granted access.
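To make the order-of-execution rules and the size of each range concrete, here is an added Python evaluator (not code from the original page) that applies a .htaccess ruleset to a client address the way Apache 2.2's Order/Deny/Allow logic does, using the page's own range directives as constructed input. It assumes Apache 2.2 semantics; Apache 2.4 only honours these directives when mod_access_compat is loaded.

```python
import ipaddress

# Constructed example: the "allow from" ranges from this page
# (Apache 2.2 mod_authz_host syntax; Apache 2.4 needs mod_access_compat
# for Order/Deny/Allow, otherwise the "Require ip ..." form is used).
HTACCESS = """
order deny,allow
deny from all
allow from 11.22.33.0/24
allow from 55.66.0.0/16
allow from 99.11.33.33
"""


def parse_htaccess(text):
    """Return (order, deny_rules, allow_rules); <Files> container lines are skipped."""
    order, deny, allow = "deny,allow", [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order":
            order = parts[1].lower()
        elif directive in ("deny", "allow") and parts[1].lower() == "from":
            (deny if directive == "deny" else allow).extend(parts[2:])
    return order, deny, allow


def _matches(rule, ip):
    # "all" matches everyone; a bare host becomes a /32 network.
    return rule.lower() == "all" or ip in ipaddress.ip_network(rule, strict=False)


def is_allowed(text, client_ip):
    """Decide like Apache 2.2: with 'deny,allow' a matching allow overrides any
    deny and unmatched clients get in; with 'allow,deny' a matching deny
    overrides any allow and unmatched clients are refused."""
    order, deny, allow = parse_htaccess(text)
    ip = ipaddress.ip_address(client_ip)
    denied = any(_matches(r, ip) for r in deny)
    allowed = any(_matches(r, ip) for r in allow)
    if order == "deny,allow":
        return allowed or not denied
    return allowed and not denied


def range_size(rule):
    """Number of addresses a host or CIDR 'allow from' rule admits (256 for a /24)."""
    return ipaddress.ip_network(rule, strict=False).num_addresses
```

Note that swapping the page's order to allow,deny with the same deny from all line locks everyone out, including the listed address, which is why the page's deny,allow order matters.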

Protecting the WordPress login script.

Your WordPress login script (wp-login.php) is usually located at web level, the same level as your home page, so you should be able to access it by typing:

http://www.YOUR-DOMAIN-NAME.com/wp-login.php

To protect this file, and just this file, with .htaccess, allowing only permitted IP addresses to access it, you'll need to create or edit a .htaccess file just as in Option 1 described above. Remember, you may already have a .htaccess file on your server, so check first to ensure you don't overwrite other directives your website needs in order to function properly.
  1. On your local computer, open the Notepad program (TextEdit if using Mac OS X) and add the following directives:
    <Files wp-login.php>
    order deny,allow
    deny from all
    allow from 11.22.33.44
    </Files>
    Use your actual IP address in place of the 11.22.33.44 example IP Address. You can see your IP Address by going to http://www.whatsmyip.org/.

  2. Close the file, saving it with the following filename: .htaccess

    The file name must start with a period (.), which may make it invisible on some operating systems, depending on your FTP program's or shell's settings.

  3. Upload the .htaccess file via FTP to the same folder your home page is stored in. Again, once uploaded to the server, the file may become invisible, depending on your FTP program's settings.

  4. Load the WordPress admin login page in your web browser. Now, if the IP address you entered in the .htaccess file is your own IP address, you should see the WordPress login screen as you expect; if you entered some other IP address, you should see a 403 Forbidden error.

You can also permit multiple IP addresses or IP ranges if you're on a dynamic (changing) IP address, so you're not editing the .htaccess file every time you connect to the Internet. Scroll up to Allowing IP Ranges in your directives to see how.

Now, we're not saying you're completely safe. You should continue to exercise caution, keep up to date with WordPress security releases and follow other simple tips on keeping WordPress secure. What we are saying is that only the defined IPs will now have access to the WordPress admin area, so only permitted users will be able to log in, try to log in, try to hack in or attempt brute-force attacks on your installation. We've seen it happen many times, on many servers all over the world. Once a hacker has gained access to WordPress, you know how much access they have to your website; we don't need to tell you what they can do.