How to prevent users to access wp admin and wp-login.php?

2 Views

I want restrict all users to access WordPress website login.

For example: Suppose I have WordPress website domain example1.com and I want to restrict all users to access admin login with example1.com/wp-admin and example1.com/wp-login.php.

Read More

When any user hits these url it redirect to restrict_user page and also I want to access wordpress login page with example1.com/user_login instead of hit example1.com/wp-admin and example1.com/wp-login.php urls.

And please suggest me how can i make my WordPress website more secure from hacking?

Post Views: 2

Related posts

3 comments

  1. You can lock down the wp-admin page with htaccess deny all and hen setting an allowed ip.

    order deny,allow
deny from all
allow from 127.0.0.1

    You can also set a htpasswd file with allowed logins and password protect the page. I would also make sure your username in wp-admin is not something easy like ‘admin’ or ‘editor’.

    <IfModule mod_auth.c>
 AuthUserFile /home/path/.htpasswd
 AuthName "Username and password required"
 AuthType Basic
 <Limit GET POST>
  Require valid-user
 </Limit>
</IfModule>

    Furthermore i would highly recommend wordfence as a good plugin for protection from hacks etc.

  2. Restricting access to wp-admin directory

    Apache 2.4+

    Add this snippet to your .htaccess file, created in wp-admin directory:

    <RequireAny>
    Require ip 64.176.174.0/255.255.255.0
    Require ip 64.176.176.0/255.255.255.0
</RequireAny>

    and add as many IP Address/Subnet Mask pairs, as you wish, regarding the client IP address you would like to have access to admin area. I have added two samples above.

    Apache 2.4-

    Add this snippet to your .htaccess file, created in wp-admin directory:

    <Directory>
    Order Deny,Allow
    Deny from all
    Allow from 64.176.174.0/255.255.255.0
</Directory>

    Restricting access to wp-login.php path

    Add this snippet to you current theme’s functions.php file:

    function my_checkRole(){
    if( !( current_user_can( 'administrator' ) ) && !( defined('DOING_AJAX') && DOING_AJAX ) ){
        wp_redirect( site_url( 'restrict_user' ) );
        exit;
    }
}

add_action( 'admin_init', 'my_checkRole' );

    Changing the wp-admin path

    It is possible to change it, but why do you think that has any value at all? You cannot hide anything from a Bot – that is just not possible to do.

    Hackers use automated Bot programs to find whatever they want to find.

    A good approach is Action Approach:

    hacker X does bad action Y and the result is Z = Forbidden.

    So just use the presented method in Restricting access to wp-login.php path section and that will be OK.

  3. From nginx, using php7.0-fpm on Ubuntu 16.04LTS.

    My base configuration I modified from:
    https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-in-ubuntu-16-04

    I found a bunch of configs online that tried to combine wp-login.php and wp-admin into the same rule, but allowed wp-login.php to be raw downloadable!
    Granted, its a generic WordPress file, but that is dangerous behaviour.

    I’ve separated the rules, since wp-admin is a folder, anything accessed within will follow generic rules for images/php/etc. For wp-login.php I wanted to specifically replicate php execution. I’ve allows full internal network access to 10.x.x.x.

      location ~ wp-login.php {
    allow 10.0.0.0/8
    deny all;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
  }
  location /wp-admin/ {
    allow 10.0.0.0/8
    deny all;
    index index.php index.html index.htm;
    try_files $uri $uri/ /index.php?$args;
  }

Comments are closed.