I’ve been dealing with this matter for a while. I have read a ton of articles and stuff out there, but I couldn’t find a place that shows the RIGHT way (standard, correct, whatever you like to call it) to prevent access to my wp-admin or wp-login.php.
On all WordPress sites I see (the well made ones) you will never see anything if you type thesite.com/wp-admin.
As far as I could see, one way to do this is by creating an .htaccess file and restricting access to that folder by IP. It seems to be the “cleanest” way to do it. What I’m not sure about is that I have a dynamic address provided by my ISP, so at some point my IP will change, which will force me to also change the .htaccess to my new address; I don’t see that as practical. I can also set a range, but by doing that I will also authorize access to all people within that range of IPs (other clients of my ISP, for example).
I’m then struggling to find the best/standard way to do this.
Can anyone help me?
Thanks
From this Codex discussion – this blog article claims to provide a solution for renaming wp-admin. I haven’t tested it, but it does seem to have worked for people. However,
As an alternative, there’s also the option of adding an Apache .htaccess password dialog on top of the wp-admin login. That won’t hide it, but it will provide another (albeit annoying) layer of security.
I’m not aware of a good .htaccess way to limit access IP-wise if you have a dynamic IP, or want to access the site from different networks.
I think it would be possible to work your way around the drawbacks described above by adding filters for admin_url (or possibly even site_url if you just check the $path parameter).
This is pretty much untested but will probably be a good starting point:
Also, if you’re on a network site you might want to take the $blog_id parameter into account and/or do the very same thing for the network_admin_url filter.
There is an article on how to secure wp-admin. It also has its drawbacks, since it gets overwritten every time you update WordPress, but it gets the job done.
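The .htaccess password dialog mentioned in the answers above, as an added example that is not code from any of the posts. It assumes Apache 2.4, an AllowOverride setting that permits AuthConfig, and a placeholder path for the password file; unlike an IP allow-list, it keeps working when the ISP hands out a new address.

```apache
# ---- File 1: wp-admin/.htaccess ----
# Ask for an HTTP Basic username/password before anything in wp-admin
# is served. Create the password file once with:
#   htpasswd -c /path/outside/webroot/.htpasswd someuser
AuthType Basic
AuthName "Restricted"
# Placeholder path (assumption): keep this file outside the web root
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# Themes and plugins call admin-ajax.php on behalf of logged-out
# visitors, so exempt that one file or front-end features break.
<Files "admin-ajax.php">
    Require all granted
</Files>

# ---- File 2: .htaccess in the site root ----
# wp-login.php lives outside wp-admin, so it needs its own block.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /path/outside/webroot/.htpasswd
    Require valid-user
</Files>
```

Basic authentication sends the credentials base64-encoded on every request, so serve the site over HTTPS when using it.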