What’s the correct way to hide/prevent access to wp-admin

I’m dealing with this matter since a while, I have read a ton of articles and stuff out there but I couldn’t find a place that shows the RIGHT way, standard, correct, whatever you like to call it, to prevent access to my wp-admin or wp-login.php

On all WordPress sites I see (the well made ones) you will never see anything if you type thesite.com/wp-admin

Read More

As I could see, one way to do this is by restricting the access to that folder by creating an .htaccess file and restrict by IP the access to the folder. Seems to be the “cleanest” way to do. What I’m not sure about it is that I have a dynamic address provided by my ISP, so on a certain time my IP will change, that will force me to also change the .htaccess to my new address, I don’t see that practical. I can set a range also, but by doing that I will also authorize access to all people within that range of IPs (other clients of my ISP for example).

I’m then struggling to find the best/standard way to do this.

Anyone can help me?

Thanks

Related posts

Leave a Reply

3 comments

  1. From this Codex discussionthis blog article claims to provide a solution for renaming wp-admin. I haven’t tested it, but it does seem to have worked for people.

    However,

    This hack has its drawbacks.

    • The “edit” link on your posts will no longer work. You may want to remove it from your theme.
    • The admin link on your side bar will no longer work. You may want to remove it from your theme.
    • The standard login link will no longer work. Instead, use a bookmark as it will redirect you back to your hidden login page after you finish logging in.

    As an alternative, there’s also the option of adding an Apache .htaccess password dialog on top of the wp-admin login. That won’t hide it, but it will provide another (albeit annoying) layer of security.

    I’m not aware of a good .htaccess way to limit access IP-wise if you have a dynamic IP, or want to access the site from different networks.

  2. I think it would be possible to work your way around the drawbacks described above by adding filters for admin_url (or possibly even site_url if you just check the $path parameter).

    This is pretty much untested but will probably be a good starting point:

    function my_admin_url($url = null, $path = null, $blog_id = null) {
    
        // This our `wp-admin` replacement
        // probably wiser to use a filter/function for this, so that you can
        // do it dynamically by checking for the actual directory or something
        $custom_admin_dir = 'my-admin';
    
        // Remove filename.php
        if (!empty($path))
            $url = dirname($url);
    
        // Remove wp-admin
        $url = dirname($url);
    
        // Build up a new URL
        $url = trailingslashit(trailingslashit($url) . $custom_admin_dir) . $path;
    
        return $url;
    }
    
    add_filter('admin_url', 'my_admin_url', 10, 3);
    

    Also, if your on a network site you might want to take the $blog_id parameter into account and/or do the very same thing for the network_admin_url filter.