There’s always a handful of ways to do anything, and using .htaccess to restrict access to your wp-login.php script fits right in to that logic.
I’m assuming that if you are reading this that you are already aware of the .htaccess file, if you are not…
The .htaccess file is a flat text file that is added to a directory that allows you to add configuration to the webserver for that directory, and all directories beneath it.
The Pros for using .htaccess to modify your websites configuration:
- It allows you to modify your websites configuration without editing the websites configuration file.
- It allows you to do things on the fly and test things before adding to your configuration, if you chose to do so.
- WordPress plugins can access and modify it.
- Each directory can potentially have its own configuration.
- It allows you to modify your websites configuration, which can stop your website from working
- Each item that is downloaded from your website will require a read to the file, creating a performance hit.
- WordPress plugins can modify it, which means unsafe plugins can have undesirable consequences.
In regards to the performance hit, the amount that it does effect is not noticable under normal circumstances, but I wanted to mention it so that the list is accurate. View Apache Performance Hit discussion.
How To Block Access to wp-login.php
With all the Pro’s and Con’s out of the way, lets get to the code.
First, get your IP address: Using Google
Your IP address will be a group of numbers that look like “22.214.171.124”, Your number Will be different.
If you aren’t comfortable with editing .htaccess files, make a backup, if you mess up just put the old one back.
There are multiple ways to edit your .htaccess file, WordPress Plugins, using SSH, using FTP, etc., use which works best for you.
In your .htaccess file, after the lines:
RewriteEngine On RewriteBase /
<Files wp-login.php> order deny,allow deny from all allow from <YOUR IP> </Files>
An Example using the IP address I showed earlier:
<Files wp-login.php> order deny,allow deny from all allow from 126.96.36.199 </Files>
I have noticed that some of the Spam bots will try to POST directly to xmlrpc.php. The way to combat this is to add it to the same FILES directive above:
<Files wp-login\.php | xmlrpc\.php> order deny,allow deny from all allow from 188.8.131.52 </Files>