WordPress Tight Login Security
February 19th, 2020 / By Andrew Currie

You can enable tight login security for WordPress on Apache and NGINX fairly easily. On Apache you use an .htaccess file in your webroot; on NGINX you modify the configuration file for your site. This post explains exactly how to do this on both server types (LAMP and LEMP). Be sure to replace the loopback IP (127.0.0.1) in the example below with the IP address of the machine you will be using to log in to your WordPress website. If you aren’t sure what your IP address is, you can use IP Chicken to quickly find your public-facing IP address (not your local or NAT address). Adding the code above to the .htaccess file in the webroot of your WordPress website will prevent users from accessing the login via https://yoursite.com/wp-login.php.
The WordPress login can be reached at either https://yoursite.com/wp-login.php or https://yoursite.com/wp-admin. To lock down both, add the first block to the .htaccess file in your webroot and the second block to the .htaccess file in the wp-admin sub-folder of your site. If you don’t already have an .htaccess file inside your wp-admin folder, that’s fine: create a new one.
Make sure you replace the IP (X.X.X.X) in the examples with the IP address of the machine you will be using to log in. Once this is set up, users attempting to reach your login via https://yoursite.com/wp-login.php or https://www.yoursite.com/wp-admin will be redirected to the homepage, or to whatever URL you specify.
Important Note: If you are using Cloudflare in front of your WordPress website, the origin IP address of your site is cloaked by default. That is a good thing, but it also means your own requests reach the server from Cloudflare’s addresses rather than from your IP, so the allow rule above never matches. For the login security settings to work, you’ll need to edit your system’s hosts file so that your domain points at the origin IP of your WordPress website. The origin IP is the same IP configured in your Cloudflare DNS settings for the A record and the WWW alias.
Open your hosts file with your favorite text editor. On Mac or Linux the hosts file is at /etc/hosts; on Windows it’s C:\Windows\System32\drivers\etc\hosts. On a new line at the bottom of the file, add the origin IP of your WordPress website, press Tab, then type your domain, as in the example below (replace the loopback IP with your web server’s origin IP address):
127.0.0.1 yoursite.com
127.0.0.1 www.yoursite.com
If you are running your WordPress website on NGINX, add the third example to the server block of your website’s NGINX configuration (/etc/nginx/nginx.conf or /etc/nginx/conf.d/yoursite.com.conf).
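As an added example (not the post’s own configuration), the NGINX server block below locks both wp-login.php and the wp-admin folder to a single IP and sends everyone else to the homepage, which is what the post describes for Apache. The address 203.0.113.10, the webroot path and the PHP-FPM socket are placeholders you replace with your own values.

```nginx
server {
    listen 443 ssl;
    server_name yoursite.com www.yoursite.com;
    root /var/www/yoursite.com;            # placeholder webroot
    index index.php;
    # Public site: standard WordPress front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    # 1. The login script: only the allowed IP may reach it; everyone else
    #    gets a 302 to the homepage instead of a bare 403.
    location = /wp-login.php {
        allow 203.0.113.10;                # placeholder: your public login IP
        deny all;
        error_page 403 =302 https://yoursite.com/;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
    }
    # 2. The admin folder. "^~" makes this prefix win over the generic PHP
    #    regex location at the bottom, so PHP under /wp-admin/ is handled here.
    location ^~ /wp-admin/ {
        allow 203.0.113.10;
        deny all;
        error_page 403 =302 https://yoursite.com/;
        # admin-ajax.php is also called by the public front end for logged-out
        # visitors; leave it open so plugins that rely on it keep working.
        location = /wp-admin/admin-ajax.php {
            allow all;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }
    # Everything else that is PHP (the public site).
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

With Cloudflare proxying the site, NGINX sees Cloudflare’s edge address in the client IP, so the allow rule only matches once your own machine reaches the origin directly, which is what the hosts-file edit above achieves. Check the result with nginx -t before reloading.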