You can enable tight login security for WordPress on Apache and NGINX rather easily. To do this on Apache you’ll use an .htaccess file in your webroot and on NGINX you’ll modify the configuration file for your site. This post will explain exactly how to do this on both server types (LAMP & LEMP).
The following edits will lock down your site so that only you can access the control panel (CMS) login screen. Others that try to access your site’s login will be redirected to the homepage, or whatever URL you specify in the configuration. This is for WordPress websites running on Apache.
Be sure to replace the loopback IP (127.0.0.1) in the example above with IP address of the machine you will be using to login to your WordPress website. If you aren’t sure what your IP address is, you can use IP Chicken to quickly find out your public facing IP address, not the local IP or NAT address. Adding the code above to the .htaccess file in the webroot of your WordPress website will prevent users from accessing the login by using https://yoursite.com/wp-login.php.
The WordPress login can also be accessed using a link to the wp-admin sub-folder (https://yoursite.com/wp-admin).
To lockdown the wp-admin folder add the second block of code shown above to the very top of the .htaccess file in the root of your wp-admin folder. If you don’t already have a .htaccess file inside your wp-admin folder, that’s ok, create a new one.
Make sure you replace the loopback IP (127.0.0.1) in the example above with the IP address of the machine you will be using to login. Once you have this setup, users attempting to access your login by using https://www.yoursite.com/wp-admin will be redirected to the homepage, or whatever URL you specify.
Important Note: If you are using Cloudflare on your WordPress website, the origin IP address of your site is being cloaked by default. This is a good thing but in order for the login security settings above to work, you’ll need to make an edit to your systems hosts file, pointing it to the origin IP of your WordPress website. The origin IP of your WordPress website will be the same IP that’s configured in your Cloudflare DNS settings for the A record and the WWW alias.
Open your hosts file with your favorite text editor. The location of the hosts file on Mac or Linux is /etc/hosts and on Windows it’s C:\Windows\System32\drivers\etc\hosts. On a new line at the bottom of the hosts file add the origin IP of your WordPress website press tab and then type your domain, example below:
Like the example above you might want to be safe and add two lines one for the WWW version of your domain and another without. This will make sure the login security settings outlined in this article will work no matter if you access your site with or without the WWW. You should have one version of your domain already forced but that’s outside the scope of this article.
If you are running your WordPress website on NGINX, add the following examples to your sites configuration file (or you can lockdown all WordPress websites running on the server by adding the code to the global NGINX config file (/etc/nginx/nginx.conf).