How to Limit Access to WordPress Admin Directory?


More than 60 million websites are currently operated by WordPress, which makes it the most common CMS. Since success attracts both good and bad interest, any minute of the day, WordPress pages appear to encounter 90000 hack attempts. Unfortunately, when it comes to site management, there is no magic bullet that can deliver security on all fronts. Instead, you have to do certain things to ensure that your site is protected from hackers by enforcing encryption on different fonts. The method of inserting multiple layers of security is referred to as layered defence. We spoke earlier about protective mechanisms, such as using HTTP authentication, two-factor authentication, strong usernames and passwords. We are studying another security approach today under which you can block access to the WordPress admin directory.

Where the main WordPress files live is the WordPress admin directory. The files in it allow users like yourself to perform different administrative functions. For example, WordPress checks whether the credentials you have presented are right as you want to log in to the dashboard, or if you are an admin or a basic blogger with restricted access to the web. Files in the wp-admin folder allow these tasks to be carried out by WordPress.

They can change the files to further their own motives when hackers get access to your site. They could begin to decide who gets access to the website and who doesn’t. There is a real risk that management and the website owner may be blocked out. You may lose access to a place of your own. This is why it is mandatory to take early care. Limiting entry to your WordPress admin directory restricts your account from being taken over by hackers.

The best way to describe how the constraint functions is with an analogy. If a house was your website, and then your WordPress admin directory is the entrance to the house. Now, if you deploy a guard at the entrance, your home is further secured (read, the site). The guard is responsible for confirming each visitor’s (read IP address) and then approving or refusing entry to the building (i.e. website). In this article, we’ll teach you how to use IP addresses to control access to the WordPress admin directory. This simply means that you can only block unique rogue IP addresses from entering the WordPress site’s admin directory.

It’s important to remember, before we start, that you need to make sure your IP address is static. We recommend you do a Google search or chat to your internet company if you are not sure about your IP address.

Limit your WordPress Admin Directory access:

To get started, you can first download the .htaccess file from your File Manager. Take the following steps:

Step 1: Sign in to your account with your web host and go to a website named cPanel. There, you should be able to find a File Manager option. Choose that, and a page opens that looks something like this:

wordpress-admin-directory-cPanelStep 2: This is a standard page for a file manager. There are a bunch of files on the left-hand page. Choose public-html, and you can see a drop-down.

Step 3: There will be a folder called wp-admin in the drop-down. In this folder, you can find a file with .htaccess. You’d note that, unlike other directory directories, .htaccess does not have an extension such as .html or .txt. Uh, or PHP.

Step 4: What you need to do is download the file using the download button on the File Manager tab to download the .htaccess file. It needs to look more like the illustration below:

In the public html archive, .htaccess is often concealed and does not appear. What you need to do when that’s the case is go back to cPanel and press File Manager. There will be a popup where you need to pick ‘Display Secret Files’.

wordpress-admin-directory-hidden-.htaccessfilesIf you figure out that there is no .htaccess file on your website, you’ll need to build a new one.

After you have downloaded a file called .htaccess, open it. It is expected to look more like the illustration below:


Step 5: Apply the following code at the end of the .htaccess file:

order deny, allow 

allow from your.IP.address 

deny from all

Note: Instead of ‘IP.address.1’ and ‘IP.address.2’, put the IP address that you want to blacklist.

Step 6: You will need to upload the file to the public html directory of the File Manager once you are finished. The Upload alternative should appear on the File Manager tab.

limit-wordpress-admin-directory-filemanagerThe IP’s you listed will be blocked after you upload the file. They can see a ‘403 Banned’ error on the website as these IP addresses attempt to enter your site.

Make sure the .htaccess file you changed was from the ‘wp-admin’ directory and not from the WordPress’s root directory (i.e. public html). In the root directory, there is a .htaccess file and we are not making any changes to it. If you change the .htaccess file in the ‘wp-admin’ directory by mistake, then all visits to your site will be disabled. That you don’t like. That is why we would suggest that you be very patient.

When you restrict access to the WordPress admin directory using IP, there is one problem that can occur. It abuses the Ajax features of the front-end. This specific feature allows web pages to display updates in real-time. For eg, you can use a plugin on your website that allows Twitter to feed you. It immediately appears on the web every time you tweet something. To see the tweet, you don’t need to reload the tab. Thanks to the Ajax feature, this is possible.

You’ll need to figure out if all of your plugins use Ajax on the front end to avoid breaking the front-end Ajax option. If so, then you’ll have to apply the following code from the wp-admin directory to your .htaccess file.

<Files admin-ajax.php> 

order allow, deny 

allow from all 

satisfy any </Files>

Which it is.

Towards You Over

You’d have to have some understanding of WordPress files to restrict access to the WordPress admin directory. We hope that your site will be a little more stable after reading this article than it was before. If you have questions or comments, please email us. Thanks for caring, then.