If you are using WordPress to power your blog, then you should block access to the WordPress back-end login page, or you may fall prone to brute-force attacks and have your website hacked. This is probably one of the best ways to secure a WordPress site, because only white-listed IP addresses can reach the WordPress admin. Another problem with leaving your blog’s back-end open is increased resource usage, since brute-force attacks consume a lot of CPU, memory and I/O.
If you are signed up to a shared hosting plan and your I/O usage is maxed out almost all the time even with little traffic, then block access to your WordPress site’s back-end page and see if performance improves. A hacker could be trying to break into your website, and that is why your resource usage rises. I tried this trick before on one of my news blogs and my usage dropped the moment I added the restriction code to my WordPress .htaccess file. Only my IP address could reach the WordPress admin login page, which made me more secure even without using a plugin.
How do we block the WordPress back-end?
You can block the WordPress back-end either by using plugins or by adding code to your WordPress .htaccess file. I recommend the .htaccess method because it doesn’t consume resources the way plugins do, and it needs no updates unless you want to white-list more IP addresses.
Method 1 – Via .htaccess
With the .htaccess block in place, a browser coming from an IP address that is not authorized to reach the WordPress admin login page ends up in an infinite redirect loop, which the browser terminates on its own. Before opting for this method, make sure you list every IP address that should be able to access your back-end. Open your .htaccess file and add the code below to it. If you don’t see the .htaccess file, enable the option to show hidden files in the root of your server; this file is hidden in most cases.
# By Marky - WP root directory: deny entry for wp-login.php and xmlrpc.php
<Files wp-login.php>
    order deny,allow
    deny from all
    # one "allow from" line per white-listed address
    allow from IP
    allow from IP
    allow from IP
    allow from IP
</Files>
<Files xmlrpc.php>
    order deny,allow
    deny from all
    allow from IP
    allow from IP
    allow from IP
    allow from IP
</Files>
# End WordPress
Don’t forget to substitute ‘IP’ with your IP address. If you don’t know your public IP address, look it up before editing the file. The code above blocks access to the wp-login.php and xmlrpc.php files from unauthorized IP addresses. However, this is just the first layer. To completely block access, create a new .htaccess file in the wp-admin folder and add the following code to it.
# By Marky - WP admin folder: deny entry to the entire admin folder
order deny,allow
deny from all
# one "allow from" line per white-listed address
allow from IP
allow from IP
allow from IP
allow from IP
<Files index.php>
    order deny,allow
    deny from all
    allow from IP
    allow from IP
    allow from IP
    allow from IP
</Files>
# End WordPress
Same as with the code above: don’t forget to substitute ‘IP’ with your IP address. This code completes the second layer by blocking the entire wp-admin folder from any unauthorized IP address. Once both snippets are in their respective .htaccess files, no IP address apart from the ones on the white-list will be able to reach the WordPress back-end.
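A defender-side check to go with the rules above, added here as an example and not part of the original post: it scans Apache access-log lines for repeated requests to wp-login.php, xmlrpc.php and the wp-admin folder, and flags any non-white-listed address that still got an answer other than 403 on those paths, which means the block is not in effect. The log lines, the white-listed address 198.51.100.9 and the threshold of 10 requests are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Paths the .htaccess rules above are meant to protect.
PROTECTED = ("/wp-login.php", "/xmlrpc.php", "/wp-admin/")

# Apache "combined" log format; adjust the pattern if your host uses a custom LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return ip/method/path/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"])}

def analyze(lines, allowlist, threshold=10):
    """Return (attackers, leaks).

    attackers: IPs with at least `threshold` requests to protected paths (brute-force candidates).
    leaks: non-white-listed IPs that got a status other than 403 on a protected path,
           i.e. the .htaccess block is not actually in effect for them.
    """
    allowed = {ip_address(a) for a in allowlist}
    hits = Counter()
    leaks = defaultdict(set)
    for line in lines:
        r = parse_line(line)
        if r is None or not r["path"].startswith(PROTECTED):
            continue
        hits[r["ip"]] += 1
        if ip_address(r["ip"]) not in allowed and r["status"] != 403:
            leaks[r["ip"]].add(r["path"])
    attackers = {ip: n for ip, n in hits.items() if n >= threshold}
    return attackers, {ip: sorted(paths) for ip, paths in leaks.items()}

# Constructed sample: 12 login POSTs from one address answered with 200 (block missing),
# one white-listed admin visit, one xmlrpc.php request correctly refused, and ordinary traffic.
_LINE = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "{m} {p} HTTP/1.1" {st} 512 "-" "-"'
SAMPLE_LOG = [_LINE.format(ip="203.0.113.7", s=i, m="POST", p="/wp-login.php", st=200) for i in range(12)] + [
    _LINE.format(ip="198.51.100.9", s=30, m="GET", p="/wp-admin/", st=200),
    _LINE.format(ip="203.0.113.7", s=31, m="POST", p="/xmlrpc.php", st=403),
    _LINE.format(ip="192.0.2.44", s=32, m="GET", p="/2023/10/hello-world/", st=200),
]

if __name__ == "__main__":
    attackers, leaks = analyze(SAMPLE_LOG, allowlist=["198.51.100.9"])
    print("brute-force candidates:", attackers)
    print("block not enforced for:", leaks)
```

Two caveats on the rules themselves: `order`/`deny`/`allow` is Apache 2.2 syntax and only works on Apache 2.4 if mod_access_compat is loaded (the 2.4 equivalent is `Require ip`), and /wp-admin/admin-ajax.php sits inside the blocked folder, so any plugin or theme feature that calls it for anonymous visitors stops working for non-white-listed addresses. Run the script against your real access log with your own allow-list to see whether the rules are actually returning 403 to everyone else.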
Method 2 – Using Plugins
A few plugins can help you block WordPress back-end access, limit login attempts, or both. The plugins I would recommend are:
- Wordfence. Wordfence is so far the most recommended plugin for blocking WordPress back-end access. You can limit login attempts and block countries and IP addresses from reaching your back-end (premium feature). It’s available in both free and paid plans, and I recommend you give it a try.
- IQ Block Country. IQ Block Country can block countries and IP addresses from accessing your back-end, but unfortunately it can’t limit login attempts. It’s a very good plugin and it works well.
- WP Limit Login Attempts. WP Limit Login Attempts lets you limit login attempts to your dashboard. When the maximum number of attempts is exceeded, the IP address is locked out for some time before it can try again. I suggest you set the limit to 2 or 3 and set the lockout period to the maximum for locked-out users.
In fact, the way to completely block WordPress back-end access and make it impossible for a hacker to get in is to use these methods together. The .htaccess method can be the first layer, country blocking the second, and limited login attempts with a maximum lockout period for anyone who exceeds the maximum number of attempts the last. This way, a hacker would have to get through three layers just to gain limited access, which is impossible.