How to Limit Access to WordPress Admin Directory?
WordPress currently powers more than 60 million websites which makes it the most popular CMS. Since popularity draws both good and bad attention, WordPress sites tend to experience 90000 hack attempts every minute of the day. When it comes to site security, unfortunately, there is no silver bullet that’ll provide security on all fronts. Rather one has to do many things, implement security at various fonts to ensure their site is safe from hackers. The process of adding different layers of protection is called the layered defence. Earlier we spoke of protective measures like using HTTP authentication, two-factor authentication, using strong username and passwords. Today we are learning another method of protection in which you’ll limit access to WordPress admin directory.
The WordPress admin directory is where the core WordPress files reside. The files in there enable users like yourself to execute various administrative functions. For instance, when you are trying to log in to the dashboard, WordPress checks whether the credentials that you have provided are correct, or whether you are an admin or a simple contributor with limited access to the site. The files in the wp-admin folder enable WordPress to carry out these functions.
When hackers get access to your site, they may modify the files to further their own motives. They may start dictating who gets access to the site and who doesn’t. There is a real possibility that they might block out admins and the website owner. You could lose access to your own site. This is why taking early precaution is mandatory. Limiting access to WordPress admin directory restricts hackers from taking over your site.
The easiest way to explain how the limitation works are through an analogy. If your website was a house and then the door to the house is your WordPress admin directory. Now if you deploy a guard at the door, it further secures your home (read, the site). The guard is responsible for checking the (read IP address) of every visitor and then allow or deny access into the house (i.e. website). In this post, we’ll show you how to limit access to WordPress admin directory using IP Address. This essentially means that you’ll be blocking off only specific rogue IP addresses from accessing the admin directory of your WordPress site.
Before we begin, it’s important to note that you need to make sure that your IP Address is static. If you are not sure about your IP address, we suggest you do a Google search or talk to your internet provider.
Limit Access to WordPress Admin Directory:
To begin, you’d first need to download the .htaccess file from your File Manager. Follow the steps below:
Log in to your web host account and go to a page called cPanel. There you should be able to find an option for File Manager. Select that, and a page will open that would look something like this:
Step 2: This is a typical file manager page. On the left-hand side, there are a bunch of folders. Select public_html, and you’d see a drop-down.
Step 3: In the drop down there will a folder called wp-admin. You’ll find a .htaccess file in this folder. You’d notice that unlike other files in the directory, .htaccess has no extension like .html or .txt. or PHP.
Step 4: To download the .htaccess file all you need to do is download the file using a download button on the File Manager page. It should look something like the image below:
Sometimes .htaccess is hidden and may not appear in the public_html folder. When that’s the case, what you need to do is go back to the cPanel, and click on File Manager. A popup will appear where you’ll have to select ‘Show Hidden Files’.
In case, you find out that your website does not have a .htaccess file, you’ll need to create a new one.
After you have downloaded the .htaccess file, open it. It should look something like the picture below:
Step 5: At the end of the .htaccess file, add the following code:
order deny, allow allow from your.IP.address deny from all
Note: Place the IP address that you want to blacklist instead of ‘IP.address.1’ and ‘IP.address.2’.
Step 6: After you are done, you will need to upload the file in the public_html directory in the File Manager. There should be an Upload option in the File Manager page.
After you upload the file, the IP’s you mentioned will be blocked. When these IP addresses try to access your site, they’ll see a ‘403 Forbidden’ error on the page.
Make sure that the .htaccess file you modified was from the ‘wp-admin’ directory and not the root directory (i.e. public_html) of your WordPress. There is a .htaccess file in the root directory, and we are not making any changes in that. If by mistake, you modified the .htaccess file in the ‘wp-admin’ directory, then all visitor to your site will be blocked. You don’t want that. Therefore we’d recommend you to be very careful.
There is one issue that may crop up when you limit access to WordPress admin directory using IP. It breaks the front-end Ajax functionality. This particular functionality enables web pages to show real-time changes. For instance, you may be using a plugin that allows Twitter feed on your site. Every time you tweet something, it automatically appears on the site. You don’t need to reload the page to see the tweet. This is possible due to the Ajax functionality.
To avoid breaking the front-end Ajax functionality, you’ll need to find out if any of your plugins use Ajax in the front end. If yes, then you’ll have to add the following code to your .htaccess file from the wp-admin directory.
<Files admin-ajax.php> order allow, deny allow from all satisfy any </Files>
And that’s it.
Over to You
In order to limit access to WordPress admin directory, you’d have to have a bit of knowledge about WordPress files. We hope that after reading this post, your site will be a bit more secure than it was before. Please contact us if you have any queries or feedback. And thanks for reading.
Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.