Simple step to secure the wp-admin directory
Security should be high in everybody’s mind when running WordPress as blog software. Although vulnerabilities are usually quickly fixed, the open-source nature of the code makes it easier for would-be hackers to find flaws.
The risk of having to re-install a breached installation should encourage anyone to take the following simple steps in order to make their wp-admin folder far more secure.
IP based restriction
If you run a small WordPress blog, you are probably the only one who needs access to the administration folder. You can therefore take one very simple step to tighten your wp-admin folder security considerably by only allowing access from a single IP address.
An IP address is a set of numbers assigned to you by your internet provider when you connect to the internet. It is fairly easy to find out your IP address by going to a website such as What’s my IP.
With that information, you can block access to the wp-admin folder for everybody else. Simply copy the following lines into a .htaccess file:
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
Replace xxx.xxx.xxx.xxx with the address given by the What’s my IP website and upload the file to your wp-admin folder (NOT your root folder).
This step will secure your wp-admin folder more than any other single step you could take; however, the more layers of protection you add, the less likely things are to go wrong. There are plugins that help secure the login / admin area, like the popular Login Lockdown. You can also enable HTTP authentication on your wp-admin folder, which adds another level of security.
IP based restriction has some limitations that you may need to be aware of:
- you need to keep the .htaccess file up to date: most internet providers don’t assign you a static IP address, so you may have to update your .htaccess details once in a while;
- you need the IP address of anyone who needs access to the administration folder: simply add another allow from xxx.xxx.xxx.xxx line to the .htaccess file. This includes yourself if you want access to wp-admin from both your home and your office;
- IP access restriction doesn’t protect you against host vulnerabilities if another account on your shared platform is compromised;
- nor does it protect you against someone who is on the same IP, or someone who finds out or spoofs it.
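To check how the three directives above behave before uploading them, here is an added example (not from the original post) that models Apache’s Order / Deny / Allow evaluation in Python, using constructed documentation addresses (203.0.113.7, 198.51.100.9) in place of xxx.xxx.xxx.xxx. It covers the single-IP rule from the post, the home-plus-office variant from the list above, and goes one step further: it shows that writing order allow,deny instead of order deny,allow locks everyone out, including you.

```python
import ipaddress

# Constructed .htaccess contents (documentation addresses, not real users).
WP_ADMIN_HTACCESS = "order deny,allow\ndeny from all\nallow from 203.0.113.7"
TWO_LOCATIONS = "order deny,allow\ndeny from all\nallow from 203.0.113.7 198.51.100.9"
LOCKED_OUT = "order allow,deny\ndeny from all\nallow from 203.0.113.7"  # wrong order


def _matches(rule, client):
    """Apache-style host match: 'all', a CIDR range, a full IP or a partial prefix."""
    if rule == "all":
        return True
    if "/" in rule:
        return client in ipaddress.ip_network(rule, strict=False)
    if rule.count(".") == 3:          # full dotted quad: exact match only
        return str(client) == rule
    return str(client).startswith(rule + ".")   # e.g. '203.0.113' matches 203.0.113.x


def evaluate(htaccess, client_ip):
    """Return True if client_ip would be admitted by the given .htaccess directives."""
    order, allows, denies = "deny,allow", [], []
    for line in htaccess.splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()
        elif key == "allow" and parts[1].lower() == "from":
            allows += parts[2:]
        elif key == "deny" and parts[1].lower() == "from":
            denies += parts[2:]
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(r, client) for r in allows)
    denied = any(_matches(r, client) for r in denies)
    if order == "deny,allow":
        # Deny is evaluated first, Allow last: an Allow match overrides 'deny from all'.
        return not denied or allowed
    if order == "allow,deny":
        # Allow first, then Deny: 'deny from all' rejects everybody, even listed IPs.
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)


if __name__ == "__main__":
    for name, rules in [("post", WP_ADMIN_HTACCESS), ("two", TWO_LOCATIONS), ("bad", LOCKED_OUT)]:
        print(name, evaluate(rules, "203.0.113.7"), evaluate(rules, "198.51.100.9"))
```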
Despite those limitations, the additional security IP-based restriction provides makes it a worthwhile security measure every WordPress blog owner should use.