If your server is struggling to handle brute force or bot attacks targeting WordPress wp-login.php, you can block all access server-wide, and allow only specific IPs to access the login page.
๐ Block Access Server-Wide
- Create a
.htaccessfile in a neutral directory like/home(outside of user accounts):
nano /home/.htaccess- Paste the following to block access to
wp-login.phpglobally:
<Files ~ "^wp-login.php">
Order allow,deny
Deny from all
Satisfy All
</Files>
ErrorDocument 403 "Not acceptable"- Use cPanel or your Apache config to apply the global
.htaccess, or manually include this block in each WordPress site if preferred.
โ Allow Access for Legitimate Users
Instruct legitimate users to manually whitelist their IP addresses by editing the .htaccess file inside their WordPress root directory.
- In the WordPress siteโs root
.htaccess, ask them to insert this:
<Files ~ "^wp-login.php">
Order deny,allow
Deny from all
Allow from x.x.x.x
</Files>Replace
x.x.x.xwith the user’s public IP address.
- Multiple users can be allowed by adding multiple
Allow fromlines.
๐ Notes
- You may also consider limiting access to
/wp-admin/if needed, using the same method. - Be aware that some WordPress plugins and AJAX calls may require access to
admin-ajax.php. Block only whatโs necessary.