Title: Login Security – a simple method
Last modified: September 21, 2016

---

# Login Security – a simple method

 *  Resolved [litody](https://wordpress.org/support/users/litody/)
 * (@litody)
 * [9 years, 7 months ago](https://wordpress.org/support/topic/login-security-a-simple-method/)
 * This is not for everyone but I think for the vast majority of people it should
   work exceptionally well.
 * My method of protecting against hackers attempting to log in to our WordPress
   site is as follows:
 * Firstly: in the root folder of your WordPress installation (the folder where
   you find wp-login.php) you should find a .htaccess file. Edit it (or create one
   if there isn’t one) and put the following lines in it:
 *     ```
       <FilesMatch wp-login.php>
        Order deny,allow
        Deny from All
        # This is the IP number you want to give access to. Apache only accepts
        # comments on their own line, not after a directive.
        allow from 123.123.123.123
       </FilesMatch>
       ```
   
 * You can add as many “allow from nnn.nnn.nnn.nnn” lines as you need for different
   IP numbers. This will stop everyone except those IP numbers from using your
   wp-login.php to get a login screen.
 * Secondly: go into your wp-admin folder and create another .htaccess file and
   put the following lines in it:
 *     ```
       <Limit GET POST>
       order deny,allow
       deny from all
       allow from 123.123.123.123
       allow from 127.0.0.1
       </Limit>
       ```
   
 * Again, you can put as many “allow from nnn.nnn.nnn.nnn” lines in as you need.
   This will stop everyone except those IP numbers from issuing a GET or POST on
   everything in your WP-Admin folder and subfolders.
 * The IP 127.0.0.1 is only required if you are running a test site on a local setup
   using localhost.
 * **The Pros:** Highly effective and stops every hacker and robot in its tracks!!!
   You don’t need to mess with plugins. You don’t need to re-implement every time
   you update the WordPress version since the files don’t get overwritten (they are
   not part of the WordPress installation).
 * **The Cons:** You must have access to your .htaccess file, i.e. an Apache or
   derivative web server. If you don’t have a static IP and are using a dynamic IP
   or wifi connection to get to wp-admin then it may not be for you. However, you can
   usually find the IP range/s that your ISP uses and you can put those in to get
   round the problem that your IP may change. You can use CIDR IP range format, so
   for example you can put:
 * allow from nnn.nnn.0.0/16
 * which limits access to a small range of known IPs from your ISP and shuts out
   the rest of the world.
 * Wifi access away from office or home is probably a non-starter for using this
   security methodology since the IP could be anything. But from a home or office router
   wifi it should work OK, I think.
 * Where it works best is for limiting access to only a handful of known IP numbers
   or an office where everyone is on the same external IP number.
 * We have only two people who can use Admin. One in the office, which is using a dynamic
   IP so is set to the range that ISP uses, and my own, which is a static IP.
 * Hope this was / is the right place to post this and that some may find it useful.

The topic ‘Login Security – a simple method’ is closed to new replies.
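
An added example, not part of the original post: a small Python check of which IPv4 clients a `.htaccess` allow list like the ones above admits under `Order deny,allow`, and how many addresses it exposes in total, so the list can be verified before it is deployed. The sample file, its `198.51.0.0/16` range and the function names are constructed for illustration; hostnames and IPv6 entries are not handled.

```python
import ipaddress

# Constructed sample: the post's placeholder IP plus a made-up ISP /16 range.
HTACCESS = """\
<FilesMatch wp-login.php>
Order deny,allow
Deny from All
# office static IP (the post's placeholder)
allow from 123.123.123.123
# ISP dynamic pool (constructed range)
allow from 198.51.0.0/16
</FilesMatch>
"""

def parse_rules(text):
    """Return (allow, deny) lists of ip_network objects; 'all' becomes 0.0.0.0/0."""
    rules = {"allow": [], "deny": []}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 3 or parts[0].lower() not in rules or parts[1].lower() != "from":
            continue  # section tags, Order lines, comments, blank lines
        for spec in parts[2:]:
            if spec.lower() == "all":
                net = ipaddress.ip_network("0.0.0.0/0")
            elif "/" not in spec and spec.count(".") < 3:
                # Partial address such as "10.1": Apache matches the leading octets.
                octets = spec.rstrip(".").split(".")
                padded = ".".join(octets + ["0"] * (4 - len(octets)))
                net = ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
            else:
                net = ipaddress.ip_network(spec, strict=False)
            rules[parts[0].lower()].append(net)
    return rules["allow"], rules["deny"]

def is_allowed(client_ip, text):
    """Evaluate 'Order deny,allow': a matching Allow wins, else a matching Deny blocks."""
    allow, deny = parse_rules(text)
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in allow):
        return True
    return not any(ip in net for net in deny)

def exposure(text):
    """Count how many distinct IPv4 addresses the Allow lines admit in total."""
    allow, _ = parse_rules(text)
    return sum(net.num_addresses for net in ipaddress.collapse_addresses(allow))
```

For the sample above, `exposure(HTACCESS)` returns 65537: one static address plus the 65,536 addresses of the /16.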

