How to hide your WP-admin Directory from the World: WordPress Tip

on March 30, 2011 | WordPress | Comments (10)

Here is a useful WordPress tip/ hack that will not only increase the security of your blog, but also make it look more professional in my opinion.

Often I am looking at a nice website, that I think it may be built on WordPress. To check this people often enter wp-login or wp-admin at the end of the URL to check if indeed the site is a WordPress setup.

I don’t think having the general public accessing this link is particularly professional or secure, unless you have your wp-admin area on a SSL encryption which is not realistic unless you have a high traffic / money generating website.

I have noticed in my website logs many people are hitting my wp-login or wp-admin pages. I would prefer if this doesn’t happen.

There are many ways to stop people accessing this by hacking/recoding various WordPress files, but in my opinion this is getting a bit messy, especially should you want to revert the changes at a later date.

An easier way to achieve blocking access to wp-login and wp-admin is by adding a new .htaccess file to the root of your wp-admin folder.

Note: wp-admin folder NOT blog root.

Here are the steps:

1. create a new .htaccess file using notepad

2. drop the following code into the file;

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Example Access Control”
AuthType Basic
order deny,allow
deny from all
allow from
allow from

3. Where you see xxx – replace this with the IP addresses you would like to allow to the wp-login and wp-admin.

One IP address on each line

You can add multiple lines of: allow from
This would be useful if you have multiple places you login from, or have multiple authors posting content/ articles.

4. Upload the .htaccess file to the root of your wp-admin folder
This is very important, don’t upload it to the root of your webhost of you may break your blog.

And you are done!

I hope you find this tip useful. If you have any alternative suggestions or comments – please do let us know.

David Cowling : Editor and Founder of I also run a Social Media Agency where I do consulting work and another blog dedicated to Instagram news. Connect with me: Twitter | LinkedIn | Google + or contact me here. Alternatively, you can send me an email at

  • Pingback: WordPress 3.1.1 released, Security and Performance Improvements()

  • Gerard

    Hi David,

    Nice code you show here chapeau, I just have 2 questions.

    1) Does this work for WP 3.2.1

    2) Is it possible to allow (from) by username instead of ip?

    Thanks in advance.

  • Hi Gerard,

    1. Yes it works on all WordPress versions

    2. Not sure this would be beneficial, if you have usernames that shouldn't login – either delete them or close registrations.

    I've found blocking by only allowing select IPs to access WP-Admin is most appropiate.

  • Hi David.
    I think this is a very good solution for those of us who have a unique IP , however this wouldn´t be comfortable enough for users who normally access their control pannel from elsewhere from home, office or a café…

    Do you have an alternative solution for example to mask the wp_admin by redirecting intrusers to another page like the 404 page.

    Thnks a lot.

  • Chris

    This didn't work for me, I am however using WP 3.3.1 Please advice…

  • sushil


    How can i rename wp-admin name to admin using .htaccess?

    can anyone guide me…

    i have :-

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d

    # END WordPress

    now i write wp-admin to go admin side so i want to write admin instead of wp-admin to go admin site..

    Kindly note that i have used many plugins so .htaccess will not reflect on the code…….

    Sushil Chauhan

  • Haseeb Ahmad Ayazi

    nice.. very useful WP sec tip

  • Haseeb Ahmad Ayazi

    nice.. very useful WP sec tip

  • Awersome, great tips bro

  • Awersome, great tips bro