Locking WordPress Admin Login with .htaccess Rules Updated on September 11, 2024 by InMotion Hosting Contributor 2 Minutes, 43 Seconds to Read If you are a website administrator, security should be at the top of your list. That’s why your first step should be to work with InMotion’s WordPress Hosting team to get your website up and running. After that, you can lock down the WordPress admin login with some .htaccess rules to prevent unauthorized login attempts. How to Locate Your .htaccess File in cPanel’s File Manager This guide will show how you to limit WordPress admin login attempts by IP address, or referrer. Below we’ll show you, how to get to your .htaccess file, and what edits to make, to limit WordPress admin logins. But first, we’ll show you how to find your .htaccess file in the cPanel File Manager. Log into your cPanel. Find the Files category and click on the File Manager icon. Click Settings at the top right corner. Select the Document Root for your domain and check the box next to Show Hidden Files. Click Save. Right-click the .htaccess file and select the Edit option. If you have a text editor encoding dialog box pop up, simply click Edit. How to Restrict WordPress Admin Access The following rules should be placed at the very top of your .htaccess file. Secondary WordPress admin .htaccess password (Recommended if your IP changes) A Single IP Address Multiple IP Addresses Dynamic IP Address Access Single IP Address Access You can check your IP to get your computer’s IP address. If you are using CloudFlare or a DNS level filtering service, this method won’t work, you’ll want to setup a secondary WordPress .htaccess password for protection instead. To allow access from a single IP address, replace 123.123.123.123 with your own IP address: RewriteEngine on RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteCond %{REMOTE_ADDR} !^123.123.123.123$ RewriteRule ^(.*)$ – [R=403,L] Multiple IP Address Access You can check your IP to get your computer’s IP address. If you are using CloudFlare or a DNS level filtering service, this method won’t work, you’ll want to setup a secondary WordPress .htaccess password for protection instead. To allow access from multiple IP addresses, replace 123.123.123.xxx with your own IP addresses: RewriteEngine on RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteCond %{REMOTE_ADDR} !^123.123.123.121$ RewriteCond %{REMOTE_ADDR} !^123.123.123.122$ RewriteCond %{REMOTE_ADDR} !^123.123.123.123$ RewriteRule ^(.*)$ - [R=403,L] Dynamic IP Address Access, Limit by Referrer If your IP address changes, you can protect your WordPress site by only allowing login requests that come directly from your domain name. Simply replace example.com with your own domain name Most brute force attacks rely on sending direct POST requests right to your wp-login.php script. So requiring a POST request to have your domain as the referrer can help weed out bots. RewriteEngine on RewriteCond %{REQUEST_METHOD} POST RewriteCond %{HTTP_REFERER} !^https://(.*)?example.com [NC] RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteRule ^(.*)$ - [F] Wait at least 15-20 minutes, and try to log into your WordPress site again. If you try to access the WordPress dashboard within the 15 minute window of a block, this could extend the block longer. It’s important to wait for the previous block to expire and be patient before attempting to access your WordPress site again. You should now be blocking unauthorized WordPress admin login attempts utilizing .htaccess rules. Share this Article InMotion Hosting Contributor Content Writer InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals! More Articles by InMotion Hosting Related Articles Optimize WordPress Guide: Tuning for VPS & Dedicated Servers How to Backup WordPress with the BackWPup Plugin Learn How to Install and Use Mailchimp in WordPress How to Create and Manage 301 Redirects in WordPress How to Add PayPal to WordPress Website Using Video Conferencing with Zoom – WordPress Plugin Create a WordPress News Website with the WP News and Scrolling Widgets plugin Getting Started: Constant Contact Plugin for WordPress Install and Use the Advanced Editor Tools WordPress Plugin The Yoast SEO Plugin: Optimize Your Website to Boost Traffic
I was having problems with membership levels and thought that it was restrict access pro that was causing the problem so I deleted both plugins and now I cannot access the dashboard nor login in to my website. Can you help me? Thanks.
Hello, Unfortunately, your issue is nothing we can identify with the information given. I am unable to see your site or locate an account. Did you remove the plugins via the dashboard or did you delete them in the file structure? What type of errors are you getting when trying to log into the wp-admin? Kindest Regards, Scott M
After clicking “edit,” I have no idea what this article is talking about. I don’t see something similar on the screen it’s referring to, and I’m so unfamiliar with this type of thing that I’m just totally over my head.
Hi Staff, I am attempting to use the trusted referrer option and I am still not able to login. The site is www.readysetloan.com. I cannot figure out what I am doing wrong and have been locked out since Thursday. Thank you – Eric
The referrer option disallows bots from sending POST requests directly, however, if the brute force attacks are fully hitting your wp-login.php page, this will not work. I recommend allowing by IP if you continue to experience issues. Keep in mind that it can also take about 15 minutes for the block to be lifted after putting the protection in place.
Just a bit more specificity for those unfamiliar with code. I was attempting to block false login attempts on my site from a brute force attack and the file stated to use the IP address at the top of the document — I didn’t know if that meant at the very top of the document or under the comments of the document.
Very frustrated. I’ve done: secondary password protection of the wp-admin directory and referral restrict in htaccess. I don’t have admin as a username, yet still I get locked out constantly; often when in the middle of working on something. The plugin to “hide” the wp-admin directory doens’t work well, but has been tried to see if it would help as well (still got locked out then, too). I’m have a VPS acount. I look at the raw acces logs in cpanel and never see any sort of major attack of wp-login.php. At most there’s 5 or 6 POST attempts and then you block… don’t you think it’s a bit too agressive to be locking out clients when there’s that few attempts? How about giving some leeway, eh? Especially for VPS accounts that are supposed to have dedicated resources so these attacks don’t impact anyone else on a shared server.
If you like, you may contact technical support in which they will be happy to remove the security measures that are locking you out. Of course, continue locking down your WordPress admin with a secondary password as well.
Hello, thanks for this article. I understand that wp-admin is actually a folder in WordPress, so if we add this code, won’t it lock down the whole directory and not just prevent people from accessing the wp-admin login page? Thanks in advance for your advice.
The wp-admin directory only contains content that would be accessed on the admin dashboard so it would not affect the main content of your site at all.
That makes sense Jeff, I use WP as content management for this dynamic site so I tried https://kissthesky.net/blog/wp-admin it then redirected to https://kissthesky.net/blog/wp-login.php?redirect_to=http%3A%2F%2Fkissthesky.net%2Fblog%2Fwp-admin%2F&reauth=1 and displayed the same message ‘WordPress Login Temporarily Disabled’ Where to from here?
You need to lock down the blog itself within your .htaccess. So, you will need to place the .htaccess code within the .htaccess file that is located inside the blog directory. After 15 minutes, you will then be able to log in again.
Hello Tony, I took a look at your login and it is appearing for me. It may have been blocked temporarily (typically 15 minutes) in order to stop brute force attacks. Make sure to review the article above for more information on how to secure your WordPress login. By the way I was using the following URL: https://kissthesky.net/wp-admin Make sure to clear your browser cache before trying to login again. Please let us know if you continue to have difficulty logging in. Kindest regards, Arnel C.
Jeff, I was able to edit the file as you suggested but now when I attempt to log in using https://kissthesky.net/wp-admin I get the 404 error message.
This is because the website is not created using WordPress, so it will not contain a wp-admin directory.
Hi Tony, You might end up with a blank .htaccess file in WordPress if you haven’t yet gone to Settings/Permalinks and set and saved the permalink setting you want to use. WordPress doesn’t generate the .htaccess info until you do that. If for some reason WordPress can’t write to the .htaccess file, you should get a notice warning you of that and also the code to copy and paste into your .htaccess file manually.
I have attempted to edit a client’s .htaccess file following instructions and the file is totally blank. There is no code to apply the Trusted Referrers fix to. Client’s url is kissthesky.net which is a addon domain to stevesalmostfamous.com Thanks in Advance
To apply this, you will need to copy the entire block of code mentioned into your .htaccess file and adjust it based on their specific information.
Insert at beginning of htaccess file. RewriteRule ^login$ https://YOUR_SITE.com/wp-login.php [NC,L] Just replace the login keyword with one of your choice and your website’s URL.
Hello Matt, Sorry to hear that you’re having problems with the login. Since you did not give us any account information, we could not check into the matter for you. If you want us to investigate, please give us at least a domain name or account user name. If your site is being hit by the brute force attack, then you may not be able to access the admin until you implement one of the suggestions listed above (and then waiting 15 minutes). Remember that posts here are public domain. If you would prefer the matter to be handled privately, then please contact our live support team as per the contact information at the bottom of the page. Kindest regards, Arnel C.
I have a number of WP sites which are in folders in my public_html folder. Each site is also running its WP from a folder. i.e. xyzxyz.com/qrgf/wp-admin/wp-login.php I’d like to use the Referrer method above. What’s the best way? Also, would it be preferable to put this in the .htaccess file that’s *above* my public_html folder? Could I put the Referrer for *all* of my sites there? (So they’d all be in one place)
You could simply place a single block of code within your .htaccess file in your public_html directory that covers all sites. As long as you don’t have any additional rules in deeper folders that could counteract it, everything can work directly within a single file. It would look something like this: RewriteEngine on RewriteCond %{REQUEST_METHOD} POST RewriteCond %{HTTP_REFERER} !^https://(.*)?example\.com [NC] RewriteCond %{HTTP_REFERER} !^https://(.*)?example\.com\/somethingelse [NC] RewriteCond %{HTTP_REFERER} !^https://(.*)?example\.com\/anothersite [NC] RewriteCond %{HTTP_REFERER} !^https://(.*)?example\.com\/additionalsite [NC] RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteRule ^(.*)$ – [F] Be sure that you place each site that you are running in here or else you will get access denied errors on them.
I’m using the “Dynamic IP address access, limit by referer” method yet I am still getting block out of admin. This is the exact text in my .htaccess file: <IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{REQUEST_METHOD} POST RewriteCond %{HTTP_REFERER} !^https://(.*)?shadeofthebodhitree\.com [NC] RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteRule ^(.*)$ – [F] </IfModule> What am I doing wrong?
This disallows bots from sending direct POST requests to your WordPress admin, but if they are actively visiting your login page, they will still be able to launch brute force attacks. I recommend blocking based on IP, or using a secondary password here if you are still being locked out.
Help I have been locked out of my blog for several days and cannot reach my dashboard to make the changes suggested here. the site is https://oakridgecameraclub.org/president/ any help would be appreciated. It appears I will need some help from the staff
Hello rob, Sorry to hear about your troubles. As a test, I was able to access your admin login page using the Single IP method. Make sure you are adding the code to your .htaccess file located in the root of your wordpress installation: public_html/president/ If you have any further questions, feel free to post them below. Thank you, -John-Paul
Unfortunately WooCommerce customers need to access wp-admin.php for some reason so an additional username and password won’t work for me. In fact whenever these blocks happed I think my customers are locked out from completing purchases. I guess they’ll just go elsewhere.
Instead of locking down with a secondard password, you could lock down your WordPress admin by referrer (under the heading “Dynamic IP address access, limit by referer”) which would prevent users from directly sending POST requests and allowing your users to still access their accounts.
Your instructions, above, are flawed. They read: To allow access from a single IP address, replace 123\.123\.123\.123 with your own IP address But that’s not correct. You can’t simply plug in “your own IP address”—you also have to insert slashes.
Hello Mary, It should work in most cases either way you type in your IP address: 123\.123\.123\.123 123.123.123.123 Both methods of typing in an IP address should be valid for an .htaccess file. I see from you account notes that you might have also had an extra space throwing the rules off. Thanks for leaving this comment. I’ll see about updating the article to make it a little more clear how to enter in your IP address, but I’m also almost done working on a WordPress plugin that will allow our customers to easily implement these security recommendations on their own automatically without issues. Thanks again, and please let us know if you had any other suggestions! – Jacob
Hello suryandh, To map your WordPress admin to a subdomain insead of being at /wp-admin, you would use the folloeing within your .htaccess file: # Redirect sub folders to sub domains RedirectMatch 301 ^/wp-admin/?(.*)$ https://admin.domain.com/$1 Of course, modify the domain to what you will be using within your site. You will also need that subdomain set up within your account there as well.
I have a problem….. plz tell me htaccess rule to set up a wodpress management server to a subdomain like admin.subdomain.com . And URL should be stored in database(RDS Mysql server)i am using aws server and cloudfront DNS ,CDN,WP super cache plugin to access wp-content by n wordpress servers…… Plz mail me asa fast as possible……..
The reason that you may not get this error when the installation is in another directory is because the bots may not be targeting the subdirectory at this time. It is possible that this can indeed happen to sites on those directories as well, so it is best to still set a secondary password within your .htaccess file.
Hello jkwalz108, The fix you are using is for when “the brute force attack that is taking place relies on sending direct POST requests right to your wp-login.php script,” but if your site is accessed directly, then the wp-admin is requested it will still allow attempts through. A better option for you would be to use a “Secondary WordPress admin .htaccess password (Recommended if your IP changes)”, or the Multiple IP addresses” method. If you have any further questions, feel free to post them below. Thank you, -John-Paul
I have implemented the “Multiple IP address access” method on all my domains yet I am still getting locked out of my admin. Does this method no longer work? Here is the exact text I have at the head of the .htaccess file: RewriteEngine on RewriteCond %{REQUEST_METHOD} POST RewriteCond %{HTTP_REFERER} !^https://(.*)?shadeofthebodhitree\.com [NC] RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteRule ^(.*)$ – [F]
Hello ThePurpleTide, and thanks for your comment. Typically we wouldn’t recommend turning off ModSec as it will protect your website from other attacks and not just the WordPress brute force ones. It’s kind of a last resort if you really need to get back in to your WordPress admin dashboard and have been having issues with our ModSecurity rules continuing to trigger. If you wanted to test the limit by referer method in your .htaccess file, you would need to create an HTML form with the method set to POST and the action set to your wp-login.php file of your website. It would look something like this: <form method="POST" action="https://addondomain.com/wp-login.php"> <input type="submit"> </form> You would get a 403 forbidden error if the .htaccess rules were applied correctly. You could then hit refresh on the page and it should show your normal wp-login.php page, as you would only be restricting POST attempts to the page, and when you hit refresh that is simply a GET request. We also actually recommend setting up a secondary WordPress .htaccess password for the best level of protection. Please let us know if you had any further questions. – Jacob
Hi, I just implemented the “limit by referer” method in my .htaccess file, but before I turn off Modsec, I want to be sure my implementation works. How can I test this? Furthermore, I noticed that this solution only promises to address the current botnet, which uses direct POST requests. Is there any way we can be prepared for future modes of attack, or is this a watertight solution for any eventuality?
Hello coffeehauscat , and thanks for your comment. Using the IP address restricting method that is discussed in this article is best suited for when you have the same IP address consistently, or at least rotate through a few common ones. Being that it sounds like you’d be accessing your WordPress admin dashboard from more than likely dynamic IP addresses, while you could keep figuring out your IP address by using our IP lookup tool and updating your .htaccess rules to let the new IP in. You will probably find it much easier to instead prevent WordPress login attempts with a .htaccess password. That way you’d simply enter the username and password you set, and then no matter what your IP is it will bypass the .htaccess block, and give you the normal WordPress admin dashboard login. I went ahead and set this up for you to speed up the process, and all you’d have to do now is just open up your /public_html/.htaccess file and you should see I left you a note at the top with what I set the username and password to. If you’d like to use different credentials, then you can simply follow the steps in that other article and create an additional user. I hope that helps you out, and please let us know if you had any other questions at all! – Jacob
I was wondering how the ip address lock down affects me using my iphone wordpress app, or using my laptop to login from a library? Is there a way to find out my iphone ip address? does this change depending on who’s wifi Im using? Are there any other security measures I could take ?
Hello again Kdemerly2! The options above are widely considered to be viable options to helping to lockdown your WordPress login. If you are using the referrer method (which is what I saw in your .htaccess file), then you should make sure that you login using the url like this: https://jeffchoirs.org/wp-admin . The referrer method of blocking is used because the automated scripts in many of the attacks are using the direct path to the login page. The script used in the attacks will not normally use a the domain name, but it can happen which may be why you’re seeing your page often blocked. I would highly recommend the IP method if it continues to be an issue. This would prevent you from continually being blocked by simply typing in your site URL. I understand how frustrating this can be trying to get into the WordPress page – hopefully, using the IP method will keep you safer. Using Cloudflare is a viable option if you wish. It adds a little complexity to the setup, but they are free and they offer other services which may be helpful to you. We also have documentation for the setup here: Cloudflare setup. If you continue to have any problems, please let us know if you require further assistance. Regards, Arnel C.
Hello Mcsiler, I’m sorry for the frustrations that you’ve been having with your WordPress site. One of our Tier2c techs (Shawn C.) has been looking at it and finally cracked the issue. The problem was with your caching plugin. It needed to be cleared as it was basically causing the connection issues for the database. Once that was done, the page came up beautifully. If you ever need to disable plugins, there’s a guide we provide that can help you do it real quick so that you can eliminate/identify them as the possible cause for your WordPress problems: Disabling WordPress plugins. Otherwise, please let us know if we can help by posting another question! Thanks for your patience! Regards, Arnel C.
Hello Kdemerly2, The “” is required in order to recognize the period in between the domain name and it’s extension. Iso the 404 for the the link you provided. The problem is that the page does NOT exist. So if you’re typing it in directly, there’s no such folder in your directory. If you’re getting a 404 elsewhere, I need to see the URL for it. WordPress generates the URLs for pages that are in it – they will not be the same as the title of a page that you may have created directly in WordPress. You can create custom permalinks, using the permalinks option in WordPress, but you can’t simply create a url for a single page. I hope that helps to explain it. The URL that you provided indicates that there should be a subdomain/folder named “varsity-singers” and there isn’t one. That’s the reason you’re getting the error message. Create one, add some website files in there, and you’ll see it appear with no problem. I hope that helps to clear up that issue! Let us know if you’re still having any specific problems. Regards, Arnel C.
And after waiting, I can now log back in to my WordPress site. So, while I was happy to lock it down using the steps listed above, it did not seem to work for me. I can certainly utilize Cloudflare if that’s a viable option.
When I go to that page https://jeffchoirs.org/varsity-singers.html/ I get: “This is somewhat embarrassing, isn’t it? It seems we can’t find what you’re looking for. Perhaps searching, or one of the links below, can help.” I don’t know where the disconnect is, but my WordPress page for Varsity Singers isn’t jeffchoirs.org/varsity-singers.html/.
Hello Kdemerly2, The way you put the link in won’t be recognized correctly. Try this: https://jeffchoirs.org/varsity-singers.html/ You’ll see it everytime that way. When you leave off the “.html” server is looking for a subdomain or folder that does not exist. When I looked for that, I did not see, so that’s why I thought there was no such location. The link works from WordPress most likely because it’s linked TO the .html page. Anyways, if you’re going to go directly to an html page in your directory, then you would need to provide the extension in the URL. Regards, Arnel C.
The page exists! It was there until I put in your code. If you go to that page again, you’ll see that it works now – because I removed your code and put back what was in there a few hours ago before I tried this update. https://jeffchoirs.org/varsity-singers/ But now I’m locked out of the login again. *sigh*
I had that backslash in there originally, and it still prevented me from even accessing my pages outside of logging in. That’s when I tried removing it, thinking maybe it was the cause. Isn’t that just supposed to prevent login issues? Why can’t I get to https://jeffchoirs.org/varsity-singers/ without logging in? Why do I get a 404 error when I’m not even logging in to that page? Thanks for your prompt response, btw!
I’m STILL having issues – no website at all and cannot even access the dashboard on wordpress! longbeachlpa.com. Apparently someone is working on it, but I have never ever had these issues with any website until this year on Inmotion – getting very very frustrated.
Hello Kdemerly2, Sorry to hear about the problem you were having. Thank you for providing a link so that I could find the account immediately! I looked at the .htaccess file that you edited and you missed one little backslash that’s supposed to go before the period in ‘.org’. I went ahead and fixed it for you. Give it another 15-20 minutes, and then try to login again. Apologies again for the issues – hope this fixes it for you! Regards, Arnel C.
I followed the steps (using the referrer method), and now not only can I not log in, all of my pages (excpet the homepage) are showing 404 errors – even when I’m just browsing the site. https://jeffchoirs.org/
Hello Mcsiler, I’m sorry to hear you are having problems with the admin login. Unfortunately, this issue isn’t something that just simply goes away and never comes back. If your website was specifically targeted, then the botnet may subside for a bit, and then come back later with more attempts to hack your login. The lockout doesn’t mean your website is “hacked”. It means that an attempt to attack your site was stopped and the lockout occurs because of failed attempts to login to your WordPress admin. Please allow the time for the lockout to pass (15 minutes) and then try to log in again. If you continue to have login problems, please either contact our live technical support staff, or provide us more information on the URL you’re having the problem with so that we can investigate the issue in more depth. Kindest regards, Arnel C.
This has happened COUNTLESS TIMES and it gets me in, but then a few days later it is supposedly hacked again. This does not happen to ANY of my other sites, just one.
Hello Camhawk, I was trying to say use the “https://example.com/wp-admin” path so that the referrer rule in .htaccess recognizes it as a legitimate access to the Administrator dashboard. When you implement the .htaccess rule, you should give it at least 15-20 minutes before trying to access it again. As per step 9 above: “Unfortunately even if you simply try to access the WordPress admin dashboard, still within the 15 minute window of a block, this could extend the block an additional 15 minutes, so it’s important to wait for the previous block to expire before attempting to access your WordPress site again.” After you’ve waited, make sure that access to the Administrator dashboard is occurring through the link using “http;//example.com/wp-admin” (but “example.com is replaced by your name). If the problem with the login continues, then you may need to use the multiple IP option. Please let us know if the issue persists and we can investigate it further. Regards, Arnel C.
Thanks, but I seem to be struggling with your explanation. – When you say “Give your members a URL shortcut using the domain URL” do you mean create a URL like this (https://www.example.com/login) when linking to the login page and have it NOT redirect to the wp-login.php, i.e. so it stays on /login I have done the above without using .htaccess, but when I add the .htaccess referrer rules it starts redirecting my /login page to wp-login.php and eventually locks me out again. Any further help much appreciated.
Hello Camhawk, Thanks for the question! If you have many members logging in and you would prefer not to limit by the IP address (IP address would be unique per user), then you should be using the Referrer method as listed above. Give your members a URL shortcut using the domain URL. The default reference to login for the WordPress admin is as follows: https://domain_name.com/wp-admin. This way you’re not using the direct login to wp-login.php (it automatically redirects to the wp-login using the wp-admin, anyway) and you’re using the URL as per the .htaccess rule. I hope that helps to clarify the matter. If you require any further assistance, please let us know. Regards, Arnel C.
Hi, My members use wp-login.php to access their accounts. How do I accommodate them using the above solution? Cheers
When I use the following .htaccess file on the subdomain(test.mydomain.com), I get the error “310 (net::ERR_TOO_MANY_REDIRECTS)” and can’t access the log-in page. AuthName “Login” AuthType Basic AuthUserFile /home/xxxx/.htpasswd require valid-user Although I have tested on the local using XAMPP creating subdomain “test.localhost” and subdirectory on the inmotion server “mydomain.com/test/ ” with same files and it works fine. Why am I getting the error only on subdomain settings?
I am working on a script that will use 2 htacces files. If the visit to a site exceeds a certain expected number per 10min, the htacces file will be changed on the fly for an hour. The changed file will limit access to where most expected visitors will com from. For instance your own country. This will also prevent brute force attacs from a large amount of computers, and keep open your site to mayby 95% of your users depending on what kind of site it is. It should be possible to customize the ‘access denied’ page on the fly also to inform, in case you have your own server.
It is the order of Allow, Deny that determines weather it works or not. This does not work: [code] Order Allow,Deny Allow from 111.93.52.182 Deny from all [/code] Because it first allows from 111.93.52.182 and then denies from all. This works: [code] Order Deny, Allow Allow from 111.93.52.182 Deny from all [/code] Because you first denies from all and then allows from specific. Which of the 2 lines that comes first is not important. Only the Order line.
Hello andyks, Thank you for your question. I tested this, and it works when you comment our the line: Deny from all For example: [code] Order Allow,Deny Allow from 111.93.52.182 #Deny from all [/code] Also, as suggested in this guide, I added it to the top of the .htaccess file. If you have any further questions, feel free to post them below. Thank you, -John-Paul
Hi, my IP address 111.93.52.182 and I used this code in .htaccess of my wordpress blog Sharecommons.com: [code] Order Allow,Deny Allow from 111.93.52.182 Deny from all [/code] Well, it is supposed to allow me and deny all other IP addresses. However, it has locked me out and is blocking me from accessing the wp-login.php page. What could I possibly be doing wrong here? Thanks for your help.
