How to protect wp-admin on your WordPress website


The Login LockDown (LL) plugin records the IP address and the time whenever a login failure occurs. After a number of failed attempts, LL temporarily locks the corresponding IP range for a period of time (also set by you in the Admin Dashboard), and the login function is disabled for the IP range that LL identified until the lock expires.

One of the good features of this plugin is “mask login errors”. When you enable it, the plugin hides the notices that tell a visitor whether they entered a “wrong username” or a “wrong password”, which more or less discourages the hacker, who no longer knows whether the username or the password is incorrect.
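The lockout and masked-error behaviour described above, as an added PHP example that is not Login LockDown's own code. The class name, the thresholds and the /24 reading of "IP range" are assumptions made for the illustration.

```php
<?php
// Added illustration, not Login LockDown's own code. The thresholds and the
// /24 reading of "IP range" are assumptions made for this example.
const MAX_RETRIES    = 3;    // failures allowed inside the retry window
const RETRY_WINDOW   = 300;  // seconds over which failures are counted
const LOCKOUT_LENGTH = 3600; // seconds a range stays locked
const GENERIC_ERROR  = 'ERROR: Invalid username or password.';

final class LockoutTracker
{
    private array $failures = [];    // range => failure timestamps
    private array $lockedUntil = []; // range => time the lock expires

    // Assumption: an IPv4 "range" is the address's first three octets.
    public static function rangeOf(string $ip): string
    {
        return implode('.', array_slice(explode('.', $ip), 0, 3));
    }

    // Returns null on success; every refusal returns the same string, so a
    // locked range looks no different from a wrong password.
    public function attempt(string $ip, bool $credentialsOk, int $now): ?string
    {
        $range = self::rangeOf($ip);
        if (($this->lockedUntil[$range] ?? 0) > $now) {
            return GENERIC_ERROR; // locked: refuse even valid credentials
        }
        if ($credentialsOk) {
            return null;
        }
        // Record this failure and drop those older than the retry window.
        $this->failures[$range][] = $now;
        $this->failures[$range] = array_values(array_filter(
            $this->failures[$range],
            fn (int $t): bool => $t > $now - RETRY_WINDOW
        ));
        if (count($this->failures[$range]) >= MAX_RETRIES) {
            $this->lockedUntil[$range] = $now + LOCKOUT_LENGTH;
            $this->failures[$range] = [];
        }
        return GENERIC_ERROR;
    }
}
// Constructed sample: [ip, credentials ok?, seconds since first attempt].
$tracker = new LockoutTracker();
$samples = [['203.0.113.10', false, 0], ['203.0.113.11', false, 60],
    ['203.0.113.12', false, 120], ['203.0.113.50', true, 180], ['203.0.113.50', true, 3721]];
foreach ($samples as [$ip, $ok, $t]) {
    printf("%-13s t=%-5d %s\n", $ip, $t, $tracker->attempt($ip, $ok, $t) ?? 'login ok');
}
```

The fourth sample line uses valid credentials from a different address in the same range and is still refused with the generic message; the same login succeeds once the lock has expired.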

It also sends an email alert when someone is trying to log in to your website, which helps you quickly detect the attempt and take measures to protect your website. The plugin keeps a log file too, and the logged information is a useful reference for you.

Small tip
1, After you install the plugin, the login dialog box at wp-admin shows the string “Login form protected by Login LockDown”. I think you should not leave this line in place, because it is something hackers can exploit.

To fix this, open the functions.php file in the theme folder and insert the following lines:

// Remove Login LockDown advertisement from Dialog
remove_action('login_form', 'll_credit_link');

2, As mentioned above, if someone fails to log in too many times, Login LockDown locks that person's IP and shows the message “ERROR: We’re sorry, but this IP range has been blocked due to too many recent”. This lets the hacker conclude that you use the LL plugin; instead, you should change this message to the familiar wrong-login message “ERROR: Invalid username or password”. You cannot fight off hacker attacks completely, but the damage is reduced if hackers know only a little about your site.

To fix this, open the functions.php file in the theme folder and insert the following lines:

// Remove LoginLockDown's message about IP blocking
function login_error_mess() {
    // Return the same text for every failed or blocked login
    return 'ERROR: Invalid username or password.';
}
add_filter('login_errors', 'login_error_mess');

Also, if you do not want to install the plugin, you can add the following to the .htaccess file:

Order deny,allow
Deny from all
Allow from Your_IP_address

This code allows only the machine with the IP address Your_IP_address to access wp-admin.

