Skip to content

Instantly share code, notes, and snippets.

@miziomon
Last active August 29, 2015 14:21
Show Gist options
  • Save miziomon/7aab9f1c4cbed5717b5b to your computer and use it in GitHub Desktop.
Save miziomon/7aab9f1c4cbed5717b5b to your computer and use it in GitHub Desktop.
WordPress - hide default login url and prevent brute force attack
# START Security settings
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^[custom-login-path]$ wp-login.php?loginkey=[key]&redirect_to=http://%{SERVER_NAME}/wp-admin/index.php [L]
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login\.php
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/[custom-login-path]
RewriteCond %{QUERY_STRING} !^loginkey=[key]
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
RewriteCond %{REQUEST_METHOD} !POST
RewriteRule ^wp-login\.php http://%{SERVER_NAME}/? [R,L]
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule . http://%{SERVER_NAME}/? [L]
</IfModule>
# END Security settings
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment