Create a gist now

Instantly share code, notes, and snippets.

@miziomon /.htaccess
Last active Aug 29, 2015

WordPress - hide default login url and prevent brute force attack
# START Security settings
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^[custom-login-path]$ wp-login.php?loginkey=[key]&redirect_to=http://%{SERVER_NAME}/wp-admin/index.php [L]
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login\.php
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/[custom-login-path]
RewriteCond %{QUERY_STRING} !^loginkey=[key]
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
RewriteCond %{REQUEST_METHOD} !POST
RewriteRule ^wp-login\.php http://%{SERVER_NAME}/? [R,L]
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule . http://%{SERVER_NAME}/? [L]
</IfModule>
# END Security settings
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment