When working on a WordPress database, you don’t want users to make changes to posts or settings that may be lost during database migrations. Ideally, you would do database work when the site is least active, usually in the early morning, but this isn’t always possible. We often use a simple function to redirect users away from the WordPress admin while work is being carried out on a database. This avoids taking the entire site offline while still preventing updates from being lost.
There are several ways to disable admin access in WordPress. Some of them are listed below.
1. Using .htaccess rules
Allowing only selected IP addresses keeps requests from every other address, attackers included, away from the admin area.
Here is how you can restrict others from accessing it.
Step 1 – Connect to your website through an FTP client
Step 2 – Navigate to the public_html > wp-admin directory
Step 3 – Create a .htaccess file there
Step 4 – Paste the following code there and save it:
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
Edit the “Allow from” line to allow your own IP address. To whitelist multiple IPs, add another “Allow from” line for each address. These are Apache 2.2-style directives; Apache 2.4 honours them only when mod_access_compat is loaded.
2. Create a custom login URL
You can access the login screen of any WordPress website by appending /wp-login.php to that website’s URL. For example, if your domain is www.example.com, then your login page is at www.example.com/wp-login.php.
If you’re using the WordPress default, then your website’s login page is public knowledge. Even worse, if you’re using the standard /wp-login.php URL and the default admin username, then a hacker already has two of the three pieces of information required to access your admin area.
You can create a custom login URL using a plugin such as WPS Hide Login. Once it’s installed, select Settings > WPS Hide Login from your dashboard menu. You can then enter a new URL into the Login URL field.
Save your changes and your WordPress admin area will now be accessible only via this new URL. Even if a hacker has your username and password, they’ll be unable to reach your login screen.
3. Using code
You can use this function in a Must Use Plugin to ensure it runs before any other plugin or theme:
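function wph_block_wp_admin_init() {
    // Only act on requests for the admin area.
    if ( strpos( strtolower( $_SERVER['REQUEST_URI'] ), '/wp-admin/' ) !== false ) {
        // Anyone without the manage_options capability is sent to the site URL.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_redirect( get_option( 'siteurl' ), 302 );
            exit;
        }
    }
}
// Priority 0 runs this ahead of other callbacks hooked to init.
add_action( 'init', 'wph_block_wp_admin_init', 0 );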
This function checks whether the user is an Administrator (through the manage_options capability) and redirects them to the homepage if not. You can adjust it to block administrators as well by using is_user_logged_in() to redirect any logged-in user (including yourself).
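The redirect above only matches URLs containing /wp-admin/, while the block editor saves posts through the REST API under /wp-json/ and remote clients can publish over XML-RPC, so an editor tab that was already open can still write during the migration. The following is an added example, not code from the original article, that goes beyond the page's function to cover those two paths in the same Must Use Plugin; the function name, error code and message are hypothetical.

```php
<?php
/**
 * Added example: companion to the wp-admin redirect during database work.
 * Names prefixed wph_ here are hypothetical, chosen to match the page's function.
 */

// Reject REST API writes from users who lack the manage_options capability.
function wph_block_rest_writes( $result, $server, $request ) {
    // Another filter has already produced a response; leave it untouched.
    if ( null !== $result ) {
        return $result;
    }

    // Read-only methods cannot change posts or settings, so let them through.
    $read_only = array( 'GET', 'HEAD', 'OPTIONS' );
    if ( in_array( $request->get_method(), $read_only, true ) ) {
        return $result;
    }

    // Same rule as the wp-admin redirect: administrators keep working.
    if ( current_user_can( 'manage_options' ) ) {
        return $result;
    }

    // Returning a WP_Error here short-circuits the request before any
    // endpoint callback runs; the client receives a 503 JSON error.
    return new WP_Error(
        'wph_maintenance',
        'Editing is paused while database maintenance is in progress.',
        array( 'status' => 503 )
    );
}
add_filter( 'rest_pre_dispatch', 'wph_block_rest_writes', 10, 3 );

// Turn off XML-RPC methods that require authentication. This applies to
// every user, administrators included, for as long as the plugin is active.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Remove the file from mu-plugins once the database work is finished, since nothing in it switches itself off.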
4. Limit login attempts
WordPress doesn’t block users from attempting to log in, even if they enter the incorrect password multiple times. This leaves your website vulnerable to brute-force attacks. Hackers could potentially use an automated script to bombard your account with hundreds or even thousands of potential passwords.
You can limit login attempts using the Wordfence Security plugin. Once you’ve installed it, navigate to Wordfence > All Options. Under Firewall Options, select Brute Force Protection.
Next, make sure you activate the Enable brute force protection setting. You can then specify how many failed login attempts WordPress should permit before blocking the offending IP address.
If you have any questions or problems with the function, please leave a comment or get in touch with us.
Conclusion
There are many ways to restrict users’ access to wp-admin.
Always make sure to keep your WordPress core, plugins, and themes up to date, as well as maintain strong password policies, to enhance the overall security of your website further. Additionally, consider other security measures like using a reputable web hosting provider and regular backups.