Title: Securing wp-login.php with query string/var/ parameter
Last modified: August 22, 2016

---

# Securing wp-login.php with query string/var/ parameter

 *  [motmot1](https://wordpress.org/support/users/motmot1/)
 * (@motmot1)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/securing-wp-loginphp-with-query-stringvar-parameter/)
 * Hi,
 * I try to add a small code that secures wp-login.php by adding a parameter to 
   the url e.g: mydomain.com/wp-login.php?myparam=1234
 * the result I want is that if the login url won’t have “?myparam=1234” then user
   can’t login.
 * this is the code I added, but it doesn’t work:
 *     ```
       <?php
       $key = $_GET['myparam'];
       if ($key != "1234") {
           exit();
       }
       // .. the rest of wp-login.php…
       ```
 * any idea?

Viewing 8 replies - 1 through 8 (of 8 total)

 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [11 years, 2 months ago](https://wordpress.org/support/topic/securing-wp-loginphp-with-query-stringvar-parameter/#post-5920376)
 * > I try to add a small code that secures wp-login.php by adding a parameter to
   > the url e.g: mydomain.com/wp-login.php?myparam=1234
 * Please don’t modify that file. Pain, suffering and other forms of madness await
   you when you edit files that ship with WordPress; it’s really a bad idea.
 * _*Drinks more coffee*_
 * Have you considered one of the many security plugins instead?
 * [https://wordpress.org/plugins/search.php?q=security](https://wordpress.org/plugins/search.php?q=security)
 * That may accomplish the same thing without modifying core WordPress files.
 *  Thread Starter [motmot1](https://wordpress.org/support/users/motmot1/)
 * (@motmot1)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/securing-wp-loginphp-with-query-stringvar-parameter/#post-5920402)
 * I already had that modification code to wp-login.php, and it worked perfect,
   I forgot to save it when I updated wp version.
 * most security plugins I’ve seen won’t block the login page in such a simple way.
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [11 years, 2 months ago](https://wordpress.org/support/topic/securing-wp-loginphp-with-query-stringvar-parameter/#post-5920422)
 * Why not put that section in your `.htaccess` file in the root directory of your
   WordPress installation?
 * Try this (untested) at the top of that `.htaccess` file.
 *     ```
       <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteCond %{REQUEST_URI}  ^wp-login\.php$
       RewriteCond %{QUERY_STRING} !^myparam=1234$
       RewriteRule ^wp-login\.php - [F]
       </IfModule>
       ```
   
 * If a request comes for `wp-login.php` and that query string is not there then
   the server will return a 403. You may need to change `wp-login\.php` to
   `/wp-login\.php`, I’ve not tested this myself.
 *  Thread Starter [motmot1](https://wordpress.org/support/users/motmot1/)
 * (@motmot1)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/securing-wp-loginphp-with-query-stringvar-parameter/#post-5920426)
 * even better, unfortunately doesn’t work with this syntax.
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [11 years, 2 months ago](https://wordpress.org/support/topic/securing-wp-loginphp-with-query-stringvar-parameter/#post-5920427)
 * I probably got it a little off, I didn’t test it. I’ll take a poke at it tonight
   and see if I can get the syntax correct.
 * If it _does_ work then that would be good as that will survive WordPress updates.
 *  Thread Starter [motmot1](https://wordpress.org/support/users/motmot1/)
 * (@motmot1)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/securing-wp-loginphp-with-query-stringvar-parameter/#post-5920522)
 * thanks
 *  [Ulrich](https://wordpress.org/support/users/grapplerulrich/)
 * (@grapplerulrich)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/securing-wp-loginphp-with-query-stringvar-parameter/#post-5920698)
 * This is what I got working.
 *     ```
       # BEGIN only allow access to login if query is correct
       <IfModule mod_rewrite.c>
       RewriteEngine on
       RewriteCond %{REQUEST_URI} ^.*?wp-login\.php.*$
       # Special secret query key
       RewriteCond %{QUERY_STRING} !^.*?myparam=1234.*$
       # Needed to complete the login process
       RewriteCond %{HTTP_REFERER} !^https?:\/\/([a-z]|\.){8,14}\/wp\/wp-login\.php\?.*?myparam=1234.*$
       # Allow admin area login pop
       RewriteCond %{HTTP_REFERER} !^https?:\/\/([a-z]|\.){8,14}\/wp\/wp-login\.php\?interim-login=1$
       RewriteCond %{HTTP_REFERER} !^https?:\/\/([a-z]|\.){8,14}\/wp\/wp-admin.*$
       # Needed for easy reset password process
       RewriteCond %{QUERY_STRING} !^action=lostpassword$
       RewriteCond %{QUERY_STRING} !^checkemail=confirm$
       RewriteCond %{QUERY_STRING} !^action=rp&key=.*?&login=.*?$
       RewriteCond %{QUERY_STRING} !^action=rp$
       # Needed to be able to logout
       RewriteCond %{QUERY_STRING} !^action=logout&_wpnonce=([a-z]|\d){10}$
       # Return "Access Forbidden"
       RewriteRule ^(.*)$ - [R=403,L]
       </IfModule>
       # END only allow access to login if query is correct
       ```
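
Added example, not part of any post in this thread: a small Python model of how mod_rewrite evaluates Jan's two-condition rule in a root-level `.htaccess`, run over constructed requests. It shows that the rule as posted never fires because `%{REQUEST_URI}` keeps its leading slash, and that the leading-slash variant also returns 403 for the login form POST and the logout link, the cases Ulrich's extra conditions exist for. The function names, the sample requests and the assumption that the login form posts back to `/wp-login.php` without the query string are mine.

```python
import re

def verdict(conds, rule_pattern, uri, query):
    """Model one 'RewriteRule <pattern> - [F]' with its RewriteCond lines in a
    root .htaccess: the rule pattern sees the path without the leading slash,
    %{REQUEST_URI} keeps it, and all conditions must hold (implicit AND)."""
    if not re.search(rule_pattern, uri.lstrip("/")):
        return "pass"
    variables = {"REQUEST_URI": uri, "QUERY_STRING": query}
    for var, pattern in conds:
        negate = pattern.startswith("!")
        regex = pattern[1:] if negate else pattern
        matched = re.search(regex, variables[var]) is not None
        if matched == negate:          # this condition is false: rule is skipped
            return "pass"
    return "403"

RULE = r"^wp-login\.php"

# Conditions exactly as posted by Jan.
AS_POSTED = [("REQUEST_URI", r"^wp-login\.php$"),
             ("QUERY_STRING", r"!^myparam=1234$")]
# Same rule with the leading slash Jan suggested trying.
WITH_SLASH = [("REQUEST_URI", r"^/wp-login\.php$"),
              ("QUERY_STRING", r"!^myparam=1234$")]

# Constructed sample requests (method is informational; the rule ignores it).
SAMPLES = [
    ("GET",  "/wp-login.php", ""),                                   # bare login page
    ("GET",  "/wp-login.php", "myparam=1234"),                       # login page with key
    ("POST", "/wp-login.php", ""),                                   # assumed form submit
    ("GET",  "/wp-login.php", "action=logout&_wpnonce=abcdef1234"),  # logout link
    ("GET",  "/index.php", ""),                                      # unrelated page
]

def run(conds):
    return [verdict(conds, RULE, uri, query) for _method, uri, query in SAMPLES]

if __name__ == "__main__":
    for name, conds in (("as posted", AS_POSTED), ("leading slash", WITH_SLASH)):
        print(name)
        for (method, uri, query), result in zip(SAMPLES, run(conds)):
            print(f"  {method:4} {uri}?{query:35} -> {result}")
```

The model covers a WordPress install at the web root only; Python's `re` stands in for Apache's PCRE, which behaves the same for these patterns.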
   
 *  Thread Starter [motmot1](https://wordpress.org/support/users/motmot1/)
 * (@motmot1)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/securing-wp-loginphp-with-query-stringvar-parameter/#post-5920699)
 * Yep that’s a keeper!!
   Thanks Ulrich


The topic ‘Securing wp-login.php with query string/var/ parameter’ is closed to 
new replies.

## Tags

 * [wp-login.php](https://wordpress.org/support/topic-tag/wp-login-php/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 8 replies
 * 3 participants
 * Last reply from: [motmot1](https://wordpress.org/support/users/motmot1/)
 * Last activity: [10 years, 5 months ago](https://wordpress.org/support/topic/securing-wp-loginphp-with-query-stringvar-parameter/#post-5920699)
 * Status: not resolved
