You are viewing the legacy StackPath SecureCDN Help Center. Please use if you signed up after July 1, 2018 or log in through

StackPath Support

EdgeRules Recipe: Block Access to WP-Admin

According to, a survey of 40,000+ WordPress websites in the Alexa Top 1Million, more than 70% of WordPress installations are vulnerable to hacker attacks.

One of the quickest ways to protect your WordPress installation with StackPath is to restrict the wp-admin URL through a custom Path or IP address filter. A simple Edge Rule will accomplish this. 

Blocking wp-admin access through your StackPath CDN URL

Use this section of the article if you are caching static assets. Please note that this will not block access to the wp-admin using your root domain. 

  1. Log into the StackPath Control Panel
  2. Select Sites and then select Manage next to the site you wish to create the edge rule with
  3. Select CDN and choose EdgeRules
    Manage Edge Rules control
  4. Select Add New Rule and then + New Rule
    Add new EdgeRule recipe
  5. Match the Criteria and Features to this image
    Criteria and features rules settings
    • Status Code = 403
    • Conditional = "$request_uri = RegEx (Case Insensitive) = \/(wp-admin)\/.*


To test this Edge Rule please use the following two Curl examples. The results should match the examples below. Please replace "" with your WordPress installation url. 

CURL example to an unprotected page

curl -I
HTTP/1.1 200 OK
Date: Sun, 08 Mar 2015 18:22:50 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Cache-Control: private
Vary: Accept-Encoding
Server: NetDNA-cache/2.2
Link: ; rel="canonical"
X-Cache: HIT

CURL example to the protected wp-admin page

curl -I
HTTP/1.1 403 Forbidden
Date: Sun, 08 Mar 2015 18:22:54 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
Server: NetDNA-cache/2.2

Return to top