Forum Moderators: phranque

.htaccess file to protect wp-admin

Need to create wildcards for IPv6

         

JohnW107

11:03 pm on Jan 28, 2025 (gmt 0)

Top Contributors Of The Month



I have the following in my .htaccess file to only allow certain IP addresses access to wp-admin.

It works fine but my ISP is constantly changing my IPv6. I would like to be able to use the first two octets and use a wildcard for the rest.

I have looked everywhere for an answer that works.

<Files wp-login.php>
# set up rule order
order deny,allow
# default deny
deny from all
allow from 100.200.20.52
allow from 70.90.110.130
# fictitious address
allow from 2001:183:4c25:3990:99g0:pp06:rbc5:999b

# Add additional IPs for access here
</Files>

lucy24

5:18 pm on Jan 29, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Good lord. Is your server still running Apache 2.2, or have you not got around to updating your directives yet? One of these days they will introduce 2.6, and then I doubt mod_compat--which I hope is what you’re currently using--will be available.

The wording of your post makes it sound as if you didn't know that Allow/Deny directives--or the more up-to-date Require ip--don't need a full down-to-the-last-segment IP. You can say Allow from 100.200, Allow from 2001:183 and so on, using just as many elements as necessary, or sectors such as /19 or /22. No “wild cards”; you simply leave off the variable parts.

Vortex13

3:54 pm on Mar 21, 2025 (gmt 0)

Top Contributors Of The Month



On almost all my WordPress sites I use a plugin that allows me to write my own URL instead of wp-admin. If the user doesn't know the new URL, they will get a 404.

Brett_Tabke

10:27 pm on Sep 28, 2025 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Like lucy said, Require is the more modern way with Apache 2.4 and up.

<Files wp-login.php>
Require all denied
Require ip 100.200.20.52
Require ip 70.90.110.130
Require ip 2001:183:4c25:3990::/64
</Files>

If you must stick with the older syntax, it won’t do what you want for IPv6. Switching to CIDR with Require ip is the way to handle it.
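An added example, not part of any post in this thread: Python that takes IPv6 addresses seen on one connection over time, finds the prefix they share, and renders a Require ip block like the one above. The sample addresses (documentation prefix 2001:db8::/32), the function names and the nibble-alignment default are assumptions.

```python
import ipaddress

def covering_prefix(observed, floor=32, align=4):
    """Longest IPv6 prefix containing every observed address, capped at /64.

    floor: refuse anything wider than this (samples too scattered to allowlist).
    align: round the length down to a multiple of this many bits, an
           assumption that the ISP delegates on nibble boundaries (/60, /56).
    """
    ints = [int(ipaddress.IPv6Address(a)) for a in observed]
    lo, hi = min(ints), max(ints)
    # Bits left of the highest differing bit of min and max are shared by all.
    length = min(128 - (lo ^ hi).bit_length(), 64)
    length -= length % align
    if length < floor:
        raise ValueError(f"/{length} is wider than the /{floor} floor")
    return ipaddress.IPv6Network((lo, length), strict=False)

def files_block(networks, target="wp-login.php"):
    """Render an Apache 2.4 <Files> section with one Require ip per network."""
    lines = [f"<Files {target}>"]
    lines += [f"Require ip {ipaddress.ip_network(str(n))}" for n in networks]
    lines.append("</Files>")
    return "\n".join(lines)

def would_match(client, networks):
    """True if client falls inside any listed network (CIDR containment)."""
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_network(str(n)) for n in networks)

# Constructed sample: addresses seen on one line over time (documentation prefix).
SEEN = [
    "2001:db8:4c25:3990:91a0:bb06:1bc5:999b",
    "2001:db8:4c25:3990:5d2e:77ff:fe10:a01",
    "2001:db8:4c25:3997:a1b2:c3d4:e5f6:789",
]

if __name__ == "__main__":
    net = covering_prefix(SEEN)
    print(files_block(["100.200.20.52", "70.90.110.130", net]))
```

Widening the prefix also admits other customers of the same ISP, so the `floor` argument is there to stop the result from silently growing too broad.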

mack

4:39 am on Sep 29, 2025 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



If you do decide to rename wp-admin.php be sure to leave a version there that messes with them. Looks like the login screen but does nothing. They will eventually give up.

Mack.

Brett_Tabke

12:44 pm on Sep 29, 2025 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



The big problem with renaming or moving login is that so many WP updates will overwrite that - or worse, fail - during update.

not2easy

12:53 pm on Sep 29, 2025 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



You can set permissions to secure WP files; there are instructions. Because of the way WP is installed and set up, permissions are better than rules in .htaccess.

There is a link in this 2022 thread about hardening WP: [webmasterworld.com...]

lucy24

5:39 pm on Sep 29, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This is really a wider-ranging issue than wp. For example, if I had it to do over I would call my /includes/ directory by some other name. My test site features an array of improbable directory names, each goofier than the last.