
Restrict WordPress Admin Access by IP Address

This is a guest post by Eric Sizemore, a web developer, programmer, and domainer.

In light of recent events, anyone using WordPress is apparently susceptible to what’s being called “Distributed WordPress admin account cracking”. You can view this article for more information. This post aims to provide an extra layer of security both to your wp-admin folder, and wp-login.php file.

Step 1 – Determine Who Will Have Access

First and foremost, this extra layer of security involves blocking every IP except a select few. If your IP is dynamic, it may not be the best option for you. If you allow a lot of users access to your blog, this could become time consuming. If you are the only author on the blog, and you don’t allow registrations anyway – this will be rather simple.

Step 2 – Creating .htaccess

First, let’s get your IP address. Go to IPChicken and make a note of your IP address. Next, download the .htaccess files that have been created for this post.

Once you extract the archive you should see a .htaccess file, and a wp-admin folder with a .htaccess file inside it. Open the main .htaccess file and you should see:

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
</Files>

Edit the “Allow from” line to reflect your IP address. To add more IP addresses, add a new line with “Allow from” and the next IP address, and so on. Now, chances are you already have a .htaccess file in your root WordPress folder. If so, edit that file, copy and paste in the contents of your edited .htaccess file from the zip, and save/re-upload.

Now open the .htaccess file within the wp-admin folder from the zip. You should see something like:

Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx

Do as you did above, and add any extra IPs you want to allow into the wp-admin area. Chances are you do not have a .htaccess file in your wp-admin folder, so just upload the edited .htaccess file from the zip to your wp-admin folder.
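Here is a complete version of both files from the steps above, written as an added example rather than the contents of the post's zip. It keeps the Order/Deny/Allow syntax shown above for Apache 2.2 and adds the equivalent Require ip syntax that Apache 2.4 expects, selecting one or the other by whether mod_authz_core is loaded (on 2.4 without mod_access_compat, a bare "Deny from all" is an unknown directive and produces a 500 Internal Server Error). The addresses 203.0.113.10 and 198.51.100.0/24 are constructed placeholders from the documentation ranges; the second shows that a whole range can be allowed in one line. The admin-ajax.php exception is a design choice that is not in the original post: that script lives in wp-admin but is also requested by ordinary visitors' browsers on the public side of many sites, so leaving it reachable avoids breaking front-end features.

```apache
# ---------------------------------------------------------------
# File 1: .htaccess in the WordPress root (merge into your existing
# file if you already have one). Guards the login form only.
# Addresses below are constructed placeholders; replace them.
# ---------------------------------------------------------------
<Files wp-login.php>
    # Apache 2.4: mod_authz_core provides "Require"; several
    # "Require ip" lines at one level mean "any of these"
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </IfModule>
    # Apache 2.2 (or 2.4 with mod_access_compat): the post's syntax
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </IfModule>
</Files>

# ---------------------------------------------------------------
# File 2: wp-admin/.htaccess. Guards the whole dashboard directory.
# ---------------------------------------------------------------
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>

# Exception (design choice, not in the original post): admin-ajax.php
# sits in wp-admin but is also called by the public front end, so the
# <Files> section below re-opens just that one script.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Files>
```

To check it, request wp-login.php from an address that is not listed: a 403 Forbidden means the rule is working, while a 500 Internal Server Error means the server rejected the directives themselves (look at the Apache error log for "Invalid command"). If the site sits behind a CDN or reverse proxy, the address Apache compares against is the proxy's, not the visitor's, so the allow list will not behave as intended unless the server is configured (for example with mod_remoteip) to recover the real client address.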

Step 3 – You’re done

And that’s all! 🙂

Comments

  1. No download files.

  2. Perfect

  3. Sunil Ilanthila July 24, 2021 at 3:51 pm

    I’m facing a “not acceptable” issue from one IP, but it’s working on other IPs. Any solutions?

    1. You may want to contact your hosting support about this.

  4. I know this website gives quality depending posts and other material; is there any other website which presents such data in quality?

  5. Does not work. I got: Internal Server Error

    1. You may want to contact your hosting support about this.

  6. Thanks. Just what I was looking for

    1. We are glad you found this helpful 🙂

  7. hi all,
    I have an IP restriction on my site for wp-login.php in .htaccess, but my customers can’t log out; it shows an error because of the IP restriction. Can anyone give me the best solution for IP-restricting only the admin login page?

    1. What is the code for the restriction you are using? Was it added to the wp-admin folder only?

    2. Valerie Cudnik April 25, 2022 at 8:04 pm

      There isn’t a different login for admin. The problem with the logging out, is that WP uses wp-login.php for both logging in *and* logging out.

      Best option is to create a different logout page for customers.

  8. Beware: If your WordPress website uses Woocommerce then the code below will block the new order emails from being sent!

  9. Paramjeet Singh August 25, 2019 at 1:15 pm

    Hi, thanks for the helpful article. I am able to add an additional security layer to my website.
    But I have one question: this will only allow my IP to access the WP-admin dashboard, etc. Does it affect the plugins or files, etc.? I mean, do they or don’t they need a connection to the wp-login page?

    1. This code is specifically for blocking access to the login page. That said, if the plugins that are installed were coded correctly, then if a visitor can’t login they shouldn’t have access to the admin pages.

  10. Didn’t work for me.

    This works, found it in one of my old projects 🙂

    RewriteEngine on
    # match the login script or the wp-admin path ...
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    # ... from any client that is not one of the two listed addresses
    RewriteCond %{REMOTE_ADDR} !^95\.154\.22\.86$
    RewriteCond %{REMOTE_ADDR} !^77\.243\.128\.133$
    # "-" keeps the URL unchanged; the client just gets a 403
    RewriteRule ^(.*)$ - [R=403,L]

    1. The Rewrite option works for me but i can’t access to the admin web page from localhost
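The logout problem raised in comment 7 (WordPress serves both login and logout from wp-login.php, so a blanket block on that file also breaks "log out" for ordinary customers) and the mod_rewrite approach shown in comment 10 can be combined. The following is an added example, not code from either commenter: because RewriteCond can inspect the query string, which a <Files> section cannot, it lets any client reach wp-login.php?action=logout while still blocking the rest of the login page and the wp-admin directory for unlisted addresses. The address 203.0.113.10 is a constructed placeholder; 127.0.0.1 and ::1 cover the localhost access mentioned in the reply above; the admin-ajax.php exemption is a design choice so that public front-end requests to that script keep working.

```apache
# Added example: IP allow-list for the login page and dashboard via mod_rewrite.
# Goes in the .htaccess in the WordPress root, above the "# BEGIN WordPress"
# block so it runs before WordPress's own rewrite rules. Works on Apache 2.2 and 2.4.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Match the login script or anything under wp-admin/ ...
    # ([OR] joins the next condition; everything after is AND-ed)
    RewriteCond %{REQUEST_URI} (^|/)wp-login\.php$ [OR]
    RewriteCond %{REQUEST_URI} (^|/)wp-admin(/|$)
    # ... except admin-ajax.php, which the public front end also calls
    # (design choice, not from the original post)
    RewriteCond %{REQUEST_URI} !(^|/)wp-admin/admin-ajax\.php$
    # ... and except the logout action, so logged-in customers can sign out
    RewriteCond %{QUERY_STRING} !(^|&)action=logout(&|$)
    # Allowed clients: placeholder 203.0.113.10 (replace with your own),
    # plus localhost over IPv4 and IPv6
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
    RewriteCond %{REMOTE_ADDR} !^::1$
    # Any request that survives every condition above gets 403 Forbidden
    RewriteRule ^ - [F,L]
</IfModule>
```

The "(^|/)" prefix instead of a leading "/" keeps the rules working when WordPress is installed in a subdirectory, since REQUEST_URI then carries that prefix. Address ranges are awkward to express as regular expressions here; when a range is needed, the Require ip form in the Files-based variant is the simpler tool.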

  11. This does not work on Apache 2.4 because order allow,deny is deprecated.
    Instead you must use mod_rewrite.c.

  12. Could anyone help me with which IP we are supposed to enter in the .htaccess file? Is it the public IP that I can see when I Google search for my IP, or is it the static one?

  13. Quite useful regarding security. I recently encountered few attacks on my wp site and I am looking for a good solution.

  14. Elizabeth Richardson February 20, 2010 at 5:12 pm

    After leaving this system in place for a couple of months now, I’ve been able to relax. It does seem to work, as I had been hacked multiple times before too.

    I use an ip range instead of a specific ip in my .htaccess and it works fantastic. Thank you so much.

    1. Glad to hear it’s working out for you. 😀

  15. Thanks for the info
    I was very frustrated that my blog got hacked a fourth time.
    I wanted to be 100% sure to stop all bot attacks.
    In the last few days I tried many plugins, including askapache, but it is not working fine because of some problem with my hosting.

    Finally I got a custom solution: I put a .htaccess file in the wp-admin folder and IP-locked it to open only from my IP range, and it works. Now no bot can try to check out my options and settings files, unless the bot is on my PC itself.

    : )

    Regards

  16. But I access my site from all sorts of places, including my cellphone.

    What I’d really like is to restrict everywhere outside of North America and that would probably cut down on a lot of hacking wouldn’t it?

    Yes, it’s still open but a lot less wide than it was previously.

    Anyone try anything like this?

    1. Maybe, but you’d need to integrate it with a geo IP-to-location database which might be a little overkill for something like this.

      If you login from a lot of places/IPs you might want to look into something like Login Lockdown.

  17. The login lockdown plugin is also nice. Limits and then bans failed login attempts. Kind of like IPtables for wp.
    http://wordpress.org/extend/plugins/login-lockdown/

    We added it to our pre-install for page.ly customers so it will be activated by default after signup.

    PS.. love the new themelab.com design.

    1. That sounds like it could be pretty effective. Especially if you login at a lot of different locations with different IP addresses, it may not be practical to add a .htaccess rule for each one.

      And glad you like the design!

  18. @Elizabeth: No problem! Let me know how it works out for you.

  19. Thanks so much for this.

    I’ve been experiencing exploit attempts on several of my WordPress websites and have been using .htaccess to block the individual IPs. But this seems much more effective. Hope it works well.

    Thanks Leland.

  20. @badcat: That’s a good question but I don’t think you’ll need to repeat the process since these .htaccess files aren’t included with the actual upgrade.

  21. Will you need to repeat this process after a new version of WordPress comes out?

    Or would it make more sense to deny the wp-admin folder in the site root .htaccess file, since that doesn’t get updated when WP updates its core?
