How to Restrict Admin Access by IP in WordPressPosted on
If you’re concerned about the security of your WordPress blog, one good place to start is by restricting access to secure areas as much as possible. If you’re the sole owner and maintainer of your website, there is no reason why sensitive areas like the login page and the administrative section should be accessible from all possible IP addresses. In fact, one excellent practice is to use a VPN service to specify an IP address from which all administrative activity can take place. This will instantly shut down any kind of brute force attacks that may hamper your site.
In this article, I take a look at the most common way to restrict access to the admin and login areas of WordPress by IP. For test purposes, I’m going to connect via a VPN with a static IP address.
Getting your IP Address
Keep in mind that unless you can be 100% sure of accessing your WordPress blog admin area from a static IP address, the solution below isn’t a great idea. Normal ISPs usually assign dynamic IPs to their customers. They change on a regular basis. But when you subscribe to a VPN specifically for this purpose with a static IP address, you can always connect to it before doing any website modifications. For example using my test VPN below I’m able to extract my IP address by simply typing the following query into Google:
This is the address I’m going to use.
Protecting the Login Area
The first and most important page to protect is the login screen. Hackers attempting to break into your site will try and brute force your authentication page wp-login.php. Access your blog directory via FTP and locate the .htaccess file in the root folder of your blog. Add the following code segment at the top:
<files wp-login.php> order deny,allow allow from 126.96.36.199 deny from all </files>
Replace the text in bold with your own IP address that you want to use to access the WordPress login page. With this piece of code, anyone trying to sign in from anywhere else will see a 403 forbidden error page as shown here:
Now that we’ve secured the login area, let’s take a look at how to block access to other admin sections as well.
Blocking the Admin Area
Your admin folder contains a whole bunch of sensitive files that only you should access. Not only that, all the other administrative areas of your WordPress blog like the plug-in section are located within the wp admin folder. Restricting access to the admin folder and everything within it is best done by creating a separate .htaccess file within wp admin itself. By default, no such file exists. So using your FTP program, create one and name it “.htaccess”. You can see what that looks like in the screenshot here:
After saving this, open up your newly created file and paste in the following code:
order deny,allow allow from 188.8.131.52 deny from all
Since this .htaccess file is placed within the wp admin folder, it will allow access only from the one specific IP address and deny it from all others. Using these two techniques with two separate .htaccess files, we managed to secure our login section as well as the administration area.
Note that this approach will not work if you’re sitting behind a reverse proxy like CloudFlare. For that, we need to either create these rules at the level of the proxy itself, or extract the HTTP response variable “CF-Connecting-IP” and use that to match our given IP address. But if your site is being accessed directly without a reverse proxy, these .htaccess modifications will get the job done.
2 Comments on “How to Restrict Admin Access by IP in WordPress”!
i dont have static ip instead having dynamic ip which changes every time i connect to internet, can you help in that case what to do to hide the wp admin for security purposes from public?
U need to be familiar with linux bash.. then set up a ddns service on your router or desktop. On server write a shell script which resolves email@example.com to the ip address then rewrites the htaccess files with the ip… look into linux cron scheduler. U can use this to run the script at repeating intervals…aka once a day or what ever. After the script writes the .htaccess it probably needs to chown it to nobody and set file permissions as as well.