Limit Access To The WordPress Login Screen To Specific IP Addresses

Limited Access by IP Address

If you are concerned about someone trying to crack your WordPress login ID and password, then you definitely want to create a strong login ID and password. But even with that, crackers will still try brute-force attacks, dictionary attacks, and many other methods to get through the door of your WordPress website.


What Can You Do?

You can install a simple plugin such as Limit Login Attempts to lock them out after a defined number of failed attempts. And that works quite effectively – I use it for my clients.

Can More Be Done On The Login Side?

If the login screen is where they will try to get into your WordPress website by guessing your login ID and password, then why not just eliminate that point of entry? Oh yeah, there’s that pesky business where we might need to log in ourselves and take care of some task.

Then, why not limit the access to the login page altogether?

Block Access Except To Certain IP Addresses

In the root directory of your WordPress installation (where the wp-content folder is located), edit your .htaccess file and add the following lines BEFORE anything else in the file.

```apache
<Files wp-login.php>
order deny,allow
deny from all

# whitelist your first IP address
allow from xxx.xxx.xxx.xxx

# whitelist your second IP address
allow from xxx.xxx.xxx.xxx

# whitelist your third IP address
allow from xxx.xxx.xxx.xxx
</Files>
```

Add as many whitelist sections as you need, one for each IP address you want to allow access from.
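The following helper is an added example, not code from the article: it validates the addresses you intend to whitelist, emits the `<Files wp-login.php>` block in both the Apache 2.2 syntax shown above and the Apache 2.4 `Require ip` syntax (Apache 2.4 only honours `Order`/`Deny`/`Allow` when mod_access_compat is loaded), and lets you check which client addresses the list would admit before you upload it. The sample addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Build and sanity-check a wp-login.php IP allow-list for .htaccess.
Hypothetical helper, not from the article: validates the entries, emits
the <Files> block in both Apache 2.2 (Order/Deny/Allow) and Apache 2.4
(Require ip) syntax, and shows which clients the list would admit.
"""
import ipaddress


def parse_allowlist(entries):
    """Validate entries as IPv4/IPv6 addresses or CIDR ranges; a typo
    such as '203.0.113.5.1' raises ValueError instead of locking you out."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_allowed(client_ip, allowlist):
    """True when client_ip lies inside any allowed address or range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowlist)


def _fmt(net):
    """Single hosts as a bare address, ranges in CIDR notation."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return net.with_prefixlen


def render_htaccess(allowlist):
    """Return the <Files> block; anyone not listed gets 403 Forbidden."""
    out = ["<Files wp-login.php>",
           "  # Apache 2.4+: unmatched clients are denied by default",
           "  <IfModule mod_authz_core.c>"]
    out += [f"    Require ip {_fmt(n)}" for n in allowlist]
    out += ["  </IfModule>",
            "  # Apache 2.2, or 2.4 with mod_access_compat loaded",
            "  <IfModule !mod_authz_core.c>",
            "    Order deny,allow",
            "    Deny from all"]
    out += [f"    Allow from {_fmt(n)}" for n in allowlist]
    out += ["  </IfModule>", "</Files>"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample addresses from the RFC 5737 documentation ranges.
    nets = parse_allowlist(["203.0.113.5", "198.51.100.0/24"])
    print(render_htaccess(nets))
    for ip in ("203.0.113.5", "198.51.100.77", "192.0.2.9"):
        print(ip, "allowed" if is_allowed(ip, nets) else "blocked (403)")
```

A blocked client actually receives 403 Forbidden from Apache, which is what to look for in the access log. If the block seems to have no effect, check the server's AllowOverride setting: with AllowOverride None the .htaccess file is never read, and a setting that excludes AuthConfig (for Require) or Limit (for Order/Allow/Deny) produces a 500 error instead.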


If you are on a Dedicated (or Static) IP then you are set.

Only the IP addresses you’ve whitelisted can even see your login page, let alone attempt any type of login to your WordPress website. Anyone else who tries to access the login page will get a 404 error, which will be handled however you’ve configured 404 errors to be handled.

What If I Don’t Have A Static IP?

Some people believe that you should NOT use this method if you are not on a static IP. I don’t subscribe to that idea.

Why?

It’s simple enough for me to type “What is my IP” into a Google search, discover my new IP, and then use my FTP software to edit my .htaccess file with the new IP address. Grand total: a couple of minutes to change the allowed IP address.

Public Wi-fi Access Points

What If I’m In A Public Access Point (Starbucks, McDonalds, a friend’s house)?

Use the same steps as when your own IP address changes: a Google search to find your current IP, then add that IP as an additional allow line in your .htaccess file. But when you are finished at that location, be sure to remove that access so no one else can potentially reach your login page from there.

O.K. Now My WordPress Website Is Secure. Right?

Your WordPress installation is definitely more secure than it was prior to this point, but it’s not completely secure. There are plenty more steps you can take to secure your WordPress website. Take an evening to read through the many articles on WPMU.org that have been written about WordPress security. You will come away better educated on protecting your WordPress installation.

Are there any specific steps you’ve taken to better secure your WordPress installation? Share them here so that everyone can benefit.


Photo Credits

rofltosh via photo pin cc
lanier67 via photo pin cc

Comments (4)

  1. Hi James,

    Like your article.

    However I think you need to stress the importance on only using SFTP (as opposed to FTP) to connect to your hosting account – especially in your Public Access Point scenario mentioned above…

    Otherwise you expose your FTP credentials in clear text on a public network…

    Another excellent plugin which also serves to protect your WordPress Admin Login is called WP Login Security. It will send an email with a verification link to the registered admin email address if this user tries to log in from an unknown IP address… very neat…

    • Thanks for sharing this here.

      Agreed, if you use FTP to access your account, you are definitely opening it up to prying eyes. Hadn’t even considered mentioning it because I use SFTP and HTTPS all the time by default. This is a very important addition to your security precautions.

      As for WP Login Security – I REALLY, REALLY like that idea. It’s analogous to the two step verification that Google and Facebook use. Although the plugin hasn’t been updated in over two years (last updated 8/6/2010), I’m assuming that it is still working for you with no issues. I’ll have to dig into it and see how well it works.

      Thanks again for your comments here. This gives me an idea for a post to help people that work away from their home connections. I’ll have to spend some time investigating options and highlight ones that work.

      • Hi James,

        Yes, your assumption is correct… I am using this plugin without problems on my sites… the only thing to remember is that this plugin in combination with WebsiteDefender (which hides login errors) will give you a nice white screen if you log in from an unknown IP address… you will get the email with the link and everything else works as it should… you just don’t get a nice message telling you that’s what’s happening… so it can be a bit confusing…

        Sounds like a great idea with a post for people working on the road… you might pick up a few more tips from my WordPress Security Checklist too: http://www.wpsecuritychecklist.com.

        Might I suggest that you add a word of caution to the Public Access Point bit above about SFTP as not everyone reads comments?

        Have a fantastic day!

  2. I am not sure what I did wrong, but the .htaccess restriction isn’t working for me. My login page can still be viewed by all IP addresses. Am I missing something?
