Limit Access to the WordPress Login Page to Specific IP Addresses

Securing your site is important. After all, it means you are protecting not only your personal information and data, but also any information your users share on your site.

If you are concerned about someone trying to crack your WordPress username and password, then you definitely want to create a strong username and password. But even with that, hackers will still try brute force attacks and many other methods to get through the door of your WordPress website.

There are many ways you can secure your site that aren’t too difficult to implement, including limiting access to your login page and admin dashboard to legitimate users.

In this Weekend WordPress Project we’ll look at limiting access by one or more static IP addresses as well as a solution for dynamic IP addresses and sites with multiple users.

The WordPress login page.
All it takes to limit access to genuine users is a tiny bit of coding, but I promise it will be an easy cut-and-paste solution.

Basic Housekeeping

We’ll be making changes to the .htaccess configuration file, so it’s important to back up that file first. You may also want to back up your entire site before proceeding so that if anything goes wrong you can restore it.

Our Snapshot plugin is a great option for full backups. There are also other third party services available, such as VaultPress and BackupBuddy. Regularly backing up your site is a great habit to keep, so if you don’t already do it, now might be the time to start.

Once you’re done backing up your site, you’re ready to start making your site a little more secure.

Getting Started

We’ll be looking at two options for limiting access to the WordPress dashboard:

  • One or Multiple Static IP Addresses – This is the option for you if your IP address doesn’t change (it’s static) because you edit your site from your desktop or from a small number of other locations.
  • Multiple Dynamic IP Addresses – If your IP address regularly changes because you use your phone, you travel a lot and need access to your admin dashboard, or you have users requiring access from multiple locations.

If you’re not sure what your IP address happens to be, just ask Google. Just type in “What is my IP” and Google will tell you.

Accessing Your .htaccess File

The .htaccess file lives in the root of your website, so log in via FTP or cPanel and locate the file there. If you don’t have one already, you can create one.

You can edit the file directly in cPanel, or using a text editor. The very top of the file is the safest place to add the necessary code. Let’s review the two options for limiting access by IP address:

Single Site Users and Access by Static IP Addresses

If you are the only one who manages your site, there are only a handful of people who do, or your IP address doesn’t change often, this option is for you. You’ll be able to add one or more IP addresses to the safe list of users who can access the login page for your site.

Add the following code to your .htaccess file. Don’t forget to hit Save before closing the window.

Just edit lines eight through ten to add the IP addresses that need access to the admin dashboard and login page, replacing “IP Address One,” “IP Address Two” and “IP Address Three” in the example above.

You can delete two of those lines if you only need to add one IP address, or copy and paste them to add more to the list.

When an unauthorized visitor tries to access that page, they’ll see your current theme’s 404.php file.

It will also be shown if your site is thrown into a redirect loop, which is handled on lines one and two. Just don’t forget to update those lines with the correct path to the file, replacing path-to-your-site.
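Because the article’s snippet is not reproduced on this page, here is an added example of the same static-IP allowlist, written for this page rather than taken from the article or WPMU DEV. It assumes WordPress is installed at the document root (so the error pages are /index.php) and that AllowOverride permits FileInfo (for mod_rewrite) and AuthConfig (for Require); the addresses 203.0.113.4, 198.51.100.27, 198.51.100.0/24 and 2001:db8:1234:5678::/64 are made-up documentation-range values. It also goes a little beyond the article: the wp-admin rule covers the whole directory rather than the bare /wp-admin path, admin-ajax.php is left reachable because front-end plugins call it for anonymous visitors, and a second, commented-out form shows how Apache 2.4’s Require ip allows a whole range or an IPv6 prefix instead of single addresses.

```apache
# Added example (written for this page, not the article's or WPMU DEV's own
# snippet): allow the login page and admin area only from listed addresses.
# Assumes WordPress at the document root and AllowOverride permitting FileInfo
# (mod_rewrite) and AuthConfig (Require). All addresses below are made-up
# documentation-range values; replace them with your own.

# Send 401/403 to WordPress so the visitor sees the theme's 404.php.
# ErrorDocument takes a URL path under the document root, not a server
# folder path; for a site served from /blog/ this would be /blog/index.php.
ErrorDocument 401 /index.php?error=404
ErrorDocument 403 /index.php?error=404

# Form A: mod_rewrite, the same shape as the article's snippet.
RewriteEngine On
# Which requests are protected: the login page, or anything under wp-admin/
# (the article's pattern ends in wp-admin$ and so only covers the bare path).
RewriteCond %{REQUEST_URI} /wp-login\.php$ [NC,OR]
RewriteCond %{REQUEST_URI} /wp-admin(/|$) [NC]
# admin-ajax.php is called by front-end plugins for anonymous visitors, so it
# stays reachable; drop this line if nothing on your site uses it.
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$ [NC]
# Allowlist: a request from any address NOT matched here falls through to the
# block. Dots are escaped so 203.0.113.4 cannot also match 203a0b113c4.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.4$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.27$
# No substitution, just a 403 (the article's [R=403,L] produces the same).
RewriteRule ^ - [F]

# Form B (an alternative to A, so keep one of the two commented out): Apache
# 2.4's Require ip understands CIDR and IPv6 prefixes, so a whole office range
# or a home IPv6 /64 can be allowed without listing single addresses.
# <Files> cannot match a directory; to protect wp-admin/ the same way, put a
# .htaccess containing just the Require line inside that directory.
# <Files "wp-login.php">
#     Require ip 203.0.113.4 198.51.100.0/24 2001:db8:1234:5678::/64
# </Files>
```

Two caveats worth checking before relying on this. REMOTE_ADDR is the address of whatever connected to Apache: behind a CDN or reverse proxy it is the proxy’s address, so the rule would then block or allow everyone alike until mod_remoteip restores the real client address. And the test is simple: fetch https://your-site.com/wp-login.php once from an allowed connection and once from one that is not; the first should get the login form, the second your theme’s 404 page.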

Multisites, Multiple Users and Dynamic IP Addresses

If you have multiple users who require access to the dashboard because you’re running a Multisite network, have many contributors, need to grant login access from multiple locations or otherwise have a dynamic IP address, this is the solution you need.

Enter the following code in your .htaccess file:

All you need to do is replace your-site.com with your site’s URL and update the file path in the first two lines. Just like the previous example, this code also includes the extra 404 error page code that guards against your site being thrown into a redirect loop.

Hackers usually try to access the login page and admin area externally, using bots to run brute force attacks. This code restricts their access while still allowing every visitor who reaches the page through your actual site.

This means that legitimate users won’t notice the difference. If you have a security plugin installed that informs you of failed login attempts, you’ll notice a dramatic fall in the number you get.
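The article’s dynamic-IP snippet is not reproduced on this page; the comment thread below describes it as turning away external POST requests to the login page while letting anyone who actually visits the page log in. The following is an added example written for this page, not the article’s own code, and it is an assumption about what that snippet does: it implements the description with a Referer check on POSTs to wp-login.php. It assumes WordPress at the document root and uses your-site.com as a placeholder for the real hostname.

```apache
# Added example (an assumption about the article's missing snippet, not the
# article's code): block POSTs to wp-login.php that do not originate from a
# page on this site. your-site.com is a placeholder for the real hostname.
ErrorDocument 401 /index.php?error=404
ErrorDocument 403 /index.php?error=404

RewriteEngine On
# Only login submissions are filtered; GET still serves the form to everyone,
# so a real user who loads the page first is never affected.
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteCond %{REQUEST_URI} /wp-login\.php$ [NC]
# A missing Referer fails this test too, which is what catches most scripted
# logins: they submit credentials directly without loading the form first.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?your-site\.com/ [NC]
RewriteRule ^ - [F]
```

Referer is supplied by the client, so this is a nuisance filter that cuts log noise, not a trust boundary; the strong password the article asks for still does the real work. It covers only wp-login.php, so any other endpoint that accepts a password (xmlrpc.php, if it is enabled) needs its own rule. Browsers or extensions configured to send no Referer at all will be locked out, so test with the browsers your users rely on. To verify: `curl -s -o /dev/null -w '%{http_code}\n' -X POST https://your-site.com/wp-login.php` should come back with the theme’s 404 page, while the same command with `-H 'Referer: https://your-site.com/wp-login.php'` added should reach WordPress and return the login form.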

Conclusion

Although this fix won’t completely protect your site from every threat, it will go some way toward protecting you from brute force attacks.

If you would like to read more about securing your site, check out our WordPress Security Essentials series and our posts WordPress Security: The Ultimate Guide, and Creating A Disaster Recovery Plan For Your WordPress Site.

If you would like to learn about securing your site further with an SSL certificate, take a look at our post How to Use SSL and HTTPS with WordPress. In fact, we have so many posts about securing your site, you can see them all by searching the terms “wordpress security essentials.”

We also have reviews on some of the most popular security plugins: Wordfence Security Review and Securing Your WordPress Site: iThemes Free Security Plugin Review.

What are your favorite ways to secure your site? Let me know in the comments below.

14 Responses

    Kimberly

    an actual sample would be more helpful for some of us who aren’t fluent in PHP :D

    Where do you put the actual IP address in this code — “RewriteCond %{REMOTE_ADDR} !^IP Address One$” ?

    Would it be: RewriteCond %{REMOTE_ADDR} !^IP Address 0.0.0.0$
    or
    RewriteCond %{REMOTE_ADDR} !^IP Address 0.0.0.0 (without the $)

    Just a little bit of clarification would be fabulous :D Thanks

      Jenni McKinnon

      Hey Kimberly,

      You would replace the words “IP Address One” and also “IP Address Two” and “IP Address Three.” Leave the punctuation intact. If you only need to add one IP address, you can delete the other two lines that contain “IP Address Two” and “IP Address Three.”

      You’ll end up with something that looks like this:

      RewriteCond %{REMOTE_ADDR} !^0.0.0.0$
      RewriteCond %{REMOTE_ADDR} !^1.1.1.1$
      RewriteCond %{REMOTE_ADDR} !^2.2.2.2$

      Hopefully that clears things up. Let me know if you have any more questions. Thanks for asking. :)

      Cheers,

      Jenni McKinnon

        Kimberly

        Yes it does, Jenni! Thank you so much!! I used the dynamic IP code on one site and I’ve already seen a difference in the past several days :D I’m adding the static code to my main blogsite today! Again! Thank you so much for clarifying! :D

          Jenni McKinnon

          Hey Kimberly,

          I’m very glad to hear it! I added the same code to my sites and I noticed a huge difference, too! Glad I could help clarify!

          Cheers,

          Jenni McKinnon

    Gray

    As I and my other developers are using IPv6 connections, having rules that allow us to access the login would be great. IPv6 addresses tend to change quite frequently, about every day or so.

    Could you please explain HOW your code snippet for Dynamic IP Addresses actually works? The explanation of “bots try to hack using brute force” doesn’t quite do it.

    Thanks!

      Jenni McKinnon

      Hey Gray,

      Sure, I can clarify that for you. :) Many hackers try to log into WordPress sites externally through post requests using bots. These code snippets will allow access to only those who fit the requirements defined in the code. For dynamic IP addresses (and the second snippet of code) that means that only people who visit the actual login page will have access to it.

      Only people who type in http://www.your-site.com/wp-login.php or http://www.your-site.com/wp-admin will be able to access the page to log in. Bots who try to access the page externally will not be granted access since they’re not visiting the actual page.

      Hope that makes more sense. Let me know if you have any more questions. :)

      Cheers,

      Jenni McKinnon

    Mark

    Another WordPress novice question…
    When you say, “Just don’t forget to update those lines with your correct path to the file, replacing path-to-your-site.”, what do you use for path-to-your-site? “http://www.mydomain.com” or something else?

      Jenni McKinnon

      Hey Mark,

      What I mean is the full folder path on your server. For example, home/username/public_html/index.php. If you’re not sure what the correct server path is, you can check with your hosting company. They will be able to tell you. You can also see it in the top left corner of the File Manager in cPanel.

      Hope that helps.

      Cheers,

      Jenni McKinnon

    burlingtonbeachrentals

    Hi there,

    You mentioned the safest place to put the code is the very top of the file... does this mean after the title?? When I open my file it looks like this:

    DirectoryIndex index.php

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    Where exactly would I insert your suggested code? Thank you so much for this info. Just got back in town to see my site was shut down due to malware …. not the best welcome home lol

      thinkDelaney

      Hi
      You would insert this code ahead of / before the WordPress section. For example:

      ErrorDocument 401 /path-to-your-site/index.php?error=404
      ErrorDocument 403 /path-to-your-site/index.php?error=404

      RewriteEngine on
      RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
      RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
      RewriteCond %{REMOTE_ADDR} !^IP Address One$
      RewriteCond %{REMOTE_ADDR} !^IP Address Two$
      RewriteCond %{REMOTE_ADDR} !^IP Address Three$
      RewriteRule ^(.*)$ - [R=403,L]

      # BEGIN WordPress

      RewriteEngine On
      RewriteBase /
      RewriteRule ^index\.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]

      # END WordPress

      Jenni McKinnon

      Hey burlingtonbeachrentals,

      @thinkDelaney is absolutely right (thanks for that thinkDelaney!).

      The code definitely needs to be before the # BEGIN WordPress tag and can also be placed above the DirectoryIndex index.php, at the very top of the file.

      I’m sorry to hear your site got shut down, that’s terrible! I hope you were able to resolve it quickly.

      Cheers,

      Jenni McKinnon