Limit Access to the WordPress Login Page to Specific IP Addresses

Securing your site is important. After all, it means you are protecting not only your personal information and data, but also any information your users share on your site.

If you are concerned about someone trying to crack your WordPress username and password, then you definitely want to create a strong usernames and password. But, even with that, hackers will still try brute force attacks and many other methods to try to crack the door on your WordPress website.

There are many ways you can secure that aren’t too difficult to implement, including limiting access to your login page and admin dashboard to legitimate users.

In this Weekend WordPress Project we’ll look at limiting access by one or more static IP addresses as well as a solution for dynamic IP addresses and sites with multiple users.

The WordPress login page.
All it takes to limit access to genuine users is a tiny bit of coding, but I promise it will be an easy cut-and-paste solution.

Basic Housekeeping

We’ll be making changes to the .htaccess configuration file so it’s important to backup that file. You may want to also backup your entire site before proceeding so it anything goes wrong you can restore your site.

Our Snapshot plugin is a great option for full backups. There are also other third party services available, such as VaultPress and BackupBuddy. Regularly backing up your site is a great habit to keep so if you don’t already do it now might be the time to start.

Once you’re done backing up your site, you’re ready to start making you site a little more secure.

Getting Started

We’ll be looking at two options for limiting access to the WordPress dashboard:

  • One or Multiple Static IP Addresses - This is the option for you if your IP address doesn’t change (it’s static) because you edit your site from your desktop or a small number of other locations to edit your site.
  • Multiple Dynamic IP Addresses – If your IP address regularly changes because you use your phone, you travel a lot and need access to your admin dashboard, or you have users requiring access from multiple locations.

If you’re not sure what your IP address happens to be, just ask Google. Just type in “What is my IP” and Google will tell you.

Accessing Your .htaccess File

The .htaccess files lives in the root of your website, so if you use FTP or cPanel login and locate the file. If you don’t have one already, you can create one.

You can edit the file directly in cPanel, or using a text editor. The very top of the file is the safest place to add the necessary code. Let’s review the two options for limiting IP address:

Single Site Users and Access by Static IP Addresses

If you are the only one who manages your site,there are only a handful of people who do, or your IP address doesn’t change often, this option is for you. You’ll be able to add one or more IP addresses to the safe list of users who can access the login page for your site.

Add the following code to your .htaccess file. Don’t forget to hit Save before closing the window.

Just edit lines eight through 10 to add the IP addresses that need access to the admin dashboard and login page replacing IP Address “One,” “Two” and “Three” in the example above.

You can delete two of those lines if you only need to add one IP address or copy and paste them to add more to the list.

When an unauthorized visitor tries to access that page, they’ll see your current theme’s 404.php file.

It will also show up in the event that your site is thrown into a redirect loop ,which is defined on lines one and two.  Just don’t forget to update those lines with your correct path to the file, replacing path-to-your-site.

Multisites, Multiple Users and Dynamic IP Addresses

If you have multiple users who require access to the dashboard because you’re running a Multisite network, have many contributors, need to grant login access from multiple locations or otherwise have a dynamic IP address, this is the solution you need.

Enter the following code in your .htaccess file:

All you need to do is replace your-site.com with your site’s URL and update the file path in the first two lines. Just like the previous example, this code also includes the extra 404 error page code that will remedy the potential situation of your site being thrown into a redirect loop.

Hackers usually try to access the login page and admin area externally using brute force attacks with bots. This code will restrict access to them while allowing access to all visitors who visit the page through your actual site.

This means that legitimate users won’t notice the difference. If you have a security plugin installed that informs you of failed login attempts, you’ll notice a dramatic fall in the number you get.

Conclusion

Although this fix won’t completely protect your site from every threat, it will help go some way to protecting you from brute force attacks.

If you would like to read more about securing your site, check out our WordPress Security Essentials series and our posts WordPress Security: The Ultimate Guide, and Creating A Disaster Recovery Plan For Your WordPress Site.

If you would like to learn about securing your site further with an SSL certificate, take a look at our post How to Use SSL and HTTPS with WordPress. I fact, we have so many posts about securing your site, you can see them all by searching the terms “wordpress security essentials.”

We also have reviews on some of the most popular security plugins: Wordfence Security Review and Securing Your WordPress Site: iThemes Free Security Plugin Review.

What are your favorite ways to secure your site? Let me know in the comments below.