Setting IP Restrictions for the WordPress Login Page — SitePoint

According to a study conducted back in 2013, approximately 30,000 websites are hacked every day. It goes without saying that you need to take measures to protect your site from hackers.
Securing your own data is important, but letting your visitors know that their data is safe is even more so. A protected site is a credible site.
There are several methods you can adopt to lower the chances of your WordPress site being hacked. Limiting access to a pre-defined set of users is one of them. In this article, we’ll walk you through a step-by-step procedure to set IP restrictions for the WordPress login page.
WordPress Login Page
Before we move on to the tutorial, let’s quickly go over some WordPress security threats that your site faces.
Brute Force Login Attempts – When a hacker tries to access your site by attempting to log in using an extensive list of username-password combinations.
Login Information Confirmation – WordPress informs the user which part of the login credentials they’ve entered incorrectly. For instance, if your username is correct but the password doesn’t match, WordPress will inform the user of it. This makes brute force attacks much, much easier.
WordPress Version – If a hacker finds out the version of WordPress you’re using, they can use version-specific vulnerabilities to gain access to your site.
WordPress Global Registration – By default, WordPress does not allow users from all over the world to register with your site. This option should remain disabled as a preventive measure.
Access to Themes and Plugins – WordPress site owners give access to file editing functionality, which may prove to be a security issue if your site is hacked, so it is generally advised against.
Let’s look at some preliminary steps that you need to take before altering your site’s files.
In this tutorial, we will be adding Apache rewrite directives to the site’s .htaccess configuration file. As a precautionary measure, the first step is to back up the configuration file.
Some of you might also want to back up your entire site before you get started. Taking regular backups of your site is a good habit and should definitely be done before making any large-scale alterations to it. VaultPress is a great plugin that’ll get the job done.
In this tutorial we’ll show you how you can restrict access to your WordPress site’s Dashboard for both static IP addresses and dynamic IP addresses.
The Static IP Address tutorial should be followed if you edit your site from your desktop or a few other locations. In this case, your IP address doesn’t change i.e. it remains static.
The Dynamic IP Address tutorial should be followed if your site is edited from several locations. Your IP address changes frequently if:
Now that the basics are out of the way, let’s get started.
The first step to setting IP restrictions to your WordPress login page is knowing what your IP address is. If you don’t already know, you can check it via sites like
As we mentioned above, we’ll be making changes in the .htaccess configuration file. The second step is to locate your site’s .htaccess configuration file, which sits in your site’s root directory. If you don’t have a .htaccess configuration file for some reason, you can create one yourself. Log in with cPanel or an FTP client and locate your file.
Once you’ve found it, step three is to find a suitable text editor so that you can add code to the configuration file. We recommend that you use cPanel’s built-in text editor or a desktop specific text editor (such as Notepad) to edit the .htaccess configuration file.
Note: All code will be added to the very top of the .htaccess configuration file to reduce the chances of messing up existing site settings.
If your IP address doesn’t change frequently or if you access your site from a few, known IP addresses then you can set IP restrictions using the static IP address approach. In this tutorial, you’ll be able to create a safe IP list for those users (IP addresses) who access your WordPress site’s login page.
Add the following code to the top of the .htaccess configuration file (Gist is also available).
Save the .htaccess configuration file.
All you have to do now is edit line 4 and line 5 (line 9 and line 10 in the Gist) and add the IP addresses that are permitted to access the WordPress login page. To do this, replace IP Address InsertTwo$ and IP Address InsertThree$ with the IP addresses you want to grant login access to. The IP address you give should be in the format specified in line 3 (line 8 in the Gist).
If you’d like to grant login access to more IP addresses you can simply copy-paste RewriteCond %{REMOTE_ADDR} !^IP Address Insert$ and insert the IP address in place of IP Address Insert$. Similarly, if you’d like to grant access to only one or two, then remove the extra RewriteCond %{REMOTE_ADDR} lines from the code.
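The allowlist described above, written out as an added example (not the article’s original listing, so the line numbers mentioned in the text do not apply to it). The addresses and the two URI patterns are assumptions chosen for illustration.

```apache
# Added example. 203.0.113.10 and 198.51.100.7 are constructed
# documentation addresses; substitute your own.
<IfModule mod_rewrite.c>
RewriteEngine On

# Select requests for the login script or the admin area. [OR] joins only
# these two tests; every condition after them is ANDed with the result.
RewriteCond %{REQUEST_URI} /wp-login\.php$ [OR]
RewriteCond %{REQUEST_URI} /wp-admin/?$

# Weak form, kept commented out: without the trailing "$" the pattern is a
# prefix match, so it would also admit 203.0.113.100 through 203.0.113.109.
# RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10

# Corrected form: one negated condition per permitted address, anchored
# with "^" and "$" and with each dot escaped so it matches literally.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.7$

# Reached only when the URI matched and the client is none of the
# addresses above. This example answers 403 Forbidden.
RewriteRule ^ - [F]
</IfModule>

# Alternative for Apache 2.4 that avoids regular expressions entirely
# (Require ip is provided by mod_authz_host):
# <Files "wp-login.php">
#     Require ip 203.0.113.10 198.51.100.7
# </Files>
```

After saving, request the login page from a permitted address and from any other address to confirm that only the second is refused.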
Now that you’ve set the IP restrictions, when an unauthorized user visits your site’s login page or the wp-admin page they’ll see your current theme’s 404 Error page.
If you follow the Gist, you’ll notice that the code caters for a redirect loop in the first two lines. You’ll have to change your-site's-path in line 1 and line 2 to the correct path of your site.
Some of you might have to grant login access to several users whether it’s because your site has many contributors or because you’re running a Multisite network. The fundamental fact is that there are several, dynamically changing IP addresses that need to login to your site’s dashboard.
Add the following code to the top of the .htaccess configuration file (Gist is also available).
Save the .htaccess configuration file.
To make the code applicable to your site, substitute your-site in line 3 (line 7 in the Gist) with the URL to your WordPress site.
The Gist version of this code also caters for a redirect loop in the first two lines. You’ll have to change your-site's-path in line 1 and line 2 to the correct path of your site. By doing this a 404 Error page will be displayed if your site is thrown into a redirect loop.
This code blocks hackers who use bots to run brute force attacks against your WordPress site. Such attempts reach the login page externally. Adding this code to the .htaccess configuration file means that only visitors who navigate to the page via your actual site, i.e. internally, will be able to access the site’s login page or wp-admin page.
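An added example of the kind of rule this section describes, assuming the check is made on the HTTP Referer header of login POST requests; it is not the article’s original listing. The host name example.com and the exact patterns are placeholders.

```apache
# Added example. example.com is a placeholder for your site's host name.
<IfModule mod_rewrite.c>
RewriteEngine On

# Assumption: only form submissions to the login script are inspected.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-login\.php$ [OR]
RewriteCond %{REQUEST_URI} /wp-admin/?$

# Weak form, kept commented out: the host name is not anchored, so any
# Referer that merely contains "example.com" somewhere passes the check.
# RewriteCond %{HTTP_REFERER} !example\.com [NC]

# Corrected form: scheme, optional "www.", the exact host, then "/" or end
# of string. An empty Referer fails the match and is refused as well.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]

RewriteRule ^ - [F]
</IfModule>
```

The Referer header is supplied by the client, so treat this rule as a filter for simple bots and keep an IP allowlist or another control in place wherever the set of editors allows it.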
There’s no one solution that will guarantee your site protection from every possible threat. Setting IP restrictions for the WordPress login page will go a long way to protect your site from brute force attacks.
If you’d like more information on WordPress security, you can read Preventing Brute Force Attacks Against WordPress Websites by Narayan Prusty and Tim Carr’s 10 Tips to Secure WordPress.
Has your WordPress site ever faced a security threat? What measures do you take to protect your site from security threats? Let us know in the comments section below.
Rafay is an entrepreneur, computer scientist, and professional ghost-writer for several high-traffic websites. He provides byline and ghost-writing services for digital and brick-and-mortar businesses with a focus on web development, WordPress, and entrepreneurship.