Last updated on November 7th, 2023 at 08:02 pm

If you only administer your site from a few locations (or less), it's easy to restrict access to wp-admin to your own IP address.

Technology Word Cloud on Dark Background

Protecting the wp-admin directory in your WordPress website is one of the most important security steps you can take. If you only administer your site from a few locations (or less), it’s easy to restrict access to wp-admin to your own IP address.

Determine the Allowed IP Addresses

First you must figure out the IP addresses you want to access your WordPress Admin dashboard from.

To do this, simply type “what is my ip address” into Google from the computers you plan on using. This will return your public IP address.

What is My IP

If you typically work on your WordPress websites from home, keep in mind that most home Internet Service Providers don’t assign static IP addresses. Your IP address will eventually change and you’ll have to go back and modify the setting we’re about to change in the next session.

If you’re working from a business office, chances are the IP address will never change.

Modifying the .htaccess File

Your .htaccess file can be accessed either by FTP to your web hosting company or through the File Manager in cPanel.

Open your .htaccess file and add the following lines of code to the top while changing the 192\.168\.1\1 to match the IP addresses you wish to access your wp-admin directory from.

# BEGIN wp-admin restriction based on IP address
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.1$
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.1$
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.1$
RewriteRule ^(.*)$ - [R=403,L]
# END IP restriction

The above example has 3 lines for different IP addresses, but if you only had one IP address you wanted to whitelist, you could delete the other two lines.

Additionally, you could add more lines to whitelist more IPs. In theory, there’s no limit to the number of IPs you could add to the list.

Special Considerations

Depending on which plugins you use on your site, it’s possible you may also need to add your site’s own IP address into the whitelist as well.

This is because some applications call back anonymously to the wp-admin portion of their own site. Central management dashboards such as MainWP do this as part of their normal operation. Without the site’s own IP in the whitelist, these callbacks will fail.

Restricting wp-admin Access: Conclusion

Obviously, restricting wp-admin by IP isn’t the end all of WordPress security. There are plenty of other things you should be doing to lock down your websites.

However, it’s important as part of a comprehensive security plan.

Sharif Jameel is a business owner, IT professional, runner, & musician. His professional certifications include CASP, Sec+, Net+, MCSA, & ITIL and others. He’s also the guitar player for the Baltimore-based cover bands, Liquifaction and Minority Report.

Leave a Comment

Your email address will not be published. Required fields are marked *

Subscribe to Our Mailing List

If you found the information in this post helpful, we'd love to have you join our mailing list. We promise we won't spam you, we only send out emails once a month or less.

You May Also Like:

This site requires the use of cookies to ensure you get the best experience.

Scroll to Top
Available for Amazon Prime