Last updated on May 11th, 2024 at 11:23 pm
If you only administer your site from a few locations (or less), it's easy to restrict access to wp-admin to your own IP address.
Image by Naji Habib on Pixabay
This post may contain affiliate links. We may earn a commission if you purchase an item through our links. It costs you nothing and helps us to fund this blog. Please see our Affiliate Disclosure & Notification for details.
Protecting the wp-admin directory in your WordPress website is one of the most important security steps you can take. If you only administer your site from a few locations (or less), it’s easy to restrict access to wp-admin to your own IP address.
Determine the Allowed IP Addresses
First you must figure out the IP addresses you want to access your WordPress Admin dashboard from.
To do this, simply type “what is my ip address” into Google from the computers you plan on using. This will return your public IP address.
If you typically work on your WordPress websites from home, keep in mind that most home Internet Service Providers don’t assign static IP addresses. Your IP address will eventually change and you’ll have to go back and modify the setting we’re about to change in the next session.
If you’re working from a business office, chances are the IP address will never change.
Modifying the .htaccess File
Your .htaccess file can be accessed either by FTP to your web hosting company or through the File Manager in cPanel.
Open your .htaccess file and add the following lines of code to the top while changing the 192\.168\.1\1 to match the IP addresses you wish to access your wp-admin directory from.
# BEGIN wp-admin restriction based on IP address
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.1$
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.1$
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.1$
RewriteRule ^(.*)$ - [R=403,L]
# END IP restrictionThe above example has 3 lines for different IP addresses, but if you only had one IP address you wanted to whitelist, you could delete the other two lines.
Additionally, you could add more lines to whitelist more IPs. In theory, there’s no limit to the number of IPs you could add to the list.
Special Considerations
Depending on which plugins you use on your site, it’s possible you may also need to add your site’s own IP address into the whitelist as well.
This is because some applications call back anonymously to the wp-admin portion of their own site. Central management dashboards such as MainWP do this as part of their normal operation. Without the site’s own IP in the whitelist, these callbacks will fail.
Restricting wp-admin Access: Conclusion
Obviously, restricting wp-admin by IP isn’t the end all of WordPress security. There are plenty of other things you should be doing to lock down your websites.
However, it’s important as part of a comprehensive security plan.
Sharif Jameel is a business owner, IT professional, runner, & musician. His professional certifications include CASP, Sec+, Net+, MCSA, & ITIL and others. He’s also the guitar player for the Baltimore-based cover bands, Liquifaction and Minority Report.
Subscribe to Our Mailing List
If you found the information in this post helpful, we'd love to have you join our mailing list. We promise we won't spam you, we only send out emails once a month or less.