Setting IP Restrictions for the WordPress Login Page


Key Takeaways

  • Securing WordPress sites from hackers is essential, with one effective method being to limit access to pre-defined users by setting IP restrictions for the WordPress login page.
  • IP restrictions can be set for both static and dynamic IP addresses, with the former being suitable for sites edited from few locations and the latter for sites edited from various locations due to multiple contributors or regular travel.
  • Setting IP restrictions involves adding specific PHP code to the site’s .htaccess configuration file, which can be found in the site’s root directory; this code should be added to the top of the file to avoid disrupting existing site settings.
  • While setting IP restrictions significantly enhances site security, it’s not a foolproof solution against all potential threats; other security measures, such as strong passwords, two-factor authentication, and regular updates to WordPress software and plugins, should also be employed.

According to a study conducted back in 2013, approximately 30,000 websites are hacked every day. It goes without saying that you need to take measures to protect your site from hackers.

Securing your own data is important, but letting your visitors know that their data is safe is even more so. A protected site is a credible site.

There are several methods you can adopt to lower the chances of your WordPress site being hacked. Limiting access to a pre-defined set of users is one of them. In this article, we’ll walk you through a step-by-step procedure to set IP restrictions for the WordPress login page.

Before we move on to the tutorial, let’s quickly go over some WordPress security threats that your site faces.

WordPress Security Threats

Brute Force Login Attempts – When a hacker tries to access your site by attempting to log in using an extensive list of username-password combinations.

Login Information Confirmation – WordPress informs the user which part of the login credentials they’ve entered incorrectly. For instance, if your username is correct but password doesn’t match, WordPress will inform the user of it. This makes brute force attacks much, much easier.

WordPress Version – If a hacker finds out the version of WordPress you’re using they can use version-specific vulnerabilities to gain access to your site.

WordPress Global Registration – By default, WordPress does not allow users from all over the world to register with your site. This option should remain disabled as a preventive measure.

Access to Themes and Plugins – WordPress site owners give access to file editing functionality which may prove to be a security issue if your site is hacked, so it is generally advised against.

Let’s look at some preliminary steps that you need to take before altering your site’s files.

A Few Safety Measures

In this tutorial, we will be adding PHP code to the site’s .htaccess configuration file. As a precautionary measure, the first step is to back up the configuration file.

Some of you might also want to backup your entire site before you get started. Taking regular backups of your site is a good habit and should definitely be done before making any large-scale alterations to it. VaultPress is a great plugin that’ll get the job done.

Static IP Versus Dynamic IP

In this tutorial we’ll show you how you can restrict access to your WordPress site’s Dashboard on both static IP addresses and dynamic IP addresses.

The Static IP Address tutorial should be followed if you edit your site from your desktop or a few other locations. In this case, your IP address doesn’t change i.e. it remains static.

The Dynamic IP Address tutorial should be followed if your site is edited from several locations. Your IP address changes frequently if:

  • Other team members access the website from different locations to edit it
  • You use a mobile device to edit your website
  • You travel regularly and need access to your site from different locations

Now that the basics are out of the way, let’s get started.

Getting Started

The first step to setting IP restrictions to your WordPress login page is knowing what your IP address is. If you don’t already know, you can check it via sites like whatismyipaddress.com.

As we mentioned above, we’ll be making changes in the .htaccess configuration file. The second step is to locate that file, which lives in your site’s root directory. Log in with cPanel or an FTP client and locate it. If you don’t have a .htaccess configuration file for some reason, you can create one yourself.

Once you’ve found it, step three is to find a suitable text editor so that you can add code to the configuration file. We recommend that you use cPanel’s built-in text editor or a desktop specific text editor (such as Notepad) to edit the .htaccess configuration file.

Note: All code will be added to the very top of the .htaccess configuration file to reduce the chance of disrupting existing site settings.

Setting IP Restrictions Using Static IP Address

If your IP address doesn’t change frequently or if you access your site from a few, known IP addresses then you can set IP restrictions using the static IP address approach. In this tutorial, you’ll be able to create a safe IP list for those users (IP addresses) who access your WordPress site’s login page.

How to Set IP Restrictions Using Static IP Address

  • Open your site’s .htaccess configuration file in cPanel (or any text editor).
  • Add the following code to the top of the .htaccess configuration file (Gist is also available).

    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^12\.345\.678\.90$
    RewriteCond %{REMOTE_ADDR} !^IP Address InsertTwo$
    RewriteCond %{REMOTE_ADDR} !^IP Address InsertThree$
    RewriteRule ^(.*)$ - [R=403,L]
    
  • Save the .htaccess configuration file.

Editing the Code

All you have to do now is edit line 4 and line 5 (line 9 and line 10 in the Gist) and add the IP addresses that are permitted to access the WordPress login page. To do this, replace IP Address InsertTwo$ and IP Address InsertThree$ with the IP addresses you want to grant login access to. Each IP address should be in the format shown in line 3 (line 8 in the Gist).

Adding or Removing Authorized Users

If you’d like to grant login access to more IP addresses you can simply copy-paste RewriteCond %{REMOTE_ADDR} !^IP Address Insert$ and insert the IP address in place of IP Address Insert$. Similarly, if you’d like to grant access to only one or two, then remove the extra RewriteCond %{REMOTE_ADDR} lines from the code.
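As an added example (not the article's or the Gist's code), this Python helper generates the RewriteCond lines for an allowlist, validating each address, escaping the dots and anchoring both ends; it also models the rule to show why the trailing $ matters. The function names and the sample addresses are assumptions made for illustration, and only IPv4 is handled.

```python
import ipaddress
import re

# Constructed sample allowlist (RFC 5737 documentation addresses).
ALLOWED = ["203.0.113.10", "198.51.100.7"]


def rewrite_conds(allowed_ips, anchor_end=True):
    """Build one negated RewriteCond per address, with the dots escaped.

    ipaddress rejects typos and leftover placeholders (for example an
    octet above 255) before they reach .htaccess, where such a pattern
    would match no client at all.
    """
    lines = []
    for raw in allowed_ips:
        ip = ipaddress.IPv4Address(raw.strip())  # ValueError if malformed
        pattern = "^" + re.escape(str(ip)) + ("$" if anchor_end else "")
        lines.append("RewriteCond %{REMOTE_ADDR} !" + pattern)
    return lines


def is_allowed(remote_addr, cond_lines):
    """Model the rule set: the 403 fires only when every negated pattern
    fails to match, so a single matching pattern lets the client in."""
    patterns = [line.split(" !", 1)[1] for line in cond_lines]
    return any(re.search(p, remote_addr) for p in patterns)


if __name__ == "__main__":
    for line in rewrite_conds(ALLOWED):
        print(line)
    # 203.0.113.100 shares a prefix with an allowed address: it is let
    # in only when the pattern lacks its trailing $ anchor.
    print(is_allowed("203.0.113.100", rewrite_conds(ALLOWED)))
    print(is_allowed("203.0.113.100", rewrite_conds(ALLOWED, anchor_end=False)))
```

Paste the printed lines in place of the existing RewriteCond %{REMOTE_ADDR} lines, and keep the backup of the original file until you have confirmed you can still log in.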

What Happens When an Unauthorized User Visits the Page?

Now that you’ve set the IP restrictions, when an unauthorized user visits your site’s login page or the wp-admin page they’ll see your current theme’s 404 Error page.

If you follow the Gist, you’ll notice that the code caters for a redirect loop in the first two lines. You’ll have to change your-site's-path in line 1 and line 2 to the correct path of your site.

Setting IP Restrictions Using a Dynamic IP Address

Some of you might have to grant login access to several users, whether it’s because your site has many contributors or because you’re running a Multisite network. The fundamental fact is that there are several, dynamically changing IP addresses that need to log in to your site’s dashboard.

How to Set IP Restrictions Using a Dynamic IP Address

  • Open your site’s .htaccess configuration file in cPanel (or any text editor).
  • Add the following code to the top of the .htaccess configuration file (Gist is also available).

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !^https?://(.*)?your-site's-name.com [NC]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteRule ^(.*)$ - [F]
    
  • Save the .htaccess configuration file.

Editing the Code

To make the code applicable to your site, substitute your-site's-name.com in line 3 (line 7 in the Gist) with the URL to your WordPress site.

The Gist version of this code also caters for a redirect loop in the first two lines. You’ll have to change your-site's-path in line 1 and line 2 to the correct path of your site. By doing this a 404 Error page will be displayed if your site is thrown into a redirect loop.

Code’s Functionality

This code restricts access to hackers who use brute force attacks to gain access to your WordPress site through bots. Hackers try to access your site externally. Adding this code to the .htaccess configuration file means that only visitors who navigate to the page via your actual site i.e. internally, will be able to access the site’s login page or wp-admin page.
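The rule set above keys on the request method and the Referer header rather than on the client's address. The following added example (not from the article or its Gist) models the four conditions in Python over constructed requests, with example.com as a hypothetical stand-in for the site name, and compares a Referer pattern that accepts only http:// with one that accepts either scheme.

```python
import re

# example.com is a hypothetical site name standing in for the placeholder.
HTTP_ONLY = r"^http://(.*)?example\.com"
ANY_SCHEME = r"^https?://(.*)?example\.com"


def blocked(method, uri, referer, referer_re):
    """True when all RewriteCond lines hold, i.e. the [F] rule fires."""
    is_post = method == "POST"
    # Apache sees an empty string when the header is absent; [NC] ignores case.
    off_site = re.search(referer_re, referer or "", re.IGNORECASE) is None
    login_uri = bool(re.search(r"^(.*)?wp-login\.php(.*)$", uri)
                     or re.search(r"^(.*)?wp-admin$", uri))
    return is_post and off_site and login_uri


# Constructed sample requests: (method, URI, Referer header or None).
SAMPLES = [
    ("POST", "/wp-login.php", None),                                # no Referer
    ("POST", "/wp-login.php", "http://other.test/form"),            # other site
    ("POST", "/wp-login.php", "https://example.com/wp-login.php"),  # own form, HTTPS
    ("GET", "/wp-login.php", None),                                 # viewing the form
    ("POST", "/wp-comments-post.php", None),                        # not a login URI
]


def decisions(referer_re):
    """Return the block/allow decision for each sample request."""
    return [blocked(m, u, r, referer_re) for m, u, r in SAMPLES]


if __name__ == "__main__":
    for sample, a, b in zip(SAMPLES, decisions(HTTP_ONLY), decisions(ANY_SCHEME)):
        print(sample, "http-only:", a, "either scheme:", b)
```

The third sample shows that a site served over HTTPS rejects its own login form when the pattern accepts only http://. The Referer header is supplied by the client, so this rule screens out automated POSTs that omit it rather than identifying who is logging in, which is why the other measures named in the takeaways still apply.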

Wrapping It Up

There’s no one solution that will guarantee your site protection from every possible threat. Setting IP restrictions for the WordPress login page will go a long way to protect your site from brute force attacks.

If you’d like more information on WordPress security, you can read Preventing Brute Force Attacks Against WordPress Websites by Narayan Prusty and Tim Carr’s 10 Tips to Secure WordPress.

Has your WordPress site ever faced a security threat? What measures do you take to protect your site from security threats? Let us know in the comments section below.

Frequently Asked Questions (FAQs) on Setting IP Restrictions to the WordPress Login Page

What are the benefits of setting IP restrictions to the WordPress login page?

Setting IP restrictions to your WordPress login page significantly enhances the security of your website. By limiting access to specific IP addresses, you reduce the risk of unauthorized access, brute force attacks, and hacking attempts. This is particularly beneficial for websites that contain sensitive information. Additionally, IP restrictions can help manage traffic to your site, reducing the load on your server and improving site performance.

How can I find my IP address to set up restrictions?

You can easily find your IP address by doing a quick search on Google for “What is my IP address”. The result will show your public IP address. You can then use this IP address to set up restrictions on your WordPress login page.

Can I set IP restrictions for multiple users?

Yes, you can set IP restrictions for multiple users. You simply need to know the IP addresses of the users you want to grant access to. You can then add these IP addresses to the .htaccess file in your WordPress directory.

What happens if I accidentally block my own IP address?

If you accidentally block your own IP address, you will not be able to access your WordPress login page. To resolve this, you will need to access your site’s files via an FTP client or your hosting provider’s file manager and remove your IP address from the .htaccess file.

Can I still access my site from different locations if I set IP restrictions?

If you set IP restrictions, you will only be able to access your WordPress login page from the IP addresses you have specified. If you need to access your site from different locations, you will need to add the IP addresses of these locations to the .htaccess file.

Is setting IP restrictions the only way to secure my WordPress login page?

While setting IP restrictions is a highly effective way to secure your WordPress login page, it is not the only method. Other security measures include using strong passwords, enabling two-factor authentication, and regularly updating your WordPress software and plugins.

What if my IP address changes?

If your IP address changes, you will need to update the .htaccess file with your new IP address. If you have a dynamic IP address that changes frequently, you may want to consider using a different method to secure your WordPress login page.

Can I set IP restrictions on a WordPress.com site?

No, you cannot set IP restrictions on a WordPress.com site. This feature is only available for self-hosted WordPress sites.

How can I remove IP restrictions from my WordPress login page?

To remove IP restrictions, you will need to access your .htaccess file and remove the lines of code that set the restrictions. Be sure to save the changes and clear your site’s cache to ensure the changes take effect.

Can I set IP restrictions for specific pages on my WordPress site?

Yes, you can set IP restrictions for specific pages on your WordPress site. You will need to modify the .htaccess file in the directory of the specific page you want to restrict.

Rafay Saeed Ansari

Rafay is an entrepreneur, computer scientist, and professional ghost-writer for several high-traffic websites. He provides byline and ghost-writing services for digital and brick-and-mortar businesses with a focus on web development, WordPress, and entrepreneurship.
