Setting IP Restrictions for the WordPress Login Page

Key Takeaways

• Securing WordPress sites from hackers is essential, with one effective method being to limit access to pre-defined users by setting IP restrictions for the WordPress login page.
• IP restrictions can be set for both static and dynamic IP addresses, with the former being suitable for sites edited from few locations and the latter for sites edited from various locations due to multiple contributors or regular travel.
• Setting IP restrictions involves adding specific PHP code to the site’s .htaccess configuration file, which can be found in the site’s root directory; this code should be added to the top of the file to avoid disrupting existing site settings.
• While setting IP restrictions significantly enhances site security, it’s not a foolproof solution against all potential threats; other security measures, such as strong passwords, two-factor authentication, and regular updates to WordPress software and plugins, should also be employed.

According to a study conducted back in 2013, approximately 30,000 websites are hacked every day. It goes without saying that you need to take measures to protect your site from hackers.

Securing your own data is important, but letting your visitors know that their data is safe is even more so. A protected site is a credible site.

There are several methods you can adopt to lower the chances of your WordPress site from being hacked. Limiting access to a pre-defined set of users is one of them. In this article, we’ll walk you through a step-by-step procedure to set IP restrictions for the WordPress login page.

Before we move on to the tutorial, let’s quickly go over some WordPress security threats that your site faces.

WordPress Security Threats

Brute Force Login Attempts – When a hacker tries to access your site by attempting to log in using an extensive list of username-password combinations.

Login Information Confirmation – WordPress informs the user which part of the login credentials they’ve entered incorrectly. For instance, if your username is correct but password doesn’t match, WordPress will inform the user of it. This makes brute force attacks much, much easier.

WordPress Version – If a hacker finds out the version of WordPress you’re using they can use version-specific vulnerabilities to gain access to your site.

WordPress Global Registration – By default, WordPress does not allow users from all over the world to register with your site. This option should remain disabled as a preventive measure.

Access to Themes and Plugins – WordPress site owners give access to file editing functionality which may prove to be a security issue is your site is hacked, so it is generally advised against.

Let’s look at some preliminary steps that you need to take before altering your site’s files.

A Few Safety Measures

In this tutorial, we will be adding PHP code to the site’s .htaccess configuration file. As a precautionary measure, the first step is to backup the configuration file.

Some of you might also want to backup your entire site before you get started. Taking regular backups of your site is a good habit and should definitely be done before making any large-scale alterations to it. VaultPress is a great plugin that’ll get the job done.

Static IP Versus Dynamic IP

In this tutorial we’ll show you how you can restrict access to your WordPress site’s Dashboard on both static IP addresses and dynamic IP addresses.

The Static IP Address tutorial should be followed if you edit your site from your desktop or a few other locations. In this case, your IP address doesn’t change i.e. it remains static.

The Dynamic IP Address tutorial should be followed if your site is edited from several locations. Your IP address changes frequently if:

• Other team members access the website from different locations to edit it
• You use a mobile device to edit your website
• You travel regularly and need access to your site from different locations

Now that the basics out of the way, let’s get started.

Getting Started

The first step to setting IP restrictions to your WordPress login page is knowing what your IP address is. If you don’t already know, you can check it via sites like whatismyipaddress.com.

As we mentioned above, we’ll be making changes in the .htaccess configuration file. The second step is to locate your site’s .htaccess configuration file. The .htaccess configuration file is located in your site’s root directory. However, if you don’t have a .htaccess configuration file for some reason you can create one yourself. Login with cPanel or a FTP client and locate your file.

Once you’ve found it, step three is to find a suitable text editor so that you can add code to the configuration file. We recommend that you use cPanel’s built-in text editor or a desktop specific text editor (such as Notepad) to edit the .htaccess configuration file.

Note: All code will be added to the very top of the .htaccess configuration file to prevent the chances of messing up existing site settings.

Setting IP Restrictions Using Static IP Address

If your IP address doesn’t change frequently or if you access your site from a few, known IP addresses then you can set IP restrictions using the static IP address approach. In this tutorial, you’ll be able to create a safe IP list for those users (IP addresses) who access your WordPress site’s login page.

How to Set IP Restrictions Using Static IP Address

• Open your site’s .htaccess configuration file in cPanel (or any text editor).

• Add the following code to the top of the .htaccess configuration file (Gist is also available).

  RewriteEngine on
  
      RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
  
      RewriteCond %{REMOTE_ADDR} !^12\.345\.678\.90
  
      RewriteCond %{REMOTE_ADDR} !^IP Address InsertTwo$
  
      RewriteCond %{REMOTE_ADDR} !^IP Address InsertThree$
  
  RewriteRule ^(.*)$ - [R=403,L]
  

• Save the .htaccess configuration file.

Editing the Code

All you have to do now is edit line 4 and line 5 (line 9 and line 10 in the Gist) and add the IP addresses that are permitted to access the WordPress login page. To do this, replace IP Address InsertTwo$ and IP Address InsertThree$ with the IP address you want to grant login address to. The IP address you give should be in the format specified in line 3 (line 8 in the Gist).

Adding or Removing Authorized Users

If you’d like to grant login access to more IP addresses you can simply copy-paste RewriteCond %{REMOTE_ADDR} !^IP Address Insert$ and insert the IP address in place of IP Address Insert$. Similarly, if you’d like to grant access to only one or two, then remove the extra RewriteCond %{REMOTE_ADDR} lines from the code.

What Happens When an Unauthorized User Visits the Page?

Now that you’ve set the IP restrictions, when an unauthorized user visits your site’s login page or the wp-admin page they’ll see your current theme’s 404 Error page.

If you follow the Gist, you’ll notice that the code caters for a redirect loop in the first two lines. You’ll have to change your-site's-path in line 1 and line 2 to the correct path of your site.

Setting IP Restrictions Using a Dynamic IP Address

Some of you might have to grant login access to several users whether it’s because your site has many contributors or because you’re running a Multisite network. The fundamental fact is that there are several, dynamically changing IP addresses that need to login to your site’s dashboard.

How to Set IP Restrictions Using a Dynamic IP Address

• Open your site’s .htaccess configuration file in cPanel (or any text editor).

• Add the following code to the top of the .htaccess configuration file (Gist is also available).

      RewriteEngine on
  
      RewriteCond %{REQUEST_METHOD} POST
  
      RewriteCond %{HTTP_REFERER} !^http://(.*)?your-site's-name.com [NC]
  
      RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
  
      RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
  
  RewriteRule ^(.*)$ - [F]
  

• Save the .htaccess configuration file.

Editing the Code

To make code applicable to your site, substitute your-site’s-name.com in line 3 (line 7 in the Gist) with the URL to your WordPress site.

The Gist version of this code also caters for a redirect loop in the first two lines. You’ll have to change your-site's-path in line 1 and line 2 to the correct path of your site. By doing this a 404 Error page will be displayed if your site is thrown into a redirect loop.

Code’s Functionality

This code restricts access to hackers who use brute force attacks to gain access to your WordPress site through bots. Hackers try to access your site externally. Adding this code to the .htaccess configuration file means that only visitors who navigate to the page via your actual site i.e. internally, will be able to access the site’s login page or wp-admin page.

Wrapping It Up

There’s no one solution that will guarantee your site protection from every possible threat,. Setting IP restrictions to the WordPress login page will go a long way to protect your site from brute force attacks.

If you’d like more information on WordPress security, you can read Preventing Brute Force Attacks Against WordPress Websites by Narayan Prusty and Tim Carr’s 10 Tips to Secure WordPress.

Has your WordPress site ever faced a security threat? What measures do you take to protect your site from security threats? Let us know in the comments section below.

Frequently Asked Questions (FAQs) on Setting IP Restrictions to the WordPress Login Page