
Restrict WordPress Admin Access to Specific IP Addresses on Apache Webservers

Craig Marolf
Web Developer and Marketing Strategist
Published on October 22, 2024

Restricting access by IP address in the .htaccess file is an effective way to lock down the wp-admin area of a WordPress site, enhancing security with minimal effort. With this approach, only the IP addresses you specify can reach the wp-admin directory and wp-login.php; requests from any other address are refused, which locks out unauthorized users.

Steps to Restrict Access by IP Address Using .htaccess:

Access the .htaccess File:

  • The .htaccess file is located in the root directory of your WordPress installation. If it’s not there, you can create it.
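  • Use an FTP client, a file manager in your hosting control panel, or a code editor to open and edit the .htaccess file.

# Allow wp-login.php only from the listed addresses.
# Replace xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy with the IP addresses to allow.
# Order/Deny/Allow is Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat.
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
Allow from yyy.yyy.yyy.yyy
</Files>

# Return 403 for any /wp-admin request whose client address is not listed.
# mod_rewrite directives are not supported inside <Files>/<FilesMatch>,
# so the rules sit directly in the .htaccess file.
# REMOTE_ADDR is the connecting peer, so behind a reverse proxy or CDN
# it is normally the proxy's address.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-admin
    RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
    RewriteCond %{REMOTE_ADDR} !^yyy\.yyy\.yyy\.yyy$
    RewriteRule ^ - [F]
</IfModule>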
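
To check an edited rule set before uploading it, the following added example (not part of the original article) extracts the RewriteCond %{REMOTE_ADDR} patterns from .htaccess text, flags patterns that match more than one exact address, and reports whether a given client address would receive the 403. The sample rules, the documentation-range addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample: the article's wp-admin rules with documentation-range
# addresses filled in. The second pattern deliberately omits the escaping
# and the trailing $ to show what the checks catch.
SAMPLE_HTACCESS = r"""
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-admin
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
    RewriteCond %{REMOTE_ADDR} !^198.51.100.7
    RewriteRule ^ - [F]
</IfModule>
"""

# Negated REMOTE_ADDR conditions; the pattern after "!" is an allowed address.
COND = re.compile(r"^\s*RewriteCond\s+%\{REMOTE_ADDR\}\s+!(\S+)", re.M)

def allowed_patterns(htaccess: str) -> list[str]:
    """Return the negated REMOTE_ADDR patterns, i.e. the allow list."""
    return COND.findall(htaccess)

def lint(pattern: str) -> list[str]:
    """Report ways a pattern can match more than one exact address."""
    problems = []
    if not pattern.startswith("^"):
        problems.append("missing ^ anchor")
    if not pattern.endswith("$"):
        problems.append("missing $ anchor")
    if re.search(r"(?<!\\)\.", pattern):
        problems.append("unescaped dot matches any character")
    return problems

def is_forbidden(htaccess: str, client_ip: str) -> bool:
    """For a /wp-admin request: True when every negated condition holds,
    so the 403 rule fires. Python's re stands in for Apache's PCRE here."""
    return all(re.search(p, client_ip) is None
               for p in allowed_patterns(htaccess))

if __name__ == "__main__":
    for p in allowed_patterns(SAMPLE_HTACCESS):
        print(p, lint(p) or "ok")
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7", "198.51.100.77"):
        print(ip, "403" if is_forbidden(SAMPLE_HTACCESS, ip) else "allowed")
```

In the sample, 198.51.100.77 is let through because the second pattern lacks the closing $, which is the kind of mistake that is easy to make when replacing the placeholders by hand.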

Important Considerations:

  • Dynamic IP Addresses: If you or other authorized users have dynamic IP addresses, this method can be inconvenient as the IPs may change frequently. In such cases, consider using a VPN with a static IP or another security method.
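  • Back Up the .htaccess File: Before making any changes, it’s a good idea to back up the .htaccess file in case you need to revert your changes.
  • Compatibility: Ensure that the mod_rewrite module is enabled on your server, as the wp-admin rules rely on it. Because those rules are wrapped in <IfModule mod_rewrite.c>, they are skipped without any error when the module is missing, which leaves wp-admin unrestricted.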

Alternative Security Measures:

  • Two-Factor Authentication (2FA): Adding 2FA to your WordPress login page adds an extra layer of security without relying on IP blocking.
  • Limit Login Attempts: Use a plugin to limit the number of login attempts, which can reduce the risk of brute-force attacks.
  • Security Plugins: Plugins like Wordfence or Sucuri offer additional features for securing the wp-admin area, such as country blocking, firewall rules, and more.

Restricting access by IP address via the .htaccess file is a strong method to protect your WordPress admin area, especially when combined with other security measures.