As a responsible WordPress site owner, securing your admin dashboard should be a top priority. Why? Because the unfortunate reality is that WordPress sites are a constant target for hackers looking to exploit vulnerabilities.
Consider these sobering statistics:
- Over 70% of WordPress installations are vulnerable to attack (Forbes)
- WordPress sites are attacked 44 times per day on average (Websitebuilder.org)
- 90,978 attacks happen per minute on WordPress sites globally (Hostingtribunal.com)
If a hacker were to gain unauthorized access to your WordPress admin account, the consequences could be catastrophic:
- Your site could be defaced or taken offline completely
- Sensitive customer data like names, emails, and addresses could be stolen
- Your site could be injected with malware that infects visitors' devices
- Your server could be hijacked into a botnet for DDoS attacks or crypto mining
- Your SEO rankings could tank due to spam content or malicious redirects
The bottom line? An ounce of prevention is worth a pound of cure when it comes to WordPress security. While no single tactic is 100% foolproof, putting multiple layers of protection in place (aka "defense in depth") will greatly reduce the risk and impact of an admin account compromise.
One highly effective access control method is to restrict WordPress admin access by IP address. By allowing only specific pre-approved IP addresses to even reach the WordPress admin login page, you instantly block the vast majority of malicious login attempts before they start.
How IP Address Restriction Works
Let's briefly go over some networking basics to understand how IP restriction accomplishes this. Every device connected to the internet (computer, smartphone, server, etc.) is assigned a unique numerical identifier called an IP (Internet Protocol) address. Much like a physical street address, IP addresses are used to route data to and from specific devices.
When you log in to your WordPress admin area, that login request gets sent from your device's IP address to your web server. On Apache web servers (which host the majority of WordPress sites), a configuration file called .htaccess has the ability to allow or block web requests based on the originating IP address.
By specifying a whitelist of allowed admin IPs in your .htaccess file, any login requests coming from an IP not on that trusted list will be automatically denied at the server level. Goodbye, brute force attacks and password guessing!
Here's a visual representation of how the process works:
[Diagram: the original article's illustration of the allow/deny flow is not reproduced in this text version.]
This approach is best suited for sites where only a small group of people need admin access, such as business websites, blogs with a single author, or client sites maintained by a freelancer or agency. The more static the IP addresses, the better, as constantly changing IPs will require frequent .htaccess updates.
Step-by-Step Implementation Guide
Ready to armor up your WordPress admin security with IP address restrictions? Here's a complete walkthrough of how to implement this on your site:
Step 1: Make a List of Allowed Admin IP Addresses
First you'll need to gather the IP addresses of every person (including yourself) who will need to access the WordPress admin area. If everyone connects from a single office network, this will be easy.
However, if your team is distributed or works remotely, each person may have multiple IPs to account for (home, office, co-working space, coffee shop wifi, mobile network, VPN, etc). Have everyone visit WhatIsMyIP.com from each location they typically work from and send you the displayed addresses.
Pro tip: Create a spreadsheet to keep track of who is associated with each IP in case you need to update or remove access for someone in the future.
Step 2: Locate Your WordPress .htaccess File
The next step is to find the .htaccess configuration file located in your WordPress site's root directory on your web hosting server. How you access this depends on your hosting setup:
- cPanel: Log in and open the File Manager tool. Navigate to your WordPress directory (often called public_html or www) and enable the option to "Show Hidden Files (dotfiles)". You should then see the .htaccess file.
- FTP: Connect to your server using an FTP client like FileZilla. Browse to your WordPress directory and make sure you've enabled the option to show hidden files. Download a copy of .htaccess to your computer to edit and keep as a backup.
- SSH: Connect to your server via SSH and use the command-line text editor of your choice (nano, vim, etc.) to open .htaccess in your WordPress directory.
If your WordPress site doesn't have an .htaccess file already, you can create a new empty file and name it .htaccess (including the dot at the beginning).
Step 3: Add IP Restriction Code to .htaccess
Once you have your .htaccess file downloaded or opened for editing, add the following lines of code to the very top of the file:
```apacheconf
# Restrict the WordPress login page to approved IPs only.
# The rule is scoped to wp-login.php on purpose: a <FilesMatch ".*"> block
# in the site-root .htaccess would match every file and lock the whole site.
# Block access by default
<Files "wp-login.php">
Order Allow,Deny
Deny from all
</Files>
# Allow only specific IPs (Order Deny,Allow lets these exceptions win)
<Files "wp-login.php">
Order Deny,Allow
Allow from xx.xx.xx.xxx
Allow from xx.xx.xx.yyy
Allow from xx.xx.xx.zzz
</Files>
# To cover the dashboard directory itself, copy the Order/Deny/Allow lines
# (without the <Files> wrapper) into wp-admin/.htaccess, but keep
# wp-admin/admin-ajax.php reachable, since front-end features call it.
# Note: Order/Allow/Deny require mod_access_compat on Apache 2.4; the native
# equivalent is "Require ip xx.xx.xx.xxx xx.xx.xx.yyy" inside the <Files> block.
```
Replace the xx.xx.xx.xxx, xx.xx.xx.yyy, and xx.xx.xx.zzz placeholders with the actual IP addresses you want to allow, one per line. You can add as many Allow from lines as you need.
This code snippet does the following:
- The first block denies access from all IP addresses by default
- The second block overrides that by allowing only the specific whitelisted IPs
The Order directive specifies which rules take precedence if both Allow and Deny apply to a request. We've set it to Deny,Allow so that Apache evaluates the Deny lines first and the Allow lines second, letting the Allow exceptions override the initial "Deny from all" for the listed IPs. Note that under Deny,Allow a request matching neither list is allowed, which is why the explicit "Deny from all" line is required.
Pro tip: Take special care to triple-check that you entered your own IP address correctly before saving the file. If you accidentally lock yourself out, you'll need server file access (via FTP, hosting panel, etc.) to undo the changes.
Once you've added your allowed IPs, save the file. If you downloaded the file locally to edit, re-upload it to your server, overwriting the existing .htaccess file in your WordPress directory.
The changes will take effect immediately without needing to restart your web server. Give it a test by logging in to wp-admin from an allowed IP, and also trying from a non-whitelisted IP (you can use your smartphone with wifi turned off to test with a different IP).
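Steps 1 through 3 can be tied together in a small script so that the whitelist is validated before it ever reaches the server. The Python example below is added here and is not part of the original article: it checks every roster entry with the standard ipaddress module (single addresses or CIDR ranges, so it also covers the subnet case discussed in the FAQ further down), mirrors the snippet's Deny,Allow evaluation so you can see who would get in before uploading the file, refuses to produce a file that would lock out your own IP (the pro tip above), and renders the rule either in the Order/Allow/Deny syntax used in Step 3 or in the Apache 2.4 "Require ip" form. The roster, its names and all addresses are constructed placeholders from the documentation IP ranges, and the function names are this example's own.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed roster in the spirit of the Step 1 spreadsheet: who connects
# from which address or range. Documentation IP ranges only; these are
# placeholders, not real admin addresses.
ADMIN_ROSTER: Dict[str, List[str]] = {
    "alice (office, fixed IP)": ["203.0.113.10"],
    "bob (home, ISP assigns from this block)": ["198.51.100.0/24"],
    "team VPN gateway": ["192.0.2.5"],
}


def parse_allowlist(roster: Dict[str, List[str]]) -> List[ipaddress.IPv4Network]:
    """Validate every entry and return it as a network (/32 for a single host).
    A typo such as 203.0.113.300 fails here, before it reaches .htaccess."""
    nets = []
    for who, entries in roster.items():
        for entry in entries:
            try:
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError as exc:
                raise ValueError(f"bad address for {who!r}: {entry}") from exc
    return nets


def is_allowed(client_ip: str, allowlist: Iterable[ipaddress.IPv4Network]) -> bool:
    """Mirror the snippet's logic (Order Deny,Allow + Deny from all): a client
    is admitted only if it falls inside at least one allowed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowlist)


def fmt(net: ipaddress.IPv4Network) -> str:
    """Single host -> plain address; range -> CIDR. Apache accepts both forms."""
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def render_htaccess(allowlist: List[ipaddress.IPv4Network], apache24: bool = False) -> str:
    """Render the rule scoped to wp-login.php. By default this uses the article's
    Order/Allow/Deny syntax (mod_access_compat on Apache 2.4); apache24=True
    emits the native mod_authz_host form instead."""
    lines = ['<Files "wp-login.php">']
    if apache24:
        lines.append("Require ip " + " ".join(fmt(n) for n in allowlist))
    else:
        lines += ["Order Deny,Allow", "Deny from all"]
        lines += [f"Allow from {fmt(n)}" for n in allowlist]
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


def lockout_check(my_ip: str, allowlist: Iterable[ipaddress.IPv4Network]) -> bool:
    """The pro tip above, enforced: refuse to produce a file that would block
    the operator's own current address."""
    if not is_allowed(my_ip, allowlist):
        raise RuntimeError(f"{my_ip} is not in the allowlist: you would lock yourself out")
    return True


if __name__ == "__main__":
    nets = parse_allowlist(ADMIN_ROSTER)
    lockout_check("203.0.113.10", nets)  # replace with your own current IP
    print(render_htaccess(nets))
```

Run it and paste the printed block at the top of .htaccess; pass apache24=True if your host has dropped mod_access_compat. Because a single host is stored as a /32 network, adding a range for someone on a dynamic ISP block is just another roster entry rather than a separate code path.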
Additional Security Best Practices
As mentioned earlier, IP restrictions alone aren't a complete security solution. For maximum WordPress admin protection, combine IP whitelisting with these other hardening best practices:
- Use strong passwords and force all admins to do the same. Consider implementing a password manager to ensure use of unique, high-strength passwords. (Beginner's Guide to Password Managers)
- Enable two-factor authentication (2FA) for all admin logins. This requires an additional time-based code or physical token for login, even if the password is compromised. (Complete Guide to WordPress Two-Factor Authentication)
- Limit login attempts to prevent brute force attacks. After a certain number of failed logins, the IP gets blocked for a period of time. (Login Lockdown plugin)
- Keep WordPress core, plugins and themes updated. New security patches come out frequently, so enable auto-updates or use a service like ManageWP to stay on top of updates.
- Install an SSL certificate and force HTTPS on all pages. This encrypts login credentials and other sensitive data transmitted between browsers and your server. Many hosts now offer free SSL through Let's Encrypt.
- Regularly back up your WordPress database and files. Store backups offsite so you can quickly restore your site if something does go wrong. Services like VaultPress, BackupBuddy or UpdraftPlus can automate this for you.
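Two of the points above can be checked from the server's access log instead of taken on trust: the test at the end of Step 3 (a request from a non-whitelisted IP should appear as a 403 on wp-login.php) and the failed-login counting behind the "limit login attempts" bullet. The Python example below is added here and is not from the original article or from any plugin; the log lines are constructed in Apache's common log format using documentation IP ranges, and the function names are this example's own. It assumes WordPress's default behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log line: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic). Before 09:00 the .htaccess rule was
# not yet in place and 192.0.2.77 hammers the login form; after 09:00 the rule is
# active, the whitelisted 203.0.113.10 logs in and 198.51.100.23 gets 403s.
SAMPLE_LOG = """\
192.0.2.77 - - [10/Mar/2024:08:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4001
192.0.2.77 - - [10/Mar/2024:08:40:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4001
192.0.2.77 - - [10/Mar/2024:08:40:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4001
192.0.2.77 - - [10/Mar/2024:08:40:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4001
192.0.2.77 - - [10/Mar/2024:08:40:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4001
192.0.2.77 - - [10/Mar/2024:08:40:19 +0000] "POST /wp-login.php HTTP/1.1" 200 4001
203.0.113.10 - - [10/Mar/2024:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3121
203.0.113.10 - - [10/Mar/2024:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.23 - - [10/Mar/2024:09:01:00 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 403 199
198.51.100.23 - - [10/Mar/2024:09:01:02 +0000] "POST /wp-login.php HTTP/1.1" 403 199
198.51.100.23 - - [10/Mar/2024:09:05:00 +0000] "GET /index.php HTTP/1.1" 200 9000
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def login_records(text: str):
    """Yield only the parsed requests that target wp-login.php."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].endswith("/wp-login.php"):
            yield rec


def blocked_login_attempts(text: str) -> Counter:
    """Per-IP count of wp-login.php requests the IP rule rejected (HTTP 403).
    This is the server-side confirmation that the Step 3 test worked."""
    return Counter(r["ip"] for r in login_records(text) if r["status"] == 403)


def brute_force_sources(text: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> list:
    """IPs with more than `threshold` login POSTs that reached WordPress inside
    any span of length `window`: the tally a limit-login plugin keeps before it
    blocks an IP. 302 (successful login) and 403 (already blocked) are skipped."""
    recent = defaultdict(deque)
    flagged = set()
    for r in login_records(text):  # assumes lines are in chronological order
        if r["method"] != "POST" or r["status"] in (302, 403):
            continue
        q = recent[r["ip"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()  # slide the window forward
        if len(q) > threshold:
            flagged.add(r["ip"])
    return sorted(flagged)


if __name__ == "__main__":
    print("blocked by IP rule:", dict(blocked_login_attempts(SAMPLE_LOG)))
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
```

Point it at your real access log (the file name varies by host; on many cPanel setups it is exposed under "Raw Access") to see the same two views: 403 counts prove the whitelist is being enforced, and the sliding-window count shows what a limit-login plugin would have locked out on a site that cannot use IP restriction.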
Frequently Asked Questions
Still have questions about implementing IP restrictions on your WordPress site? Here are answers to some common concerns and edge cases:
What if I don't have a static IP address?
This is a very common issue, especially for home offices or remote workers. Many ISPs assign dynamic IP addresses that can change at any time, especially after a modem reboot. Some possible workarounds:
- Check with your ISP about upgrading to a static IP address. There's usually an additional monthly charge for this, but it may be worth it if you need reliable admin access.
- Set up a VPN (virtual private network) with a static IP that all your admins can connect to. TeamViewer provides an easy way to do this.
- Whitelist entire IP ranges if you know the subnets your team's IPs belong to. For example, allowing 192.168.1.0/24 will whitelist all IPs between 192.168.1.1 and 192.168.1.254.
- Instead of (or in addition to) IP restrictions, require admin logins to use HTTPS client certificates. This is a more advanced two-factor authentication method not tied to IPs.
Will IP restriction affect normal visitors to my WordPress site?
No, as long as the rule is scoped to wp-login.php and the wp-admin directory rather than to every file (a <FilesMatch ".*"> block in the site-root .htaccess would lock the whole site). Regular visitors to your homepage and other content pages will be unaffected. If subscriber-level users also need to log in, leave wp-login.php open and restrict only the wp-admin directory, keeping wp-admin/admin-ajax.php reachable because front-end features call it.
Should I use a plugin instead of .htaccess?
There are several WordPress security plugins like iThemes Security and Wordfence that offer similar IP whitelisting/blacklisting functionality. While these can work in a pinch, it's generally more secure and efficient to block at the server level with .htaccess rather than adding another (potentially vulnerable) WordPress plugin.
The .htaccess method will block unauthorized users before WordPress itself loads, reducing server load. That said, security plugins offer other helpful features like malware scanning and 2FA, so it's not necessarily an either/or choice.
Can I access wp-admin if I'm using a VPN or Tor?
Yes, simply whitelist the IP address of your VPN server or Tor exit node. Keep in mind these may change frequently. Some VPN providers like NordVPN offer dedicated static IPs as an add-on.
Conclusion
Securing your WordPress site is an ongoing process, not a one-time event. But implementing even basic access controls like IP address restrictions can go a long way toward hardening your admin area against unauthorized intrusion.
By allowing only trusted IPs to access wp-admin, you add an extra layer of protection that blocks most automated attacks and casual hacking attempts. No security method is 100% foolproof, but IP whitelisting combined with strong password hygiene, two-factor authentication and regular updates will substantially reduce your risk.
So take control of your WordPress security today. A few minutes of prevention can save you countless hours of headache (and possibly thousands of dollars) cleaning up a hacked site down the road.
Stay safe out there!
