Are you concerned about the security of your WordPress admin area? If you manage a small team, one effective strategy is to restrict access exclusively to the IP addresses used by team members. In this guide, we’ll walk you through the process step by step.
Why Restrict WordPress Admin Access by IP Address?
Running a WordPress site requires prioritizing security. While WordPress itself is secure, additional measures can safeguard your site against hackers and malicious attacks. Hackers can not only disrupt your website but also compromise sensitive data, distribute malware to your visitors, and damage your site’s reputation.
One proactive security measure is to limit access to your WordPress admin area (wp-admin) and login page solely to specific IP addresses used by trusted team members. This way, even if a hacker gains access to usernames and passwords, they won’t be able to log in from unauthorized locations.
Instead, they’ll encounter a ‘Forbidden’ error message, denying them access to sensitive backend functions.
How to Restrict WordPress Admin Access by IP Address
Step 1: Compile a List of IP Addresses
Begin by compiling a list of IP addresses that your team members use to connect to your WordPress site. If team members work from multiple locations, gather the IP addresses for each location. They can easily find their IP address by visiting websites like SupportAlly.
Step 2: Access and Edit Your .htaccess File
To implement IP address restrictions, you’ll need to access your website’s server files using an FTP client or your hosting provider’s file manager. If you’re new to FTP, refer to our guide on uploading files to WordPress via FTP.
Navigate to the /wp-admin/ folder on your server. Look for the .htaccess file; it might be hidden, so ensure your FTP client shows hidden files.
- If the .htaccess file doesn’t exist, create a new file named .htaccess within the /wp-admin/ folder.
- Warning: Avoid editing your site’s root .htaccess file to prevent inadvertently blocking access to your site’s frontend.
Before making changes, download a backup of the .htaccess file to your computer.
Step 3: Apply IP Address Restrictions
Edit the .htaccess file and insert the following code snippet:
# No <Limit> wrapper: the rules apply to every request method, not only GET.
# Order/Deny/Allow is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for it.
order deny,allow
deny from all
# whitelist IP address 1
allow from xxx.xxx.xxx.xxx
# whitelist IP address 2
allow from xxx.xxx.xxx.xxx
# whitelist IP address 3
allow from xxx.xxx.xxx.xxx
# whitelist IP address 4
allow from xxx.xxx.xxx.xxx
# whitelist IP address 5
allow from xxx.xxx.xxx.xxx
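Replace each xxx.xxx.xxx.xxx with an IP address from your list, and delete any lines you don’t need. This configuration ensures only specified IP addresses can access the WordPress admin area. The file applies only to the /wp-admin/ folder: wp-login.php sits in the site root and is not covered by it. The rules also apply to /wp-admin/admin-ajax.php, so front-end features that call it can stop working for visitors outside the list.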
Save the .htaccess file. Note that if your IP address changes or you need to access your site from a new location, you’ll need to update the .htaccess file accordingly to avoid being locked out.
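A pre-upload check for the file from Step 3, as an added example that is not part of the original guide: it lists the networks the file would allow and flags entries that would lock you out or leave the folder open. The function name audit_htaccess and the sample file are constructed here, and the check assumes every entry is a full IP address or CIDR range, as in this guide.

```python
import ipaddress
import re

# Constructed sample in the Order/Deny/Allow style, wrapped in <Limit GET>,
# with documentation-range addresses, one mistyped address and one placeholder.
SAMPLE = """\
<LIMIT GET>
order deny,allow
deny from all
# whitelist IP address
allow from 203.0.113.10
allow from 198.51.100.0/24
allow from 203.0.113.300
allow from xxx.xxx.xxx.xxx
</LIMIT>
"""

def audit_htaccess(text):
    """Return (allowed_networks, findings) for an Order/Deny/Allow rule set."""
    allowed, findings, deny_all = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        limit = re.match(r"<limit\s+([^>]*)>", line, re.I)
        if limit:
            methods = {m.upper() for m in limit.group(1).split()}
            if "POST" not in methods:
                findings.append(f"line {lineno}: <Limit> covers only "
                                f"{sorted(methods)}; POST requests skip these rules")
        elif re.fullmatch(r"deny\s+from\s+all", line, re.I):
            deny_all = True
        elif re.match(r"allow\s+from\s", line, re.I):
            # Assumption: entries are full IPs or CIDR ranges, as in the guide.
            for token in line.split()[2:]:
                try:
                    net = ipaddress.ip_network(token, strict=False)
                    allowed.append(str(net))
                except ValueError:
                    findings.append(f"line {lineno}: {token!r} is not a valid "
                                    "IP address or CIDR range")
    if not deny_all:
        findings.append("no 'deny from all': the allow list restricts nothing")
    return allowed, findings

if __name__ == "__main__":
    nets, problems = audit_htaccess(SAMPLE)
    print("allowed:", nets)
    for p in problems:
        print("finding:", p)
```

Run it against the edited file before uploading and confirm your own current address falls inside one of the listed networks.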
Implementing these steps will enhance the security of your WordPress admin area by limiting access to authorized IP addresses only, reducing the risk of unauthorized access and potential security breaches.