If you’re running a WordPress website, security is a major concern, especially if you are new to WordPress and managing everything on your own.
In this article on how to restrict WordPress admin access by IP address, I’ve outlined everything you need to know to help secure your website.
Many websites contain valuable data, such as customer information, financial information, and intellectual property. This data can be very valuable to hackers, which makes websites a lucrative target.
A data breach can become a big-time headache for a website owner. In addition to the cost of repairing the damage, website owners may also face legal penalties and loss of customers.
Considering the increasing number of cyberattacks, this article can be a great resource for you to help you secure your WordPress website.
You may also like:
- 15 WordPress Security Tips: Prevent WordPress XMLRPC Attacks
- How to Secure Nginx Server with Fail2Ban on Ubuntu Server
Importance of Restricting WordPress Admin Access
To protect your website from unauthorized access
If someone gains access to your WordPress admin area, they can do anything they want to your website, including changing your content, deleting your files, or even installing malware. By restricting access to your admin area, you can make it much more difficult for unauthorized users to gain access to your website.
To improve your website’s security
One of the most common ways hackers gain access to websites is by guessing passwords. By restricting access to your admin area to a known set of IP addresses, a guessed password alone is no longer enough: the attacker would also have to be connecting from an address you have allowed, which makes password-guessing attacks far less useful.
To improve your website’s performance
When you have a lot of users accessing your admin area, it can put a strain on your website’s resources. By restricting access to your admin area, you can reduce the number of users who are accessing it, which can improve your website’s performance.
To improve your website’s privacy
If you have sensitive information on your website, such as customer data or financial information, you need to take steps to protect it. By restricting access to your admin area, you can help to protect this information from unauthorized access.
How to Restrict WordPress Admin Access by IP Address
To restrict WordPress admin access by IP address, follow these steps:
Step 1: Make a List of IP Addresses
First of all, you need to make a list of IP addresses that you and your team will be using to access the WordPress admin area.
There are several ways of finding these IP addresses. Here are a few methods:
Using a web browser
Open a web browser and go to a website that displays your IP address, such as WhatIsMyIPAddress.com or SupportAlly. Your public IP address will be displayed on the page.
Using the command prompt
Open the Command Prompt in Windows, type the following command, and press Enter:
ipconfig /all
If you’re on a Mac, open the Terminal app, type the following command, and hit Return:
ipconfig getifaddr en0
Note: These commands show the address of your local network interface. If you’re behind a home or office router (NAT), the web server sees your public IP address instead, which is the one the browser method above displays and the one you need for the allow rules.
Step 2: Back Up the .htaccess or Nginx Virtual Host File
To restrict the WordPress admin area, we need to adjust the configuration in the .htaccess file.
If you make a change to the .htaccess file incorrectly, it can break your website. That’s why it’s always recommended to back up the .htaccess file before making any changes.
Using a file manager
- Log in to your hosting account and access your file manager.
- Go to the /public_html/ folder.
- Right-click on the .htaccess file and select “Download”.
Using an SFTP client
- Connect to your hosting account using an SFTP client.
- Go to the /public_html/ folder.
- Right-click on the .htaccess file and select “Download”.
Note: If you’re using Nginx, back up the Nginx virtual host file inside the /etc/nginx/sites-available/ directory instead.
Step 3: Allow Access to the WordPress Admin Area from Specific IPs
For Apache
Here are the steps on how to restrict WordPress admin access by IP address using .htaccess:
- Log in to your hosting account and access your file manager.
- Open the wp-admin directory and create a new file called .htaccess (if one already exists there, edit it instead).
- Insert this code into the wp-admin/.htaccess file:
order deny,allow
allow from x.x.x.x
deny from all
Replace x.x.x.x with your IP address.
Note: Order, Allow and Deny are the Apache 2.2 access-control directives. Apache 2.4 still accepts them through mod_access_compat; its native equivalent for the same allowlist is a single “Require ip x.x.x.x” line. Also keep in mind that this file only protects the /wp-admin/ directory: wp-login.php lives in the site root, so if you want the login page itself restricted, add the same rules inside a <Files wp-login.php> section of the root .htaccess.
You need to add a new “allow” line to your .htaccess file for each additional admin you want to grant access. Here is an example of how you would do this:
order deny,allow
allow from x.x.x.x
allow from xx.xx.xx.xx
allow from xxx.xx.xx.xx
allow from xx.xxx.xxx.xx
deny from all
This code blocks all requests to the /wp-admin/ directory except those coming from the IP addresses x.x.x.x, xx.xx.xx.xx, xxx.xx.xx.xx and xx.xxx.xxx.xx.
After you have saved the .htaccess file, you need to test the changes. You can do this by trying to open the /wp-admin/ page in your browser.
If you are able to access the page from the IP addresses that you have specified, and get a 403 Forbidden error from any other address, then the code has worked successfully.
If you’re using Nginx on Linode, DigitalOcean, Vultr, or AWS (through SSH)
If you’re on Nginx, restricting the WordPress admin area can be a bit tricky. However, it is very flexible, and once you understand it, you will enjoy working with Nginx.
For this explanation, I assume that you already know the location of your Nginx virtual host file and have a basic understanding of Nginx location blocks.
Log in to your server using the SSH credentials and navigate to the virtual host directory by running the following command:
cd /etc/nginx/sites-available/
This is the default Nginx directory where virtual host files are stored.
Next, edit the virtual host file by running the following command:
sudo vim example.com
Replace example.com with your website address or the name of the virtual host that you gave while configuring WordPress.
The virtual host of a WordPress configuration should have a location block that looks something like this:
location ~ \.php$ {
    include fastcgi.conf;
    fastcgi_intercept_errors on;
    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
}
Note: The PHP version in the fastcgi_pass socket path may vary depending on the version you have installed on your server.
Now, modify the location block so that it looks like the one below:
location ~ \.php$ {
    # Nested block: only the login script gets the IP restriction.
    # The regex is anchored so it matches /wp-login.php exactly.
    location ~ ^/wp-login\.php$ {
        allow x.x.x.x;
        deny all;
        # fastcgi_pass is not inherited by nested locations,
        # so the FastCGI settings are repeated here.
        include fastcgi.conf;
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }
    include fastcgi.conf;
    fastcgi_intercept_errors on;
    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
}
As you can see, the nested location block now has an allow directive that lets only the IP address x.x.x.x reach the wp-login.php script; every other client receives a 403 response.
Replace x.x.x.x with the IP address from which you want to access the WordPress admin area. Before reloading Nginx, check the configuration for syntax errors with nginx -t, since a mistake here will take the whole site down.
Once you have saved the Nginx configuration file, you need to test the changes. You can do this by trying to access the WordPress admin area from the IP address that you have specified.
If you are able to access the admin area, then the code has worked successfully.
Step 4: Block certain IP addresses from logging into your WordPress Admin Area
Similar to authorizing a particular IP address to access your WordPress admin area, you can also block specific IP addresses from logging into it.
Malicious bots can be a real nuisance, but they can be easily blocked once you identify them in your log file. Here are the steps on how to do it:
- Log in to your hosting account and access your web server’s access log (the log file is usually located in the /var/log/ directory on your hosting server).
- Look for the entries that show failed login attempts.
- Identify the IP addresses that are making the failed login attempts.
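One way to carry out the last two steps (finding the failed logins and the IP addresses behind them) is to scan the access log programmatically. The Python script below is an added example, not code from the original article. The log lines in it are constructed samples in the common “combined” log format, and the heuristic it applies is that a failed WordPress login is a POST to wp-login.php answered with HTTP 200 (the form is re-rendered), whereas a successful login is answered with a 302 redirect to the dashboard. The function names failed_logins_by_ip and deny_rules are this example’s own.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
# 198.51.100.23 fails three times, 203.0.113.10 logs in successfully,
# 192.0.2.77 fails once and then probes xmlrpc.php.
SAMPLE_LOG = """\
198.51.100.23 - - [10/May/2024:08:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2024:08:01:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2024:08:01:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:08:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:08:02:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:08:02:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.77 - - [10/May/2024:08:03:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
192.0.2.77 - - [10/May/2024:08:03:31 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
"""

# Client IP, request method, request path and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def failed_logins_by_ip(log_text: str) -> Counter:
    """Count, per client IP, the POST requests to /wp-login.php answered with 200.

    WordPress re-renders the login form (HTTP 200) when the credentials are wrong
    and redirects (HTTP 302) when they are right, so this is a usable heuristic
    for failed logins without needing a plugin. Plain GETs of the form are ignored.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?")[0]  # drop query strings such as ?action=...
        if m["method"] == "POST" and path == "/wp-login.php" and m["status"] == "200":
            counts[m["ip"]] += 1
    return counts


def deny_rules(counts: Counter, threshold: int = 3):
    """Render the Step 4 blocklist for every IP at or above the failure threshold.

    Returns the .htaccess text and the sorted list of blocked addresses so the
    operator can review the list before pasting it into wp-admin/.htaccess.
    """
    offenders = sorted(ip for ip, n in counts.items() if n >= threshold)
    lines = ["Order allow,deny"] + [f"Deny from {ip}" for ip in offenders] + ["Allow from all"]
    return "\n".join(lines) + "\n", offenders


if __name__ == "__main__":
    counts = failed_logins_by_ip(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} failed login(s)")
    text, offenders = deny_rules(counts, threshold=3)
    print(text)
```

Run it against a real file with failed_logins_by_ip(open("/var/log/apache2/access.log").read()) (the path varies by host). The threshold keeps a single mistyped password by a legitimate user from producing a block, and the 200-versus-302 rule is a heuristic: review the offenders list before deploying it, and prefer the allowlist from Step 3 where your team’s addresses are stable.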
Now use the following code to block IP addresses from accessing your WordPress admin area:
order allow,deny
deny from 123.45.67.89
allow from all
The code above blocks the IP address 123.45.67.89 from accessing your WordPress admin area while leaving every other address allowed.
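Notice that the allowlist in Step 3 uses “order deny,allow” while the blocklist above uses “order allow,deny”; getting that line wrong is the most common way these rules lock everyone out or let everyone in. To make the decision rule concrete, here is a small Python emulation of how Apache (mod_access_compat) resolves Order, Allow and Deny for a single client. It is an added example and not part of the original article; it covers both the Step 3 allowlist and the Step 4 blocklist, the helper names evaluate_access and render_allowlist are this example’s own, and the addresses in it (203.0.113.10, 198.51.100.0/24, 192.0.2.5, 123.45.67.89) are documentation ranges or values taken from the article, used only for illustration.

```python
import ipaddress


def _rule_matches(rule: str, client) -> bool:
    """True when an Allow/Deny 'from' argument covers the client address.

    Supports 'all', single addresses and CIDR networks. Apache also accepts
    partial addresses such as '10.1' and hostnames; this emulation does not.
    """
    if rule.lower() == "all":
        return True
    try:
        return client in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return False  # unsupported or malformed rule never matches


def evaluate_access(htaccess: str, client_ip: str) -> bool:
    """Emulate mod_access_compat's Order/Allow/Deny decision for one client.

    Returns True if the request would be served and False if Apache would
    answer 403 Forbidden.
    """
    client = ipaddress.ip_address(client_ip)
    order = None
    allows, denies = [], []
    for raw in htaccess.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif directive in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allows if directive == "allow" else denies).extend(parts[2:])
    allowed = any(_rule_matches(r, client) for r in allows)
    denied = any(_rule_matches(r, client) for r in denies)
    if order == "deny,allow":
        # Deny rules are checked first; a matching Allow overrides them, and a
        # client that matches neither list is permitted.
        return allowed or not denied
    if order == "allow,deny":
        # Allow rules are checked first and at least one must match; a matching
        # Deny then rejects, and a client that matches neither list is refused.
        return allowed and not denied
    raise ValueError("missing or unsupported Order directive")


def render_allowlist(admin_ips) -> str:
    """Build the wp-admin/.htaccess allowlist from Step 3, validating each
    address so a typo fails loudly instead of silently locking you out."""
    lines = ["Order deny,allow"]
    for ip in admin_ips:
        ipaddress.ip_network(ip, strict=False)  # raises ValueError on garbage
        lines.append(f"Allow from {ip}")
    lines.append("Deny from all")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    allowlist = render_allowlist(["203.0.113.10", "198.51.100.0/24"])
    print(allowlist)
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.5"):
        print(ip, "allowed" if evaluate_access(allowlist, ip) else "403 Forbidden")
```

Feeding the emulation an allowlist written with “Order allow,deny” shows the pitfall: “Deny from all” then matches every client, including the allowed one, so everybody gets a 403. Apache 2.4’s native “Require ip” form has no such ordering trap, which is one reason to prefer it when mod_access_compat is not needed.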
Additional Resources
- The Complete Cyber Security Course: Hackers Exposed!
- WordPress Security – How To Stop Hackers
- Protect and Clean your WordPress website: WordPress Security
- WordPress Security Masterclass – Defeat Hackers & Malware
Conclusion
By following the steps above, you can restrict WordPress admin access without installing a WordPress plugin that might slow down your website.
I hope you found this tutorial on how to restrict WordPress admin access by IP address useful.