There are several different methods you can use to protect the WordPress admin dashboard (wp-admin directory) from hackers. One of them is to enable HTTP authentication using an .htaccess file, i.e. to password protect the WordPress wp-admin directory. You can even go one step further. If your internet connection has a fixed IP address and you always access your WordPress admin dashboard from the same location, it is also recommended to restrict access to the WordPress wp-admin directory to your IP address only via an .htaccess file.
.htaccess file directives to restrict access to wp-admin directory
If you already have an .htaccess file in your wp-admin directory, download it using an FTP client and add the example below at the end of the file. If you do not have an .htaccess file in your wp-admin directory, simply create a new one.
Restrict WordPress dashboard to a single IP address
    order deny,allow
    # Replace the below 192.168.5.1 with your IP address
    deny from all
    allow from 192.168.5.1
In the above example, we are allowing only IP address 192.168.5.1 to access the WordPress admin dashboard (wp-admin directory). Remember to change the IP address (192.168.5.1) to your public IP address. If you are not sure what your IP address is, Google “What is my IP address”.
Restrict WordPress dashboard to multiple IP addresses
To allow more than one IP address to access the WordPress admin dashboard (wp-admin directory), add a new allow from [IP ADDRESS] line for each additional address after the deny from all line, as shown in the example below.
    order deny,allow
    # Replace the below 192.168.5.1 with your IP address
    deny from all
    allow from 192.168.5.1
    allow from 10.130.130.7
In the above example, we are allowing access to both IP addresses 192.168.5.1 and 10.130.130.7. You can add as many IP addresses as you like.
Restricting access to other directories
The same .htaccess file directives can be used to restrict access by IP address to any other WordPress or website directory. To do so, simply upload the .htaccess file with the restrictions to the directory you would like to restrict access to.
WP White Security Security Tip: Protecting your WordPress admin dashboard (wp-admin directory) by IP address restriction alone is not enough since IP addresses can be spoofed. It is recommended to password protect the WordPress wp-admin directory and also restrict access to it via IP address.
If you change your internet service provider, your IP address will change. If you do, remember to update your .htaccess file with the correct IP address.
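The following is an added example, not part of the original article: a wp-admin/.htaccess that applies both layers recommended in the tip above (password and IP restriction) using Apache 2.4 Require syntax, since the order/deny/allow directives shown earlier only work on Apache 2.4 when mod_access_compat is loaded. The password file path and realm name are assumptions; the IP addresses are the article's sample values.

```apache
# wp-admin/.htaccess (added example, Apache 2.4 / mod_authz_core)
# Assumed values: AuthUserFile path and AuthName text. Replace the
# sample IP addresses with your own, as in the examples above.

AuthType Basic
AuthName "WordPress admin"
# Keep the password file outside the web root.
# Create it with: htpasswd -c /home/example/.htpasswd-wpadmin <username>
AuthUserFile /home/example/.htpasswd-wpadmin

# Both conditions must hold: an allowed source IP AND a valid login.
<RequireAll>
    <RequireAny>
        Require ip 192.168.5.1
        Require ip 10.130.130.7
    </RequireAny>
    Require valid-user
</RequireAll>

# Themes and plugins call admin-ajax.php from the public site on behalf
# of ordinary visitors, so this one file is left reachable without the
# IP restriction or password. Omit this section if the site does not
# use front-end AJAX.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

After uploading, request /wp-admin/ from a connection that is not on the list and confirm the server answers 403 before any password prompt appears.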
In case you want to learn more tips and strategies to help you harden your WordPress website, read the definitive guide about WordPress security & hardening.