Use htaccess to Restrict Access to WordPress wp-admin via IP address

Last updated on February 23rd, 2016 by Robert Abela. Filed under WordPress Security Hacks

There are several different methods you can use to protect the WordPress admin dashboard (wp-admin directory) from hackers. One of them is to enable HTTP authentication using an .htaccess file, i.e. to password protect the WordPress wp-admin directory. You can even go one step further: if your internet connection has a fixed IP address and you always access your WordPress admin dashboard from the same location, it is also recommended to restrict access to the wp-admin directory to your IP address only via an .htaccess file.


htaccess file directives to restrict access to wp-admin directory

If you already have an .htaccess file in your wp-admin directory, download it using an FTP client and add the below example at the end of the file. If you do not have an .htaccess file in your wp-admin directory, simply create a new one.

Restrict WordPress dashboard to a single IP address

order deny,allow
deny from all
# Replace the below 192.168.5.1 with your IP address
allow from 192.168.5.1

In the above example, we are allowing only IP address 192.168.5.1 to access the WordPress admin dashboard (wp-admin directory). Remember to change the IP address (192.168.5.1) to your public IP address. If you are not sure what your IP address is, Google “What is my IP address”.

Restrict WordPress dashboard to multiple IP addresses

To allow access to the WordPress admin dashboard (wp-admin directory) to more than one IP address, add a new allow from [IP ADDRESS] line before the last deny from all line as shown in the below example.

order deny,allow
deny from all
# Replace the below 192.168.5.1 and 10.130.130.7 with your IP addresses
allow from 192.168.5.1
allow from 10.130.130.7

In the above example, we are allowing access to both IP addresses 192.168.5.1 and 10.130.130.7. You can add as many IP addresses as you like.

Restricting access to other directories

The same htaccess file directives can be used to restrict access via IP address to any other WordPress or website directory. To do so, simply upload the .htaccess file with the restrictions to the directory you would like to restrict access to.

WP White Security Security Tip: Protecting your WordPress admin dashboard (wp-admin directory) by restricting IP addresses only is not enough, since IP addresses can be spoofed. It is recommended to password protect the WordPress wp-admin directory and also restrict access to it via IP address.

If you change your internet service provider, your IP address will change. If you do, remember to update your .htaccess file with the correct IP address.
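The security tip above recommends using the password and the IP restriction together. The following .htaccess is an added example, not part of the original article, showing one way to require both on Apache 2.4 and on Apache 2.2; the password file path is a placeholder and the addresses are the article's sample values.

```apache
# wp-admin/.htaccess: added example, not from the original article.
# Assumptions: /home/example/.htpasswd is a placeholder path to a password
# file created with the htpasswd utility, stored outside the web root.
# 192.168.5.1 and 10.130.130.7 are the article's sample addresses.
# The server must permit these directives here (AllowOverride AuthConfig Limit).

AuthType Basic
AuthName "WordPress admin"
AuthUserFile /home/example/.htpasswd

# Apache 2.4 and later (mod_authz_core): both conditions must hold.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require valid-user
        Require ip 192.168.5.1 10.130.130.7
    </RequireAll>
</IfModule>

# Apache 2.2: same policy with the older directives used in this article.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 192.168.5.1
    Allow from 10.130.130.7
    Require valid-user
    # Satisfy All means the IP check AND the password check must both pass.
    Satisfy All
</IfModule>
```

Send the password over HTTPS only, since Basic authentication credentials are merely base64-encoded on the wire.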


5 comments

Nikita 14/05/2015

Thank you. Your advice helped me. Finally I found a working code

Sue 22/02/2016

Is the coding correct? It says: order deny,allow

but then the allowed ips come before the denied ips in the coding below. Should it say: order allow,deny ?

Robert Abela 23/02/2016

Hello Sue, the order in which the directives are written does not really affect this. The directive Order Deny, Allow means that by default IPs will be denied unless specifically allowed. If you use Deny Allow, Deny by default the web server will allow all IPs and expect you to specify which ones should be denied access. Trust this answers your question.

Tanja 26/04/2016

Hello, I used your tips for blocking a whole country. The thing is I am currently in that country and I want to allow myself access to wp-admin from anywhere and block it for everyone else. Is that possible? Thanks

Robert Abela 26/04/2016

Yes it is possible. You can block the whole subnet and specifically allow the IP you want to allow access. Contact us on support@wpwhitesecurity.com if you need assistance on this one.
