Use htaccess to Restrict Access to WordPress wp-admin via IP address

Last updated on January 20th, 2023 by Robert Abela. Filed under WordPress Security Tutorials & Tips

There are several different methods you can use to protect the WordPress admin dashboard (wp-admin directory) from hackers. One of them is to enable http authentication using an htaccess file i.e. password protect the WordPress wp-admin directory. You can even go one step further. If your internet connection has a fixed IP address and you always access your WordPress admin dashboard from the same location, it is also recommended to restrict access to the WordPress wp-admin directory to your IP address only via an .htaccess file.

New to htaccess? Check out our Definitive Guide to htaccess and WordPress!

htaccess file directives to restrict access to wp-admin directory

If you already have an .htaccess file in your wp-admin directory, using an FTP client download your existing .htaccess file and add the below example at the end of the .htaccess file. If you do not have an .htaccess file in your wp-admin directory, then simply create a new one.

Restrict Wordress dashboard to a single IP address

order deny,allow
# Replace the below with your IP address
deny from all
allow from

In the above example, we are allowing only IP address to access the WordPress admin dashboard (wp-admin directory). Remember to change the IP address ( to your public IP address. If you are not sure what is your IP address, Google “What is my IP address”.

Restrict Wordress dashboard to multiple IP addresses

To allow access to the WordPress admin dashboard (wp-admin directory) to more than one IP address, add a new allow from [IP ADDRESS] line before the last deny from all line as shown in the below example.

order deny,allow
# Replace the below with your IP address
deny from all
allow from
allow from

In the above example, we are allowing access to both IP addresses and You can add as many IP addresses as you like.

Restricting access to other directories

The same htaccess file directives can be used to restrict access via IP address to any other WordPress or website directory. To do so, simply upload the .htaccess file with the restrictions to the directory you would like to restrict access to.

WP White Security Security Tip: Protecting your WordPress admin dashboard (wp-admin directory) by restricting IP addresses only is not enough since IP addresses can be spoofed. It is recommended to password protect WordPress wp-admin directory and also restrict access to it via IP address.

If you change your internet service provider your IP address will be changed. In case you do, remember to update your .htaccess file with the correct IP address.

In case you want to learn more tips and strategies to help you harden your WordPress website, read the definitive guide about WordPress security & hardening.


Nikita 14/05/2015

Thank you. Your advice helped me. Finally I found a working code

Sue 22/02/2016

Is the coding correct? It says: order deny,allow

but then the allowed ips come before the denied ips in the coding below. Should it say: order allow,deny ?

Robert Abela 23/02/2016

Hello Sue, the order in which the directives are written does not really affect this. The directive Order Deny, Allow means that by default IP’s will be denied unless specifically allowed. If you use Deny Allow, Deny by default the web server will allow all IP’s and expect you to specific which ones should be denied access. Trust this answers your question.

Tanja 26/04/2016

Hello, I used your tips for blocking a whole country. The thing is I am currently in that country and I want to allow myself access to wp-admin from anywhere and block it for everyone else. Is that possible? Thanks

Robert Abela 26/04/2016

Yes it is possible. You can block the whole subnet and specifically allow the IP you want to allow access. Contact us on if you need assistance on this one.

Rusal 14/07/2020

Hi! What should I do if I entered the wrong ip address and got me locked out from the wp-admin instead. Can I revert the changes I made in the htaccess file? can I restore my changes using the cPanel please help

Robert Abela 31/07/2020

You definitely can Rusal.

Login to your web host´s CPanel, or access your website´s files via SFTP and change the IP address in the .htaccess file. If you are using the CPanel, you should have a file explorer to access the files. I hope that helps.

MarkTPC 29/01/2021

Sure that I need only this block of code, without any markup?

Radostin Angelov 02/02/2021

Hi Mark,

Thanks for reaching out!

This is a pure configuration, hence you don’t need any markup in order to restrict access to WordPress wp-admin using htaccess.

I hope that clears it out for you.


Joseph 01/02/2022

The problem with this code is it will restrict the execution of certain necessary functions in a Woocommerce WordPress website (e.g Add to Cart will not work). Is there a way to fix that?

Radostin Angelov 09/02/2022

Hi Joseph,

Thanks for reaching out.

Please keep in mind that these are generic suggestions, so in your case it is best to read and research more about restricting access to WordPress wp-admin without functions in WooCommerce.


Andy Globe 16/02/2022

my admin dashboard is opened but when I click any of the functionality like (click on pages to view all the pages) it shows the error page not found…I am unable to configure the problem

Radostin Angelov 14/03/2022

Hello Andy,

I’m sorry to read about your problem.

This is an educational article and it contains guidelines on what you can do to achieve this on a vanilla environment. If you are experiencing issues implementing what is recommended, I’d recommend you to search for information related specifically to your environment or to contact your web host.

All the best,

Leave a Reply

Your email address will not be published. Required fields are marked *

Our other plugins