ThemeLab's Blog


Restrict WordPress Admin Access by IP Address


This is a guest post by Eric Sizemore, a web developer, programmer, and domainer.

In light of recent events, anyone using WordPress is apparently susceptible to what’s being called “Distributed WordPress admin account cracking”. You can view this article for more information. This post aims to add an extra layer of security to both your wp-admin folder and your wp-login.php file by allowing only a fixed list of IP addresses to reach them.

Step 1 – Determine Who Will Have Access

First and foremost, this extra layer of security involves blocking every IP address except a select few. If your IP address is dynamic, this may not be the best option for you. If you have a lot of users that you allow access to your blog, maintaining the list could become time consuming. If you are the only author on the blog and you don’t allow registrations anyway, this will be rather simple.

Step 2 – Creating .htaccess

First, let’s get your IP address. Go to IPChicken and make a note of your IP address. Next, download the .htaccess files that have been created for this post.

Once you extract the archive you should see a .htaccess file, and a wp-admin folder with a .htaccess file inside it. Open the main .htaccess file and you should see:

# Apache 2.2 syntax: only the listed IP addresses may request wp-login.php
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
</Files>

Edit the “Allow from” line to reflect your IP address. To add more IP addresses, add a new line with “Allow from” and the next IP address, and so on. Now, chances are you already have a .htaccess file in your root WordPress folder. If so, edit the file and copy paste the contents of your edited .htaccess file from the zip, and save/re-upload.

Now open the .htaccess file within the wp-admin folder from the zip. You should see something like:

# Apache 2.2 syntax: applies to everything under wp-admin/
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx

Do as you did above, and add any extra IPs you want to allow into the wp-admin area. Chances are you do not have a .htaccess file in your wp-admin folder, so just upload the edited .htaccess file from the zip to your wp-admin folder.
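The two snippets above use the Apache 2.2 access-control syntax, which Apache 2.4 only accepts when mod_access_compat is loaded. The following is an added example, not part of the original post or its zip file, showing the same lockdown in the Apache 2.4 Require syntax. The addresses 203.0.113.0/24 and 198.51.100.7 are documentation-range placeholders standing in for your own IP addresses or ranges, and the example assumes mod_authz_core (standard in 2.4) and that .htaccess overrides are enabled for the site. It also exempts wp-admin/admin-ajax.php, which WordPress themes and plugins call from the public pages of the site, so that blocking the whole folder does not break front-end features.

```apache
# ---- root .htaccess (next to wp-login.php) ----
# Only the listed addresses may reach the login form; everyone else gets 403.
# 203.0.113.0/24 and 198.51.100.7 are placeholder values; replace them with
# your own IP address(es). Add more addresses to the same line or on
# additional "Require ip" lines.
<Files "wp-login.php">
    Require ip 203.0.113.0/24 198.51.100.7
</Files>

# ---- wp-admin/.htaccess ----
# Everything under wp-admin/ is restricted to the same addresses.
Require ip 203.0.113.0/24 198.51.100.7

# admin-ajax.php is the front-end AJAX endpoint used by many themes and
# plugins, so it must stay reachable by all visitors. In Apache 2.4 the
# Require directives of a more specific section replace those inherited
# from the enclosing scope (AuthMerging Off, the default), so this
# <Files> block fully overrides the directory-level rule above.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

After uploading, confirm the rules from an address that is not on the list: wp-login.php and wp-admin/ should return a 403, while a request to wp-admin/admin-ajax.php should still be answered by WordPress. If the site sits behind a proxy or CDN, the address Apache sees is the proxy's, not the visitor's, so the allow list must be built from the addresses reported by mod_remoteip or the equivalent rather than the one IPChicken shows you.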

Step 3 – You’re done

And that’s all! :)

About

Leland Fiegel was the original founder of ThemeLab. He is a web developer who loves WordPress and blogging.

  • badcat

    Will you need to repeat this process after a new version of WordPress comes out?

    Or would it make more sense to deny the wp-admin folder in the site root .htaccess file since that doesn’t get updated when WP updates its core?

  • Leland

    @badcat: That’s a good question but I don’t think you’ll need to repeat the process since these .htaccess files aren’t included with the actual upgrade.

  • http://lifegames.com.au Elizabeth

    Thanks so much for this.

    I’ve been experiencing exploit attempts on several of my WordPress websites and have been using .htaccess to block the individual IPs. But this seems much more effective. Hope it works well.

    Thanks Leland.

  • Leland

    @Elizabeth: No problem! Let me know how it works out for you.

  • http://page.ly joshua strebel

    The Login Lockdown plugin is also nice. Limits and then bans failed login attempts. Kind of like iptables for WP.
    http://wordpress.org/extend/plugins/login-lockdown/

    We added it to our pre-install for page.ly customers so it will be activated by default after signup.

    PS.. love the new themelab.com design.

    • Leland

      That sounds like it could be pretty effective. Especially if you login at a lot of different locations with different IP addresses, it may not be practical to add a .htaccess rule for each one.

      And glad you like the design!

  • http://GarySaid.com/ Gary LaPointe

    But I access my site from all sorts of places, including my cellphone.

    What I’d really like is to restrict everywhere outside of North America and that would probably cut down on a lot of hacking wouldn’t it?

    Yes, it’s still open but a lot less wide than it was previously.

    Anyone try anything like this?

    • Leland

      Maybe, but you’d need to integrate it with a geo IP-to-location database which might be a little overkill for something like this.

      If you login from a lot of places/IPs you might want to look into something like Login Lockdown.

  • http://Mishraweb Mishra

    Thanks for the info
    I was very frustrated with my blog getting hacked a fourth time.
    I wanted to be 100% sure to stop all bot attacks.
    In the last few days I tried many plugins including AskApache but it is not working fine because of some problem with my hosting.

    Finally I got a custom solution. I put an .htaccess file in the wp-admin folder and IP locked it to open only with my IP range, and it works. Now no bot can try to check out my options and settings files, unless the bot is in my PC itself.

    : )

    Regards

  • http://getridofbadhabits.com Elizabeth Richardson

    After leaving this system in place for a couple of months now, I’ve now been able to relax. It does seem to work, as I had been hacked multiple times before too.

    I use an IP range instead of a specific IP in my .htaccess and it works fantastically. Thank you so much.

    • Leland

      Glad to hear it’s working out for you. :D

  • http://prosaudi.com/ Yasir Imran

    Quite useful regarding security. I recently encountered a few attacks on my WP site and I am looking for a good solution.