In an earlier article, we spoke about password protecting wp-login.php with HTTP authentication. There, we came up with this amazing analogy that if your WordPress were a house, HTTP authentication would be a fence to it. Now, imagine deploying a guard at your fence door to further secure your house (your WordPress site). This guard would check the ID (read IP address) of every visitor and allow (or deny) a selected few.
In this article, we’ll teach you how to provide restricted access through the fence door to only select IP addresses. Of course, for this to work, your internet connection needs to have a static IP address first. If you aren’t sure what your IP address is, you can always Google ‘IP address’.
How to Restrict Access by IP to your wp-admin Directory
To begin with, download the .htaccess file from your wp-admin directory using a third-party FTP client like FileZilla. In case there isn’t already an .htaccess file in your wp-admin directory, go ahead and create a new one. Then, add the following lines at the end of your .htaccess file:
allow from your.IP.address
deny from all
The above directive allows only a single IP address to access your admin dashboard. This will apply in case you solely access your WordPress dashboard from a single location. In the given example, you need to mention your IP address in place of ‘your.IP.address’.
Now, if you access your dashboard from multiple locations, you’ll need to list out all those IP addresses in the directive. For this, you’ll need to mention individual IP addresses in individual ‘allow from’ lines as shown below:
allow from your.IP.address.1
allow from your.IP.address.2
allow from your.IP.address.3
deny from all
Blocking Specific IP Addresses
It has been seen that a large number of attacks come from specific regions or set of IPs. To block these culprits at the htaccess level itself, you can include the following syntax in your .htaccess file:
deny from IP.address.1
deny from IP.address.2
allow from all
Mention the IP addresses you wish to blacklist in place of ‘IP.address.1’ and ‘IP.address.2’. If the blocked IP addresses try to access your dashboard, they’ll get a default ‘403 Forbidden’ error message.
Once you’re done, save the changes and upload the .htaccess file back to the wp-admin directory. In case you make such a change to the .htaccess file in the root directory of your WordPress, all website visitors, apart from you, will receive the ‘403 Forbidden’ error message. Therefore, be sure to make the changes to the .htaccess file in the wp-admin directory of your WordPress alone.
Fixing the Admin Ajax Issue
Limiting access to WordPress wp-admin using IP address tends to break the front-end Ajax functionality. Therefore, if any of your plugins use Ajax in the front end, add the following code to the .htaccess file in your wp-admin directory for fixing the Ajax issue:
allow from all
For increased security, it is always advisable to use the method discussed above for limiting access via IP address in conjunction with password protection. Also, your IP address will change if you change your internet service provider. So don’t forget to update your .htaccess file in such a case.