Not too long ago, we showed you how and why you need to limit login attempts in WordPress. Shortly after pushing that article, we started seeing an influx of attacks on our site. We had 39 lockouts from various IP addresses in a matter of a few hours. We are not sure whether it was people who just wanted to test this plugin out and so started making failed attempts on our site, or whether it was real hackers. As a security measure, we decided to limit access by IP to our wp-login.php file in WordPress. We already have our WP Admin directory on limited access by IP. In this article, we will show you how to limit access by IP to your wp-login.php file in WordPress.
Note: This tutorial is not for total beginners.
Open your main .htaccess file and put this code towards the top of the file before everything else.
<Files wp-login.php>
# Evaluate Deny rules first, then Allow rules; an Allow match overrides the Deny
order deny,allow
Deny from all
# whitelist West Palm Beach IP address
allow from xx.xxx.xx.xx
# whitelist Gainesville IP address
allow from xx.xxx.xx.xx
</Files>
Don’t forget to replace the IP addresses with your own. The only real downside to this is that if you have dynamic IPs, it can be a problem. Otherwise, this works like a charm. Also, the wp-login.php styling breaks, but that is not a priority at this moment. We just wanted to prevent the failed login attempts.
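The snippet above uses the Apache 2.2 access directives; on Apache 2.4 the same rule is written with Require, which also allows a password fallback for users on dynamic IPs. This is an added example, not code from the original article: the IP addresses are documentation-range placeholders and the AuthUserFile path is hypothetical.

```apache
# Added example (not from the original article). Apache 2.4 syntax (mod_authz_core).
# 203.0.113.10 and 198.51.100.0/24 are documentation-range placeholders;
# /home/example/.htpasswd is a hypothetical path outside the web root.
<Files "wp-login.php">
    # Basic auth setup, used only when the client IP is not on the list
    AuthType Basic
    AuthName "Restricted login"
    AuthBasicProvider file
    AuthUserFile "/home/example/.htpasswd"

    # Grant access if ANY of the following matches; everything else is denied
    <RequireAny>
        # Fixed addresses skip the password prompt
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
        # Dynamic-IP users fall back to an htpasswd account
        Require valid-user
    </RequireAny>
</Files>
```

The password file is created with the htpasswd utility that ships with Apache. Basic authentication sends credentials base64-encoded rather than encrypted, so the fallback only makes sense when the site is served over HTTPS.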
For additional admin security, check out our article on 13 vital tips and tricks to protect WordPress admin area.








To get around the dynamic IP issue you can reference an htpasswd.
Thanks for this great tip! But I’m a bit confused: should I paste this snippet in my root .htaccess file, or into my wordpress/.htaccess file?
Cheers (and btw, I just LOVE wpbegginer.com, keep up the good work !)
Paste it in your wordpress/.htaccess
With dynamic IPs this can be a pain. You can set Apache Protect on it, but that is a bit more complex. #whitelist line is just to let me know which IP is which.