Beginner's Guide for WordPress - Start your WordPress Blog in minutes.
Choosing the Best
WordPress Hosting
How to Easily
Install WordPress
WordPress Plugins
View all Guides

Protect Your Admin folder in WordPress by Limiting Access in .htaccess

Last updated on by
Special WordPress Hosting offer for WPBeginner Readers
Protect Your Admin folder in WordPress by Limiting Access in .htaccess

As we mentioned while using WordPress 2.8.3, our site was attacked in an attempt to hack into our WP-Admin folder. Thankfully WordPress has found the bug and released a security patch in WordPress 2.8.4, but this attack made us take extra security measures with our site. We have limited access to our wp-admin folder by using .htaccess and assigning specific IPs that can access it. Before some hacker kept resetting our password and that was because they could see our wp-admin folder and see the login bar. Now no one but WPBeginner Editors can see our admin panel. In this article, we will show you how you can limit wp-admin folder access by IP address using .htaccess file.

First you need to open your .htaccess file located in your /wp-admin/ folder, and make a backup.

Note: Do not edit your Root .htaccess file, don’t paste these codes in there. It must be /wp-admin/.htaccess if you don’t see that file then create a blank file, name it .htaccess in your wp-admin folder.

Then paste the following code:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist Syed's IP address
allow from
# whitelist David's IP address
allow from
# whitelist Amanda's IP address
allow from
# whitelist Muhammad's IP address
allow from
# whitelist Work IP address
allow from

Paste your IP Address and upload the file.

Now if you have more than one IP make sure you list them there. For example, Work, Home, Vacation IP, if you ever use it. Each time you want to visit your wp-admin panel from another location, you would have to add an extra IP address. That is the only downside to this hack, but this will keep your wp-admin folder safe.

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Page maintained by Syed Balkhi.

WPBeginner's Video Icon
Our HD-Quality tutorial videos for WordPress Beginners will teach you how to use WordPress to create and manage your own website in about an hour. Get started now »


  1. Emaan Ali says:

    Hi Guys,

    I have blocked the wp-admin with .htaccess as mentioned in this article. But i am having one problem that my admin-ajax file is also being restricted on public site.

    My wordpress theme uses much of admin ajax functionality and that I have put the IP limitation access on wp-admin folder so its not accessible for all IP’s.

    Does anyone find the solution for this ? If so please share .

    Thanks in advance

  2. Len says:

    Hi, This seems really a helpful one. Maybe you could help me. Instead of whitelisting an IP can we allow access for specific countries in .htaccess file? Hoping you can help me. Thank you very much.

  3. Bridget says:

    Thanks! This was the only solution that worked for me after trying so many :)

  4. Scotty says:

    Hi, This does work. I checked and am “forbidden” to login on any other computer. I can’t even see the login panel. However, I am still getting about 24 failed log in attempts per day from all different IP addresses. Any ideas how there getting around this? It’s some kind of brute force attack? Thanks, Scott.

    • WPBeginner Support says:

      Yes quite possibly. Make sure your .htaccess password is a difficult one.

      • Scotty says:

        Thanks. Your site has been very helpful. If you have moment maybe you could answer one more question. I followed your tutorials — and they worked. I blocked access to my admin folder with htaccess and added a password on top of that. I tested and even if people were to break the password, which they haven’t, they wouldn’t have access to the folder from any IP address except mine. However, I’m still getting about 12 failed logins per day. Any ideas what is happening and where to go to fix it? I was hacked once, but cleared the files out of my uploads folder.

      • Scotty says:
  5. Sehrish says:

    And how to allow access to only wordpress adminitrator ?What code i will write without any ip ? I just need to know a generic function that get admin related info.Becuse i have to restrict my plugin uploads from other user.And Whoever using this plugin i have to get its admin info to restrict contents from other and allow only to admin of website.

  6. Praveen says:

    Many Many thanks sir, I have test this on my localhost system it works very well.

  7. Kim says:

    I tried this (after previously successfully password protecting my wp-admin directory and fixing the redirect error per your other article), but then I get a pop-up asking for a user name and password for the “WordPress Admin Access Control”. What user name and password am I supposed to be using for this new pop-up? Neither the wordpress admin logon nor the wp-admin directory logon work for it.

    • Kim says:

      Oh, I believe I figured out the problem; seems to work as long as I make sure to have the added code at the very beginning.

  8. Jordyn says:

    I have a big problem :(

    I did what you said about creating the .htaccess and putting in the code snippet. It didn’t work so I deleted the .htaccess file and now I can’t login to my dashboard! It’s just a white screen :( Please help!!!


    • Editorial Staff says:

      That’s a fairly unlikely outcome. You deleted the .htaccess file in your /wp-admin/ folder correct?

      • Jordyn says:

        All I did was create the file in my wp-admin folder and when it didn’t work I deleted it from the wp-admin folder. I’m not sure what happened but, after a crazy rabbit trail and many shots in the dark, I was able to correct the problem by adding to the top of my login.php file. I still don’t know what went wrong or why what I did fixed it…. but at least its fixed. I may try this again when I’m feeling brave.

  9. Peter says:

    First I did not manage to make your password protect work

    at least this one works.

    It is interesting, that I wp-admin page gets into an infinite redirect when I enter a wrong IP address, not my one.
    The infinite redirect seems to be hence an authorization problem.

  10. Raheem Khan says:

    Hi WPB, I don’t think it will be working in Pakistan because every time we reset or turn of our DSL modem so the IP address automatically changes. if any other tip please reply me.

  11. awan says:

    yes it can be done on https, it’s just .htaccess

  12. wpbeginnerfan says:

    Can this be done on https sites? I can’t get it to work.

  13. andrew says:

    hi, how to make .htaccess with dynamic ip (non static ip)
    my ip is always change

    please help…

    • Editorial Staff says:

      Then this solution is not for you.

      • Joe says:

        You can harden your wordpress install via .htaccess whitelisting even if you have a dynamic IP address. You can whitelist a range of IP addresses using a /24 or /16 range. While this allows more access than if you always knew the IP you wanted to allow, it still prohibits access from almost the entire internet.

        Just add /24 to the end of the allow from line to allow the whole class C subnet (256 IPs), or add /16 to allow the whole 65,536 range. i.e.

        allow from

        will allow access to IP addresses from – and

        allow from

        will allow access from IP addresses from –

  14. Kyle says:

    You say not to do the root site’s .htaccess file…why is that? Because you just want to limit access to the /wp-admin folder?

    So…if I wanted to have a WordPress site hosted externally but used as an internal company resource so that only people using IPs of our company could access it…if I edited the root folder’s .htaccess folder to only allow IPs from our domain…that would work the same way your /wp-admin fix is, but for the entire site, correct?

    • Editorial Staff says:

      Yes Kyle, the reason why we said do not put this code in the root file because then it will limit your site access to only these IP as well. But if you are trying to make a site just for your company’s staff can access it only from work, then you would want to put the .htaccess file in the root folder.

  15. Bill says:

    Why just limit GETs? You might want to limit POSTs as well!

  16. Darrin says:

    Nice tip. I will be doing this.

    • Alim Bolar says:

      Can I limit access based on other criterias? Like I need only my laptop to access a particular folder.. I could access it from anywhere so it would be difficult to specify an IP as my internet access would be based on DHCP. Is there a unique identifier for every machine or something like that that can be used as a criteria?

Add a Comment

We're glad you have chosen to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and all links are nofollow. Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.