Protect Your Admin folder in WordPress by Limiting Access in .htaccess

By Editorial Staff in Tutorials

As we mentioned, while we were running WordPress 2.8.3 our site was attacked in an attempt to break into our wp-admin folder. Thankfully, WordPress found the bug and released a security patch in WordPress 2.8.4, but the attack made us take extra security measures with our site. We have limited access to our wp-admin folder by using .htaccess to specify which IP addresses can access it. Before that, some hacker kept resetting our password, because they could see our wp-admin folder and the login bar. Now no one but WPBeginner editors can see our admin panel. In this article, we will show you how to limit access to the wp-admin folder by IP address using an .htaccess file.

First, open the .htaccess file located in your /wp-admin/ folder and make a backup of it.

Note: Do not edit your root .htaccess file, and do not paste this code there. It must be /wp-admin/.htaccess. If you don't see that file, create a blank file named .htaccess in your wp-admin folder.

Then paste the following code:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# Restrict POST as well as GET (limiting GET also covers HEAD)
<LIMIT GET POST>
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx
# whitelist Amanda's IP address
allow from xx.xx.xx.xxx
# whitelist Muhammad's IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx
</LIMIT>

Replace each xx.xx.xx.xxx with an IP address you want to allow, and upload the file.

If you connect from more than one IP address, make sure you list them all, for example work, home, and a vacation IP if you ever use one. Each time you want to visit your wp-admin panel from another location, you will have to add another IP address. That is the only downside to this hack, but it will keep your wp-admin folder safe.
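
Added example, not code from the original article: a small Python audit that applies Apache's `Order deny,allow` evaluation to a rule set wrapped in `<LIMIT GET>` and to one wrapped in `<LIMIT GET POST>`, and reports which HTTP methods an address outside the allow list can still use. The sample rule sets, the addresses (RFC 5737 documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample rule sets; 203.0.113.10 is an RFC 5737 documentation address.
# Assumption: rules use full IPs or CIDR ranges, and no parent config adds access rules.
WEAK = """\
<LIMIT GET>
order deny,allow
deny from all
allow from 203.0.113.10
</LIMIT>
"""
FIXED = WEAK.replace("<LIMIT GET>", "<LIMIT GET POST>")

def parse(htaccess):
    """Return [(methods or None, 'allow'|'deny', target)] for each access rule."""
    rules, methods = [], None
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<limit\s+([^>]+)>", line, re.I)
        if m:
            methods = {x.upper() for x in m.group(1).split()}
            if "GET" in methods:
                methods.add("HEAD")  # Apache: limiting GET also limits HEAD
        elif re.match(r"</limit>", line, re.I):
            methods = None
        else:
            m = re.match(r"(allow|deny)\s+from\s+(\S+)", line, re.I)
            if m:
                rules.append((methods, m.group(1).lower(), m.group(2).lower()))
    return rules

def is_allowed(htaccess, method, client_ip):
    """Evaluate 'Order deny,allow': deny is checked first, a matching allow wins,
    and a request that no rule covers is allowed by default."""
    ip = ipaddress.ip_address(client_ip)
    def hit(target):
        return target == "all" or ip in ipaddress.ip_network(target, strict=False)
    active = [(a, t) for ms, a, t in parse(htaccess) if ms is None or method.upper() in ms]
    denied = any(a == "deny" and hit(t) for a, t in active)
    allowed = any(a == "allow" and hit(t) for a, t in active)
    return allowed or not denied

def exposed_methods(htaccess, outsider="198.51.100.7"):
    """Methods an address outside the allow list can still use."""
    return [m for m in ("GET", "HEAD", "POST") if is_allowed(htaccess, m, outsider)]
```

Run `exposed_methods()` on the text of your own /wp-admin/.htaccess after replacing the placeholder addresses; an empty list means none of the three methods is open to an unlisted address.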


Comments

8 Responses to “Protect Your Admin folder in WordPress by Limiting Access in .htaccess”
  1. Darrin says:

    Nice tip. I will be doing this.

    • Alim Bolar says:

      Can I limit access based on other criteria? Like I need only my laptop to access a particular folder. I could access it from anywhere so it would be difficult to specify an IP as my internet access would be based on DHCP. Is there a unique identifier for every machine or something like that that can be used as a criterion?

  2. Bill says:

    Why just limit GETs? You might want to limit POSTs as well!

  3. Kyle says:

    You say not to do the root site’s .htaccess file…why is that? Because you just want to limit access to the /wp-admin folder?

    So…if I wanted to have a WordPress site hosted externally but used as an internal company resource so that only people using IPs of our company could access it…if I edited the root folder’s .htaccess folder to only allow IPs from our domain…that would work the same way your /wp-admin fix is, but for the entire site, correct?

    • Yes Kyle, the reason why we said not to put this code in the root file is that it will then limit your site access to only these IPs as well. But if you are trying to make a site that only your company's staff can access, and only from work, then you would want to put the .htaccess file in the root folder.

  4. andrew says:

    Hi, how do I make an .htaccess with a dynamic IP (non-static IP)?
    My IP is always changing: xxx.xxx.xxx.12 xxx.xxx.xxx.453 xxx.xxx.xxx.076

    please help…
