WPBeginner

Beginner's Guide for WordPress

  • Blog
    • Beginners Guide
    • News
    • Opinion
    • Showcase
    • Themes
    • Tutorials
    • WordPress Plugins
  • Start Here
    • How to Start a Blog
    • Create a Website
    • Start an Online Store
    • Best Website Builder
    • Email Marketing
    • WordPress Hosting
    • Business Name Ideas
  • Deals
    • Bluehost Coupon
    • SiteGround Coupon
    • WP Engine Coupon
    • HostGator Coupon
    • Domain.com Coupon
    • Constant Contact
    • View All Deals »
  • Glossary
  • Videos
  • Products
X
☰
Beginner's Guide for WordPress / Start your WordPress Blog in minutes
Choosing the Best
WordPress Hosting
How to Easily
Install WordPress
Recommended
WordPress Plugins
View all Guides

WPBeginner» Blog» Tutorials» How to Limit Access by IP to Your wp-login.php file in WordPress

How to Limit Access by IP to Your wp-login.php file in WordPress

Last updated on February 22nd, 2012 by Editorial Staff
39 Shares
Share
Tweet
Share
Pin
Free WordPress Video Tutorials on YouTube by WPBeginner
How to Limit Access by IP to Your wp-login.php file in WordPress

Not too long ago, we showed you how and why you need to limit login attempts in WordPress. Shortly after pushing that article, we started seeing an influx in attacks on our site. We had 39 lockouts from various IP addresses in a matter of few hours. Not sure whether it was people who just wanted to test this plugin out so they started to do failed attempts on our site, or whether it was real hackers. As a security measure, we decided to limit access by IP to our wp-login.php file in WordPress. We already have our WP Admin directory on limited access by IP. In this article, we will show you how to limit access by IP to your wp-login.php file in WordPress.

Note: This tutorial is not for total beginners.

Open your main .htaccess file and put this code towards the top of the file before everything else.

<Files wp-login.php>
        order deny,allow
        Deny from all

# whitelist West Palm Beach IP address
allow from xx.xxx.xx.xx

#whitelist Gainesvile IP Address
allow from xx.xxx.xx.xx

</Files>

Don’t forget to replace the IP addresses with your own. The only real downside to this is if you have dynamic IPs, then it can be a problem. Otherwise, this works like charm. Also, the wp-login.php styling breaks, but that is not a priority at this moment. We just wanted to prevent the failed login attempts.

For additional admin security, check out our article on 13 vital tips and tricks to protect WordPress admin area.

39 Shares
Share
Tweet
Share
Pin
Popular on WPBeginner Right Now!
  • How to Fix the Error Establishing a Database Connection in WordPress

    How to Fix the Error Establishing a Database Connection in WordPress

  • Google Analytics in WordPress

    How to Install Google Analytics in WordPress for Beginners

  • How to Properly Move Your Blog from WordPress.com to WordPress.org

  • Revealed: Why Building an Email List is so Important Today (6 Reasons)

    Revealed: Why Building an Email List is so Important Today (6 Reasons)

About the Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Trusted by over 1.3 million readers worldwide.

The Ultimate WordPress Toolkit

21 Comments

Leave a Reply
  1. Mick says:
    Sep 15, 2020 at 4:18 pm

    For some reason when I use this the whitelisted ip is blocked too.

    any idea why?

    Reply
    • WPBeginner Support says:
      Sep 16, 2020 at 1:52 pm

      You may want to ensure you set the correct IP and if you are using a VPN or something similar that may be the root of the issue

      Reply
  2. Bahar Ali says:
    Apr 29, 2020 at 8:06 pm

    I used the above code and it somehow apply’s to every page of the site for example my home even shows prohibited.

    Reply
    • WPBeginner Support says:
      Apr 30, 2020 at 10:09 am

      You may first want to check with your hosting provider to ensure there isn’t a conflicting setup on their end.

      Reply
  3. Unni Krishnan says:
    Feb 23, 2017 at 6:12 am

    Good One guys,
    As you stated in the last section, I do have dynamic IPs for my mobile connection. Though I have white listed my Broadband IP, getting stuck while accessing on the go.
    Do you know if any plugins help to solve this ?

    Reply
    • Unni Krishnan says:
      Feb 23, 2017 at 6:17 am

      Also, such requests to wp-login.php are getting redirected to the homepage. Is this normal ?

      Reply
  4. FrancescoElzy says:
    Feb 8, 2017 at 3:44 pm

    Hmm it seems like your blog ate my first comment (it was super long) so I guess I’ll just sum it up what I wrote and say, I’m thoroughly enjoying your blog. I too am an aspiring blog blogger but I’m still new to the whole thing. Do you have any helpful hints for newbie blog writers? I’d genuinely appreciate it.

    Reply
  5. Stéfano Willig says:
    Jun 21, 2016 at 9:39 am

    We have made our ftp accessable only by certain IP.
    Now I can’t install or update wordpress directly via wordpress…
    What can I do?

    Reply
  6. Jobbatam says:
    Mar 29, 2016 at 6:14 am

    Great tips and works for me.
    But, Can i redirect wp-login to error 404?
    If can, what code i add into code above?

    thanks

    Reply
  7. MargaretMacnamar says:
    Jan 7, 2016 at 7:58 pm

    It’s very simple to find out any matter on net as compared to textbooks, as I found this post at this website.

    Reply
  8. EQHRaymond says:
    Jan 3, 2016 at 9:58 am

    Thank you for the function. Post aided me a whole lot

    Reply
  9. Rex Wickham says:
    Jul 23, 2015 at 7:10 am

    If you want to add more than one IP you can do this:

    1. you can use a partial IP:

    Allow from 145.50.39

    This will allow IP from 145.50.39.0 to 145.50.39.255

    2. you can use a netmask or a CIDR:

    Allow from 145.50.39.0/255.255.255.224

    or

    Allow from 145.50.39.0/27

    This will allow IP from 145.50.39.0 to 145.50.39.31.

    Reply
    • Julius Musembi says:
      Jun 25, 2020 at 6:57 pm

      This is a great workaround.

      Reply
  10. David Swanson says:
    Jul 12, 2015 at 5:09 pm

    I added the code to my .htaccess but when my users logout they receive Error 403.
    When they click logout the link is /wp-login.php?action=logout

    Anyway to fix this?

    Reply
  11. Brijesh says:
    Feb 17, 2014 at 10:39 am

    Great Tip! But i got a problem. It locks admin login from others ips, but if a registered user sign out from site, code also restricts that. I mean when user click sign out, it gives forbidden message. How to solve it?

    Reply
  12. Rafaqat says:
    Jan 21, 2014 at 9:04 am

    Thanks for your quick guideline to protect from excessive and illegal log in attempts. Actually there is a free plugin “better wp security” that can manage nearly all security issues regarding,login attempts,wp.config file,.htaccess file and many more. I think one should give it a try.

    Reply
  13. Kris says:
    Feb 12, 2013 at 2:12 pm

    To get around the dynamic IP issue you can reference an htpasswd.

    Reply
  14. Baptiste Legrand says:
    Jul 28, 2012 at 6:54 am

    Thanks for this great tip ! But i’m a but confused : should I paste this snippet in my root .htacess file, or into my wordpress/.htaccess file ?

    Cheers (and btw, I just LOVE wpbegginer.com, keep up the good work !)

    Reply
    • Editorial Staff says:
      Jul 28, 2012 at 2:25 pm

      Paste it in your wordpress/.htaccess

      Reply
  15. Editorial Staff says:
    Feb 24, 2012 at 9:21 am

    With dynamic IPs this can be a pain. You can set Apache Protect on it, but that is a bit more complex. #whitelist line is just to let me know which IP is which.

    Reply
    • Steve Pringle says:
      Jan 27, 2016 at 1:21 am

      You should mention that plugins (like JetPack) may have issues when you limit access.

      Reply

Leave a Reply Cancel reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

Over 1,320,000+ Readers

Get fresh content from WPBeginner

Featured WordPress Plugin
TrustPulse
TrustPulse
Instantly get 15% more conversions with social proof. Learn More »
How to Start a Blog How to Start a Blog
I need help with ...
Starting a
Blog
WordPress
Performance
WordPress
Security
WordPress
SEO
WordPress
Errors
Building an
Online Store
Useful WordPress Guides
    • 7 Best WordPress Backup Plugins Compared (Pros and Cons)
    • How to Fix the Error Establishing a Database Connection in WordPress
    • Why You Need a CDN for your WordPress Blog? [Infographic]
    • 30 Legit Ways to Make Money Online Blogging with WordPress
    • Self Hosted WordPress.org vs. Free WordPress.com [Infograph]
    • Free Recording: WordPress Workshop for Beginners
    • 24 Must Have WordPress Plugins for Business Websites
    • How to Properly Move Your Blog from WordPress.com to WordPress.org
    • 5 Best Contact Form Plugins for WordPress Compared
    • Which is the Best WordPress Popup Plugin? (Comparison)
    • Best WooCommerce Hosting in 2021 (Comparison)
    • How to Fix the Internal Server Error in WordPress
    • How to Install WordPress - Complete WordPress Installation Tutorial
    • Why You Should Start Building an Email List Right Away
    • How to Properly Move WordPress to a New Domain Without Losing SEO
    • How to Choose the Best WordPress Hosting for Your Website
    • How to Choose the Best Blogging Platform (Comparison)
    • WordPress Tutorials - 200+ Step by Step WordPress Tutorials
    • 5 Best WordPress Ecommerce Plugins Compared
    • 5 Best WordPress Membership Plugins (Compared)
    • 7 Best Email Marketing Services for Small Business (2021)
    • How to Choose the Best Domain Registrar (Compared)
    • The Truth About Shared WordPress Web Hosting
    • When Do You Really Need Managed WordPress Hosting?
    • 5 Best Drag and Drop WordPress Page Builders Compared
    • How to Switch from Blogger to WordPress without Losing Google Rankings
    • How to Properly Switch From Wix to WordPress (Step by Step)
    • How to Properly Move from Weebly to WordPress (Step by Step)
    • Do You Really Need a VPS? Best WordPress VPS Hosting Compared
    • How to Properly Move from Squarespace to WordPress
    • How to Register a Domain Name (+ tip to get it for FREE)
    • HostGator Review - An Honest Look at Speed & Uptime (2021)
    • SiteGround Reviews from 4464 Users & Our Experts (2021)
    • Bluehost Review from Real Users + Performance Stats (2021)
    • How Much Does It Really Cost to Build a WordPress Website?
    • How to Create an Email Newsletter the RIGHT WAY (Step by Step)
    • Free Business Name Generator (A.I Powered)
    • How to Create a Free Business Email Address in 5 Minutes (Step by Step)
    • How to Install Google Analytics in WordPress for Beginners
    • How to Move WordPress to a New Host or Server With No Downtime
    • Why is WordPress Free? What are the Costs? What is the Catch?
    • How to Make a Website in 2021 – Step by Step Guide
Deals & Coupons (view all)
SeedProd Logo
SeedProd Coupon
Get 50% OFF SeedProd Coming Soon Page plugin for WordPress.
Pretty Links
Pretty Links Pro Coupon
Get up to 35% OFF on Pretty Links Pro WordPress URL shortener and affiliate links cloaking plugin.
Featured In
About WPBeginner®

WPBeginner is a free WordPress resource site for Beginners. WPBeginner was founded in July 2009 by Syed Balkhi. The main goal of this site is to provide quality tips, tricks, hacks, and other WordPress resources that allows WordPress beginners to improve their site(s).

Join our team: We are Hiring!

Site Links
  • About Us
  • Contact Us
  • FTC Disclosure
  • Privacy Policy
  • Terms of Service
  • Free Blog Setup
  • Free Business Tools
  • Growth Fund
Our Sites
  • OptinMonster
  • MonsterInsights
  • WPForms
  • SeedProd
  • Nameboy
  • RafflePress
  • Smash Balloon
  • AIOSEO

Copyright © 2009 - 2021 WPBeginner LLC. All Rights Reserved. WPBeginner® is a registered trademark.

Managed by Awesome Motive | WordPress hosting by SiteGround | WordPress Security by Sucuri.