Not too long ago, we showed you how and why you need to limit login attempts in WordPress. Shortly after pushing that article, we started seeing an influx in attacks on our site. We had 39 lockouts from various IP addresses in a matter of few hours. Not sure whether it was people who just wanted to test this plugin out so they started to do failed attempts on our site, or whether it was real hackers. As a security measure, we decided to limit access by IP to our wp-login.php file in WordPress. We already have our WP Admin directory on limited access by IP. In this article, we will show you how to limit access by IP to your wp-login.php file in WordPress.
Note: This tutorial is not for total beginners.
Open your main .htaccess file and put this code towards the top of the file before everything else.
<Files wp-login.php>
order deny,allow
Deny from all
# whitelist West Palm Beach IP address
allow from xx.xxx.xx.xx
#whitelist Gainesvile IP Address
allow from xx.xxx.xx.xx
</Files>
Don’t forget to replace the IP addresses with your own. The only real downside to this is if you have dynamic IPs, then it can be a problem. Otherwise, this works like charm. Also, the wp-login.php styling breaks, but that is not a priority at this moment. We just wanted to prevent the failed login attempts.
For additional admin security, check out our article on 13 vital tips and tricks to protect WordPress admin area.
Michael Pepper says
Thanks for the article, helpful!
WPBeginner Support says
Glad our article was helpful
Admin
Mick says
For some reason when I use this the whitelisted ip is blocked too.
any idea why?
WPBeginner Support says
You may want to ensure you set the correct IP and if you are using a VPN or something similar that may be the root of the issue
Admin
Bahar Ali says
I used the above code and it somehow apply’s to every page of the site for example my home even shows prohibited.
WPBeginner Support says
You may first want to check with your hosting provider to ensure there isn’t a conflicting setup on their end.
Admin
Unni Krishnan says
Good One guys,
As you stated in the last section, I do have dynamic IPs for my mobile connection. Though I have white listed my Broadband IP, getting stuck while accessing on the go.
Do you know if any plugins help to solve this ?
Unni Krishnan says
Also, such requests to wp-login.php are getting redirected to the homepage. Is this normal ?
FrancescoElzy says
Hmm it seems like your blog ate my first comment (it was super long) so I guess I’ll just sum it up what I wrote and say, I’m thoroughly enjoying your blog. I too am an aspiring blog blogger but I’m still new to the whole thing. Do you have any helpful hints for newbie blog writers? I’d genuinely appreciate it.
Stéfano Willig says
We have made our ftp accessable only by certain IP.
Now I can’t install or update wordpress directly via wordpress…
What can I do?
Jobbatam says
Great tips and works for me.
But, Can i redirect wp-login to error 404?
If can, what code i add into code above?
thanks
MargaretMacnamar says
It’s very simple to find out any matter on net as compared to textbooks, as I found this post at this website.
EQHRaymond says
Thank you for the function. Post aided me a whole lot
Rex Wickham says
If you want to add more than one IP you can do this:
1. you can use a partial IP:
Allow from 145.50.39
This will allow IP from 145.50.39.0 to 145.50.39.255
2. you can use a netmask or a CIDR:
Allow from 145.50.39.0/255.255.255.224
or
Allow from 145.50.39.0/27
This will allow IP from 145.50.39.0 to 145.50.39.31.
Julius Musembi says
This is a great workaround.
David Swanson says
I added the code to my .htaccess but when my users logout they receive Error 403.
When they click logout the link is /wp-login.php?action=logout
Anyway to fix this?
Brijesh says
Great Tip! But i got a problem. It locks admin login from others ips, but if a registered user sign out from site, code also restricts that. I mean when user click sign out, it gives forbidden message. How to solve it?
Rafaqat says
Thanks for your quick guideline to protect from excessive and illegal log in attempts. Actually there is a free plugin “better wp security” that can manage nearly all security issues regarding,login attempts,wp.config file,.htaccess file and many more. I think one should give it a try.
Kris says
To get around the dynamic IP issue you can reference an htpasswd.
Baptiste Legrand says
Thanks for this great tip ! But i’m a but confused : should I paste this snippet in my root .htacess file, or into my wordpress/.htaccess file ?
Cheers (and btw, I just LOVE wpbegginer.com, keep up the good work !)
Editorial Staff says
Paste it in your wordpress/.htaccess
Admin
Editorial Staff says
With dynamic IPs this can be a pain. You can set Apache Protect on it, but that is a bit more complex. #whitelist line is just to let me know which IP is which.
Admin
Steve Pringle says
You should mention that plugins (like JetPack) may have issues when you limit access.