Most people don’t think about securing their WordPress admin area until it’s too late. We’ve helped users recover from attacks where the WordPress admin area was left wide open.
That’s why we recommend restricting admin area access by IP. It’s a technique we’ve used on client sites that only need one or two people logging in from known networks.
In this tutorial, we’ll show you how to block access to WordPress admin using a quick edit to the .htaccess file. It’s a simple but very effective way of protecting your WordPress website against common threats.
Why Restrict WordPress Admin Access by IP Address?
If you are running a WordPress website, then you need to take your website’s security seriously. While WordPress core software is very secure, there’s more that you can do to protect yourself from hackers and brute force attacks.
Hackers can take down your website, as well as damage your revenue and reputation. They can steal data or even distribute malware to your website visitors and get your domain blacklisted by Google and others.
One smart way to block hackers and improve WordPress security is by protecting your WordPress admin area from unauthorized access.
If only you or a few trusted users need access to the admin area, then a good way to do that is to limit access to wp-admin and the WordPress login page to your team’s IP addresses.
Each team member will connect to your WordPress site using a specific IP address for each location. If you block access to all other IP addresses, then a hacker won’t be able to gain access to your website even if they have discovered your username and password.
Instead, they will see the error message: ‘Forbidden. You don’t have permission to access this resource.’
Let’s take a look at how to restrict WordPress admin access by IP address.
How to Restrict WordPress Admin Access by IP Address
The first thing you need to do is make a list of the IP addresses used by everyone on your team who needs access to the WordPress admin area.
You need to ask your team members to send you their IP addresses from the locations they usually work from. If someone works from several locations, then you will need to collect the IP address for each one.
You will also need to add your IP address to the list.
How to Find Your IP Address?
The easiest way to find your IP address is by visiting a site like SupportAlly or WhatisMyIPAddress.com.
These websites will show you your IP address, which you can then add to your list. You can also ask your team members to visit these sites to find their IP address and send it back to you.
Once you have made your list, you can proceed to limiting access by IP addresses. We’ll show you two approaches so you can choose one that works for you.
🚨 Important Note: In the following sections, we’ll show you how to modify important files to restrict admin access. This can be risky, even for advanced users, since even the smallest error can crash your site or impact it’s functionality. That’s why we always recommend creating a backup first.
1. Restrict Access by IP Address Using .htaccess File (Recommended)
For this method, we’ll be using .htaccess file. It is a server-level configuration file that you can edit to set up different things.
It runs before your WordPress website even loads, which is why adding security instructions there gives you much better protection.
You’ll have to use an FTP client or your hosting provider’s file manager app. If you haven’t used FTP before, then you may want to see our guide on how to use FTP to upload files to WordPress.
You will need to use the software to navigate to your website’s /wp-admin/ folder. Once you are there, you should look for the .htaccess file. This is a hidden file, so if you can’t see it, then you may need to enable the show hidden files option in your software.
If that file doesn’t exist in the folder, then you should create a new file and save it with the name .htaccess in your /wp-admin/ folder.
Warning ⚠️: Do not edit your root .htaccess file, or you will lock visitors out of your website’s front end! Make sure you are editing /wp-admin/.htaccess.
You should first download a copy of the file to your computer as a backup.
Once you’ve done that, you will need to edit .htaccess and paste the following code into the file:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<Limit GET>
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx
# whitelist Amanda's IP address
allow from xx.xx.xx.xxx
# whitelist Muhammad's IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx
</LIMIT>
Go ahead and edit the file to match the names of your own team members, and then paste in the IP addresses you collected earlier to replace where it says xx.xx.xx.xxx.
Once you save the file, only those IP addresses will be able to access the WordPress admin.
Remember that if your IP address changes or you try to access your website from a new location, then you will be locked out of your WordPress admin area. You will need to add your new IP address to the /wp-admin/.htaccess file.
⚠️ Locked out or site down? Don’t worry — we can help.
Our team offers Emergency WordPress Support for site owners who need fast, expert help fixing common issues — from login problems and hacks to broken themes, plugins, and errors.
We’ve been working with WordPress for 20+ years and have helped thousands of site owners recover quickly and safely.
2. Restrict Access Using wp-config.php (Alternative Method)
If your server doesn’t support .htaccess rules or you’re running WordPress on a non-Apache server like NGINX or LiteSpeed, then using the wp-config.php file is a good alternative.
Editing wp-config.php can be safer than modifying .htaccess because it’s less likely to cause server-level errors and is easy to revert if needed. That said, you’ll still need to make changes carefully as even minor errors can crash your site.
Thewp-config.php file loads early during the WordPress boot process, which makes it a secure place to apply restrictions. It’s especially useful for developers or advanced users managing sites across different server environments.
To use this method, open your wp-config.php file using an FTP client or your hosting control panel’s file manager. Then, just above the line that says /* That's all, stop editing! Happy blogging. */, add the following code:
if (strpos($_SERVER['REQUEST_URI'], '/wp-admin') !== false ||
strpos($_SERVER['REQUEST_URI'], '/wp-login.php') !== false) {
if ($_SERVER['REMOTE_ADDR'] !== '123.456.78.90') {
header('HTTP/1.0 403 Forbidden');
exit;
}
}
Replace 123.456.78.90 with your current IP address. This code will block all access to your WordPress admin and login pages except from your allowed IP.
Adding Multiple IP Addresses:
To add other team members you will need to use a different code instead. In this code, you will use an array of IP addresses for different team members separated by commas. Like this:
$allowed_ips = array('123.456.789.000', '987.654.321.000', '200.200.255.168'); // Add more IPs as necessary
if ( !in_array($_SERVER['REMOTE_ADDR'], $allowed_ips) ) {
wp_die('Unauthorized access. Your IP address is not permitted.');
}
Caution⚠️: If your IP address changes often or you work from multiple networks, this method could lock you out. Always make a backup before making changes to wp-config.php.
Handling Dynamic IPs or Multiple Team Members
If your IP address changes often or your team works from different networks, IP-based restrictions in .htaccess or wp-config.php may not be practical. These methods work best when access is limited to a fixed IP or location.
For more flexible security, you can use alternative approaches listed below:
1. Add Two-factor Authentication (2FA)
Adding Two-factor authentication means that users need to enter both their password and a one-time code from their phone to log in. This prevents attackers from getting into your site even if they know your password.
To learn more, see our step-by-step guide on how to add two-factor authentication in WordPress.
2. Password Protecting your Admin Folder
This approach adds another layer of security before users can even reach the WordPress login screen. When someone tries to visit /wp-admin/, they’ll first need to enter a server-level username and password set by you.
This helps block bots and attackers from trying to guess your WordPress login credentials. For details, see our tutorial on how to password protect your WordPress admin folder.
Frequently Asked Questions
What happens if my IP address changes?
If you’re using IP restrictions in .htaccess or wp-config.php and your IP changes, you’ll be locked out of your admin area. To regain access, you’ll need to update the allowed IP address via FTP or your hosting control panel.
Can I allow access from multiple IP addresses?
Yes. You can list multiple IP addresses in your .htaccess or wp-config.php rules. Each one should be added as a separate Allow from line or if condition, depending on which method you’re using.
What if I use a mobile hotspot or VPN?
Mobile hotspots and VPNs often use dynamic IPs, which can change frequently. In this case, we recommend enabling two-factor authentication or password-protecting your admin folder for more flexible protection.
More WordPress Security Tips
Restricting access to your admin area is a smart move, but it’s just one piece of the puzzle. Here are more helpful tutorials to strengthen your site’s security and learn about .htaccess features.
- How and Why You Should Limit Login Attempts in WordPress
- Ecommerce Security Tips: How to Secure Your WordPress Store
- Most Useful .htaccess Tricks for WordPress
- Tips to Protect Your WordPress Admin Area (Updated)
- How to Perform a WordPress Security Audit (Complete Checklist)
We hope this tutorial helped you learn how to restrict WordPress admin access by IP address. You may also want to see our WordPress tutorial on how to limit authors to their own posts in WordPress admin, or what to do when locked out of WordPress admin.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
Kzain
this is helpful but I just want to know about the dynamic IP address and static IP address for a WordPress website what is the preferred way to set the IP address if WordPress is getting managed at a home network most of the time? And if and when I use a security plugin I see the IP address changed?
WPBeginner Support
If you mean you are managing your site from a home network, you would use one of the many sites for finding your public IP address to find the IP that your site should see you accessing from.
We have more on IPs on our page below!
https://www.wpbeginner.com/glossary/ip-address/
Admin
Kzain
thanks for the reply i will definitely read that article.
Jiří Vaněk
Is it possible to allow access to the admin area from an entire network range using the htaccess file? I mean, not just from individual IP addresses but from the entire range of one network. It would be complicated for me to list all IP addresses, and it would be much easier for me to set up the entire network, but I’m not sure if this is possible with htaccess.
WPBeginner Support
If all of the IP addresses are on one network you can use a partial IP address but we would still recommend a full IP address for each user.
Admin
Jiří Vaněk
Thank you for confirming and for the advice. There will be multiple IP addresses involved, so I’m not sure if maintenance will become complicated, but still, I appreciate your recommendation and will seriously consider it because I believe your advice is justified. As you can see, sometimes it’s good to consult with professionals.
John
My wp-admin folder doesn’t contain an .htaccess file. What am I missing.
WPBeginner Support
You would need to have your FTP or file manager show hidden files if you do not see it.
Admin
Mukund
How to find my ip address for hiding wp-admin folder?
WPBeginner Support
There are multiple methods to find your IP, one of the simple ones would be to use a site like supportally.com
Admin
Chris
You have to enable
module authz_groupfile
“sudo a2enmod authz_groupfile”
and restart apache
Rajat Shankhdhar
Not working for me. Code restricting admin to get access even I put the ip in a whitelist.
Rostyslav
After this line, you must put a condition for permission to allow php files to prevent conflicts:
allow from all
Solace
I tried the .htaccess password protection method.
It works, but I tried it on a site with Woocommerce, but then my customers weren’t able to log in.
Just saying that because it seems no one has mentioned that it doesn’t work with sites that need customers to log in !
Miguel
Hello, thank you for the tutorial. Unfortunately, I have not been able to make this .htaccess file to work correctly because it is denying access to the only IP address I included, my own… I am certain I copied your code exactly and I typed my IP correctly. The .htaccess file was saved under: /wp-admin/.htaccess
Am I missing something? Thanks
Miguel
I must add that I am working on a localhost installation.
WPBeginner Support
Hi Miguel,
Instead of your IP address, try adding 127.0.0.1
That’s your localhost IP address. If adding the IP alone doesn’t work, then add the following line before the above code:
Require localAdmin
Pankaj Murthalia
how to block the access to wp admin???
Emaan Ali
Hi Guys,
I have blocked the wp-admin with .htaccess as mentioned in this article. But i am having one problem that my admin-ajax file is also being restricted on public site.
My wordpress theme uses much of admin ajax functionality and that I have put the IP limitation access on wp-admin folder so its not accessible for all IP’s.
Does anyone find the solution for this ? If so please share .
Thanks in advance
Emaan
Len
Hi, This seems really a helpful one. Maybe you could help me. Instead of whitelisting an IP can we allow access for specific countries in .htaccess file? Hoping you can help me. Thank you very much.
Bridget
Thanks! This was the only solution that worked for me after trying so many
Scotty
Hi, This does work. I checked and am “forbidden” to login on any other computer. I can’t even see the login panel. However, I am still getting about 24 failed log in attempts per day from all different IP addresses. Any ideas how there getting around this? It’s some kind of brute force attack? Thanks, Scott.
WPBeginner Support
Yes quite possibly. Make sure your .htaccess password is a difficult one.
Admin
Scotty
Thanks. Your site has been very helpful. If you have moment maybe you could answer one more question. I followed your tutorials — and they worked. I blocked access to my admin folder with htaccess and added a password on top of that. I tested and even if people were to break the password, which they haven’t, they wouldn’t have access to the folder from any IP address except mine. However, I’m still getting about 12 failed logins per day. Any ideas what is happening and where to go to fix it? I was hacked once, but cleared the files out of my uploads folder.
Scotty
NVM: This page answered my question for now. Great info
https://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
Sehrish
And how to allow access to only wordpress adminitrator ?What code i will write without any ip ? I just need to know a generic function that get admin related info.Becuse i have to restrict my plugin uploads from other user.And Whoever using this plugin i have to get its admin info to restrict contents from other and allow only to admin of website.
Praveen
Many Many thanks sir, I have test this on my localhost system it works very well.
Kim
I tried this (after previously successfully password protecting my wp-admin directory and fixing the redirect error per your other article), but then I get a pop-up asking for a user name and password for the “WordPress Admin Access Control”. What user name and password am I supposed to be using for this new pop-up? Neither the wordpress admin logon nor the wp-admin directory logon work for it.
Thanks!
Kim
Oh, I believe I figured out the problem; seems to work as long as I make sure to have the added code at the very beginning.
Jordyn
I have a big problem
I did what you said about creating the .htaccess and putting in the code snippet. It didn’t work so I deleted the .htaccess file and now I can’t login to my dashboard! It’s just a white screen
Please help!!!
Thanks
Editorial Staff
That’s a fairly unlikely outcome. You deleted the .htaccess file in your /wp-admin/ folder correct?
Admin
Jordyn
All I did was create the file in my wp-admin folder and when it didn’t work I deleted it from the wp-admin folder. I’m not sure what happened but, after a crazy rabbit trail and many shots in the dark, I was able to correct the problem by adding to the top of my login.php file. I still don’t know what went wrong or why what I did fixed it…. but at least its fixed. I may try this again when I’m feeling brave.
Jordyn
it erased the code snippet
it was supposed to say “…by adding “” to the top…”
Jordyn
less than sign ? ob_start(); ? greater than sign
Peter
First I did not manage to make your password protect work
https://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory
at least this one works.
It is interesting, that I wp-admin page gets into an infinite redirect when I enter a wrong IP address, not my one.
The infinite redirect seems to be hence an authorization problem.
Raheem Khan
Hi WPB, I don’t think it will be working in Pakistan because every time we reset or turn of our DSL modem so the IP address automatically changes. if any other tip please reply me.
Thanks
Editorial Staff
You should look at our tip for password protecting the wp-admin directory.
Admin
awan
yes it can be done on https, it’s just .htaccess
wpbeginnerfan
Can this be done on https sites? I can’t get it to work.
andrew
hi, how to make .htaccess with dynamic ip (non static ip)
my ip is always change xxx.xxx.xxx.12 xxx.xxx.xxx.453 xxx.xxx.xxx.076
please help…
Editorial Staff
Then this solution is not for you.
Admin
Joe
You can harden your wordpress install via .htaccess whitelisting even if you have a dynamic IP address. You can whitelist a range of IP addresses using a /24 or /16 range. While this allows more access than if you always knew the IP you wanted to allow, it still prohibits access from almost the entire internet.
Just add /24 to the end of the allow from line to allow the whole class C subnet (256 IPs), or add /16 to allow the whole 65,536 range. i.e.
allow from xxx.xxx.xxx.0/24
will allow access to IP addresses from xxx.xxx.xxx.0 – xxx.xxx.xxx.255. and
allow from xxx.xxx.0.0/16
will allow access from IP addresses from xxx.xxx.0.0 – xxx.xxx.255.255
Kyle
You say not to do the root site’s .htaccess file…why is that? Because you just want to limit access to the /wp-admin folder?
So…if I wanted to have a WordPress site hosted externally but used as an internal company resource so that only people using IPs of our company could access it…if I edited the root folder’s .htaccess folder to only allow IPs from our domain…that would work the same way your /wp-admin fix is, but for the entire site, correct?
Editorial Staff
Yes Kyle, the reason why we said do not put this code in the root file because then it will limit your site access to only these IP as well. But if you are trying to make a site just for your company’s staff can access it only from work, then you would want to put the .htaccess file in the root folder.
Admin
Kyle
Fantastic…thank you for the quick reply!
Bill
Why just limit GETs? You might want to limit POSTs as well!
Darrin
Nice tip. I will be doing this.
Alim Bolar
Can I limit access based on other criterias? Like I need only my laptop to access a particular folder.. I could access it from anywhere so it would be difficult to specify an IP as my internet access would be based on DHCP. Is there a unique identifier for every machine or something like that that can be used as a criteria?