
Protect Your Admin folder in WordPress by Limiting Access in .htaccess

Last updated on June 21st, 2012 by Editorial Staff

As we mentioned, while we were using WordPress 2.8.3 our site was attacked in an attempt to hack into our wp-admin folder. Thankfully, WordPress found the bug and released a security patch in WordPress 2.8.4, but this attack made us take extra security measures with our site. We have limited access to our wp-admin folder by using .htaccess and allowing only specific IPs to access it. Previously, some hacker kept resetting our password, and that was because they could see our wp-admin folder and the login bar. Now no one but WPBeginner Editors can see our admin panel. In this article, we will show you how you can limit wp-admin folder access by IP address using the .htaccess file.

First, open the .htaccess file located in your /wp-admin/ folder and make a backup of it.

Note: Do not edit your root .htaccess file, and don't paste this code in there. It must be /wp-admin/.htaccess. If you don't see that file, create a blank file named .htaccess in your wp-admin folder.

Then paste the following code:

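AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# No <Limit> wrapper: the rules below then apply to every HTTP method.
# Inside <Limit GET> they would cover GET (and HEAD) requests only and
# leave POST requests open to all IPs.
# Deny everyone by default, then allow only the listed addresses.
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx
# whitelist Amanda's IP address
allow from xx.xx.xx.xxx
# whitelist Muhammad's IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx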

Replace xx.xx.xx.xxx with your IP address and upload the file.

If you connect from more than one IP, make sure you list them all, for example Work, Home, and a Vacation IP if you ever use one. Each time you want to visit your wp-admin panel from another location, you will have to add an extra IP address. That is the only downside to this hack, but it will keep your wp-admin folder safe.
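
An added example, not part of the original article: the same wp-admin allowlist written for Apache 2.4, where Require ip replaces order/deny/allow, with the 2.2 form kept as a fallback for older servers. The addresses are documentation placeholders (assumptions), and the admin-ajax.php exception is an assumption that your theme or plugins call that file from public pages; leave it out otherwise.

```apache
# /wp-admin/.htaccess  (added example; placeholder addresses, replace with your own)
# No Auth* directives are needed for a pure IP allowlist, and no <Limit>
# wrapper is used, so the rules apply to GET, POST and every other method.

<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    <RequireAny>
        # Single office address (placeholder from the 203.0.113.0/24 documentation range)
        Require ip 203.0.113.10
        # Whole /24 for a connection whose address changes within one block (placeholder)
        Require ip 198.51.100.0/24
    </RequireAny>

    # Optional: front-end AJAX posts to wp-admin/admin-ajax.php.
    # A <Files> section is merged after the directory rules, so this
    # re-opens that one file to all visitors and nothing else.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2 fallback (same policy, older syntax)
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24

    <Files "admin-ajax.php">
        Order allow,deny
        Allow from all
    </Files>
</IfModule>
```

After uploading, request /wp-admin/ from an address that is not listed and confirm the server answers 403 Forbidden for both a GET and a POST.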


40 Comments

  1. Mukund says:
    Apr 15, 2020 at 4:08 am

    How to find my ip address for hiding wp-admin folder?

    Reply
    • WPBeginner Support says:
      Apr 15, 2020 at 9:31 am

      There are multiple methods to find your IP, one of the simple ones would be to use a site like supportally.com

      Reply
  2. Chris says:
    Dec 9, 2018 at 9:40 am

    You have to enable
    module authz_groupfile
    “sudo a2enmod authz_groupfile”
    and restart apache

    Reply
  3. Rajat Shankhdhar says:
    Jun 18, 2018 at 1:41 pm

    Not working for me. The code restricts access to admin even though I put the IP in the whitelist.

    Reply
  4. Rostyslav says:
    Jan 11, 2018 at 12:38 pm

    After this line, you must put a condition for permission to allow php files to prevent conflicts:

    allow from all

    Reply
  5. Solace says:
    Nov 25, 2017 at 5:37 am

    I tried the .htaccess password protection method.

    It works, but I tried it on a site with Woocommerce, but then my customers weren’t able to log in.

    Just saying that because it seems no one has mentioned that it doesn’t work with sites that need customers to log in!

    Reply
  6. Miguel says:
    Jul 22, 2017 at 10:58 pm

    Hello, thank you for the tutorial. Unfortunately, I have not been able to get this .htaccess file to work correctly because it is denying access to the only IP address I included, my own… I am certain I copied your code exactly and I typed my IP correctly. The .htaccess file was saved under: /wp-admin/.htaccess

    Am I missing something? Thanks

    Reply
    • Miguel says:
      Jul 22, 2017 at 11:00 pm

      I must add that I am working on a localhost installation.

      Reply
    • WPBeginner Support says:
      Jul 23, 2017 at 7:49 pm

      Hi Miguel,

      Instead of your IP address, try adding 127.0.0.1

      That’s your localhost IP address. If adding the IP alone doesn’t work, then add the following line before the above code:

      Require local

      Reply
  7. Pankaj Murthalia says:
    Mar 16, 2017 at 1:48 am

    how to block the access to wp admin???

    Reply
  8. Emaan Ali says:
    Oct 11, 2016 at 3:38 am

    Hi Guys,

    I have blocked wp-admin with .htaccess as mentioned in this article. But I am having one problem: my admin-ajax file is also being restricted on the public site.

    My WordPress theme uses much of the admin-ajax functionality, and I have put the IP access limitation on the wp-admin folder, so it’s not accessible for all IPs.

    Has anyone found a solution for this? If so, please share.

    Thanks in advance
    Emaan

    Reply
  9. Len says:
    Jan 30, 2016 at 10:13 am

    Hi, This seems really a helpful one. Maybe you could help me. Instead of whitelisting an IP can we allow access for specific countries in .htaccess file? Hoping you can help me. Thank you very much.

    Reply
  10. Bridget says:
    Dec 20, 2015 at 8:51 pm

    Thanks! This was the only solution that worked for me after trying so many :)

    Reply
  11. Scotty says:
    Nov 29, 2015 at 12:49 pm

    Hi, this does work. I checked and am “forbidden” to log in on any other computer. I can’t even see the login panel. However, I am still getting about 24 failed login attempts per day from all different IP addresses. Any ideas how they’re getting around this? Is it some kind of brute force attack? Thanks, Scott.

    Reply
    • WPBeginner Support says:
      Nov 29, 2015 at 1:13 pm

      Yes quite possibly. Make sure your .htaccess password is a difficult one.

      Reply
      • Scotty says:
        Dec 1, 2015 at 12:24 pm

        Thanks. Your site has been very helpful. If you have a moment, maybe you could answer one more question. I followed your tutorials — and they worked. I blocked access to my admin folder with htaccess and added a password on top of that. I tested, and even if people were to break the password, which they haven’t, they wouldn’t have access to the folder from any IP address except mine. However, I’m still getting about 12 failed logins per day. Any ideas what is happening and where to go to fix it? I was hacked once, but cleared the files out of my uploads folder.

        Reply
      • Scotty says:
        Dec 1, 2015 at 1:06 pm

        NVM: This page answered my question for now. Great info
        https://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/

        Reply
  12. Sehrish says:
    Sep 10, 2015 at 7:24 am

    And how to allow access to only the WordPress administrator? What code will I write without any IP? I just need to know a generic function that gets admin-related info. Because I have to restrict my plugin uploads from other users. And whoever is using this plugin, I have to get its admin info to restrict contents from others and allow only the admin of the website.

    Reply
  13. Praveen says:
    Sep 16, 2014 at 7:02 am

    Many, many thanks sir, I have tested this on my localhost system and it works very well.

    Reply
  14. Kim says:
    Apr 9, 2013 at 6:14 pm

    I tried this (after previously successfully password protecting my wp-admin directory and fixing the redirect error per your other article), but then I get a pop-up asking for a user name and password for the “WordPress Admin Access Control”. What user name and password am I supposed to be using for this new pop-up? Neither the wordpress admin logon nor the wp-admin directory logon work for it.
    Thanks!

    Reply
    • Kim says:
      Apr 9, 2013 at 10:33 pm

      Oh, I believe I figured out the problem; seems to work as long as I make sure to have the added code at the very beginning.

      Reply
  15. Jordyn says:
    Aug 21, 2012 at 3:49 pm

    I have a big problem :(

    I did what you said about creating the .htaccess and putting in the code snippet. It didn’t work so I deleted the .htaccess file and now I can’t login to my dashboard! It’s just a white screen :( Please help!!!

    Thanks

    Reply
    • Editorial Staff says:
      Aug 22, 2012 at 10:46 am

      That’s a fairly unlikely outcome. You deleted the .htaccess file in your /wp-admin/ folder correct?

      Reply
      • Jordyn says:
        Aug 27, 2012 at 11:04 pm

        All I did was create the file in my wp-admin folder and when it didn’t work I deleted it from the wp-admin folder. I’m not sure what happened but, after a crazy rabbit trail and many shots in the dark, I was able to correct the problem by adding to the top of my login.php file. I still don’t know what went wrong or why what I did fixed it…. but at least it’s fixed. I may try this again when I’m feeling brave.

        Reply
        • Jordyn says:
          Aug 27, 2012 at 11:06 pm

          it erased the code snippet :( it was supposed to say “…by adding “” to the top…”

        • Jordyn says:
          Aug 27, 2012 at 11:07 pm

          less than sign ? ob_start(); ? greater than sign

  16. Peter says:
    Aug 5, 2012 at 3:36 am

    First I did not manage to make your password protect work

    https://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory

    at least this one works.

    It is interesting that the wp-admin page gets into an infinite redirect when I enter a wrong IP address, not my own.
    The infinite redirect seems to be hence an authorization problem.

    Reply
  17. Raheem Khan says:
    Jul 31, 2012 at 4:46 pm

    Hi WPB, I don’t think it will work in Pakistan, because every time we reset or turn off our DSL modem the IP address automatically changes. If there is any other tip, please reply to me.
    Thanks

    Reply
    • Editorial Staff says:
      Jul 31, 2012 at 9:06 pm

      You should look at our tip for password protecting the wp-admin directory.

      Reply
  18. awan says:
    Oct 14, 2011 at 2:45 am

    yes it can be done on https, it’s just .htaccess

    Reply
  19. wpbeginnerfan says:
    Oct 12, 2011 at 1:31 pm

    Can this be done on https sites? I can’t get it to work.

    Reply
  20. andrew says:
    May 26, 2010 at 11:36 am

    Hi, how to make .htaccess work with a dynamic IP (non-static IP)?
    My IP is always changing: xxx.xxx.xxx.12 xxx.xxx.xxx.453 xxx.xxx.xxx.076

    please help…

    Reply
    • Editorial Staff says:
      May 26, 2010 at 11:01 pm

      Then this solution is not for you.

      Reply
      • Joe says:
        Feb 4, 2014 at 2:10 pm

        You can harden your WordPress install via .htaccess whitelisting even if you have a dynamic IP address. You can whitelist a range of IP addresses using a /24 or /16 range. While this allows more access than if you always knew the IP you wanted to allow, it still prohibits access from almost the entire internet.

        Just add /24 to the end of the allow from line to allow the whole class C subnet (256 IPs), or add /16 to allow the whole 65,536 range. i.e.

        allow from xxx.xxx.xxx.0/24

        will allow access to IP addresses from xxx.xxx.xxx.0 – xxx.xxx.xxx.255. and

        allow from xxx.xxx.0.0/16

        will allow access from IP addresses from xxx.xxx.0.0 – xxx.xxx.255.255

        Reply
  21. Kyle says:
    Sep 21, 2009 at 11:23 am

    You say not to do the root site’s .htaccess file…why is that? Because you just want to limit access to the /wp-admin folder?

    So…if I wanted to have a WordPress site hosted externally but used as an internal company resource so that only people using IPs of our company could access it…if I edited the root folder’s .htaccess folder to only allow IPs from our domain…that would work the same way your /wp-admin fix is, but for the entire site, correct?

    Reply
    • Editorial Staff says:
      Sep 21, 2009 at 11:28 am

      Yes Kyle, the reason we said not to put this code in the root file is that it would then limit access to your whole site to only these IPs as well. But if you are trying to make a site that only your company’s staff can access from work, then you would want to put the .htaccess file in the root folder.

      Reply
      • Kyle says:
        Sep 21, 2009 at 11:45 am

        Fantastic…thank you for the quick reply! :D

        Reply
  22. Bill says:
    Sep 4, 2009 at 10:27 pm

    Why just limit GETs? You might want to limit POSTs as well!

    Reply
  23. Darrin says:
    Aug 17, 2009 at 9:45 am

    Nice tip. I will be doing this.

    Reply
    • Alim Bolar says:
      Aug 21, 2009 at 11:05 pm

      Can I limit access based on other criteria? Like I need only my laptop to access a particular folder.. I could access it from anywhere, so it would be difficult to specify an IP as my internet access would be based on DHCP. Is there a unique identifier for every machine or something like that that can be used as a criterion?

      Reply
