Do you want to restrict access to your WordPress admin area for security reasons?
If you have a small team, then one good solution is to restrict access to only those IP addresses used by team members.
In this article, we will show you how to restrict WordPress admin access by IP address.
Why Restrict WordPress Admin Access by IP Address?
If you are running a WordPress website, then you need to take your website’s security seriously. While WordPress core software is very secure, there’s more that you can do to protect yourself from hackers.
Hackers can take down your website and damage your revenue and reputation. They can steal data or even distribute malware to your website visitors and get your domain blacklisted by Google and others.
One smart way to block hackers is by protecting your WordPress admin area from unauthorized access.
If only you or a few trusted users need access to the admin area, then a good way to do that is to limit access to wp-admin to your team’s IP addresses.
Each team member will connect to your website using a specific IP address for each location. If you block access to all other IP addresses, then a hacker won’t be able to gain access to your website even if they have discovered your username and password.
Instead, they will see the error message: ‘Forbidden. You don’t have permission to access this resource.’
Let’s take a look at how to restrict WordPress admin access by IP address.
How to Restrict WordPress Admin Access by IP Address
The first thing you need to do is make a list of the IP addresses used by everyone who needs to log in to your WordPress website. If someone works from several locations, then you will need to collect the IP address for each one.
They can learn their IP address by visiting a site like SupportAlly.
Once you have made your list, then you will need to edit a file on your website. You’ll have to use an FTP client or your hosting provider’s file manager app. If you haven’t used FTP before, then you may want to see our guide on how to use FTP to upload files to WordPress.
You will need to use the software to navigate to your website’s /wp-admin/ folder. Once there, you should look for the .htaccess file. This is a hidden file, so if you can’t see it, then you may need to enable the show hidden files option in your software.
If that file doesn’t exist in the folder, then you should create a new file and save it with the name .htaccess in your
Warning: Do not edit your root .htaccess file, or you will lock visitors out of your website’s front end! Make sure you are editing
You should first download a copy of the file to your computer as a backup. Once you’ve done that, you will need to edit .htaccess and paste the following code:
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "WordPress Admin Access Control"
    AuthType Basic
    # No <LIMIT GET> wrapper: inside one, the rules below would apply only to
    # GET requests and leave POST requests to wp-admin unrestricted
    order deny,allow
    deny from all
    # whitelist Syed's IP address
    allow from xx.xx.xx.xxx
    # whitelist David's IP address
    allow from xx.xx.xx.xxx
    # whitelist Amanda's IP address
    allow from xx.xx.xx.xxx
    # whitelist Muhammad's IP address
    allow from xx.xx.xx.xxx
    # whitelist Work IP address
    allow from xx.xx.xx.xxx
Go ahead and edit the file to match the names of your own team members, and then paste in the IP addresses you collected earlier to replace where it says
Once you save the file, only those IP addresses will be able to access WordPress admin.
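The following is an added example, not code from the original article: a short Python script that builds the wp-admin .htaccess from a name-to-address list, rejects malformed entries before they reach the server, and writes the rules in both the Apache 2.4 Require ip syntax and the older order/allow syntax. The addresses are constructed documentation-range values, and normalize and build_htaccess are hypothetical helper names.

```python
import ipaddress

# Constructed sample allowlist: documentation-range addresses, not real ones.
TEAM = {
    "Syed": "203.0.113.10",
    "Work": "198.51.100.0/24",
    "Amanda": "2001:db8::25",
}

def normalize(name, addr):
    """Validate one entry; raise ValueError on anything Apache should not see."""
    # strict=True rejects typos, a leftover xx.xx.xx.xxx, and CIDR host bits.
    net = ipaddress.ip_network(addr.strip(), strict=True)
    if net.prefixlen == 0:
        raise ValueError(f"{name}: {addr} would allow every address")
    label = " ".join(name.split())  # keep the comment on a single line
    host = net.num_addresses == 1
    return label, str(net.network_address) if host else str(net)

def build_htaccess(team):
    """Return the text of wp-admin/.htaccess for a {name: address} mapping."""
    entries = [normalize(n, a) for n, a in team.items()]
    if not entries:
        raise ValueError("an empty allowlist would lock everyone out")
    out = ["# Apache 2.4+ (mod_authz_core): applies to every HTTP method",
           "<IfModule mod_authz_core.c>"]
    for label, addr in entries:
        out += [f"    # allow {label}", f"    Require ip {addr}"]
    out += ["</IfModule>",
            "# Apache 2.2 fallback, same rules in the older syntax",
            "<IfModule !mod_authz_core.c>",
            "    Order deny,allow",
            "    Deny from all"]
    for label, addr in entries:
        out += [f"    # allow {label}", f"    Allow from {addr}"]
    out.append("</IfModule>")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_htaccess(TEAM), end="")
```

Running the script prints the file contents to paste into /wp-admin/.htaccess. A mistyped address stops the script with an error instead of producing a file that locks the whole team out.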
Remember that if your IP address changes or you try to access your website from a new location, then you will be locked out of your WordPress admin area. You will need to add your new IP address to the
We hope this tutorial helped you learn how to restrict WordPress admin access by IP address. You may also want to learn how to get a free SSL certificate for your website or check out our list of the must-have plugins to grow your site.