It's important that you make your WordPress admin area as secure as possible to keep out unwanted visitors. The code snippet in this article shows you how you can block access to your WordPress login area by IP address using htaccess.

Why bother restricting access by IP?

In a recent article, 'Protecting your email account from being hacked', we looked at how brute force can be used to essentially 'guess' your password; here's a snippet:

One of the most common methods of password cracking is what's known in cryptography as 'brute force', which basically involves a computer (or several) rapidly making multiple attempts to essentially 'guess' your password. Sounds unlikely, right? You'd be surprised. With modern-day computing power this method can actually be highly effective. In a recent experiment by Ars Technica, 14,800 out of 16,449 passwords of up to 16 characters in length, with mixed letters and numbers, were cracked in hours. Over 10,000 passwords were cracked in the first 16 minutes. Is your password more complicated than 'qeadzcwrsfxv1331'?

By locking your admin area down to your own IP address, you block any other person or server from making login attempts at all, which stops brute force attacks against the login form before they start.

Block access to wp-admin using htaccess

To block access to the WordPress admin login area using htaccess, simply add the following code above the line that reads '# BEGIN WordPress' inside the .htaccess file found in the root of your website:

<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login page and the admin area (with or without the trailing slash
# that WordPress adds when redirecting /wp-admin to /wp-admin/)
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin/?$
# ...but only when the request does not come from your own IP address
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
# Send everyone else to the home page instead
RewriteRule . /index.php [L]
</IfModule>

You can obtain your IP address by typing 'What's my IP' into Google.

Adding the above code will send anyone not on that specific IP address back to the home page. If you'd prefer to just display a 'Forbidden' error, then you could replace the RewriteRule line with the following:

RewriteRule ^(.*)$ - [R=403,L]
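Before relying on the ruleset, it is worth checking exactly which requests it catches. The following is an added Python model of the conditions above (not code from the article): it applies the same regular expressions to sample requests, accepts the trailing slash WordPress adds to /wp-admin/, and generalises the single allowed address to a list of networks so a whole office range can be allowed. The sample addresses and the office range are constructed values.

```python
import ipaddress
import re

# Patterns from the .htaccess rules (Python re and PCRE agree for these).
# The wp-admin pattern ends in '/?$' so /wp-admin and /wp-admin/ both match,
# while deeper paths such as /wp-admin/admin-ajax.php (used by front-end
# features for ordinary visitors) are deliberately left alone.
LOGIN_RE = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_RE = re.compile(r"^(.*)?wp-admin/?$")

# Allowed sources: the article's single address plus a constructed office range.
# Note that REMOTE_ADDR is whatever Apache sees; behind a proxy or CDN that is
# the proxy's address, not the visitor's.
ALLOWED = [ipaddress.ip_network(n) for n in ("123.123.123.123/32", "198.51.100.0/24")]


def is_admin_request(request_uri: str) -> bool:
    """Mirror the two REQUEST_URI conditions joined by [OR]."""
    return bool(LOGIN_RE.match(request_uri) or ADMIN_RE.match(request_uri))


def is_allowed(remote_addr: str) -> bool:
    """Mirror 'RewriteCond %{REMOTE_ADDR} !^...$', widened to a list of networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED)


def decide(request_uri: str, remote_addr: str) -> str:
    """Outcome for one request: 'rewrite' (served /index.php) or 'pass'."""
    if is_admin_request(request_uri) and not is_allowed(remote_addr):
        return "rewrite"
    return "pass"


# Constructed sample requests as (REQUEST_URI, REMOTE_ADDR); REQUEST_URI in
# Apache carries no query string, so none is included here.
SAMPLE_REQUESTS = [
    ("/wp-login.php", "203.0.113.7"),            # outsider hitting the login form
    ("/wp-login.php", "123.123.123.123"),        # the article's own address
    ("/wp-admin/", "203.0.113.7"),               # outsider, trailing-slash form
    ("/wp-admin", "198.51.100.42"),              # inside the allowed office range
    ("/wp-admin/admin-ajax.php", "203.0.113.7"), # front-end AJAX, intentionally not matched
    ("/2013/05/some-post/", "203.0.113.7"),      # ordinary public page
]


def run_samples() -> dict:
    """Map each sample request to the ruleset's outcome."""
    return {f"{uri} from {ip}": decide(uri, ip) for uri, ip in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for request, outcome in run_samples().items():
        print(f"{outcome:8} {request}")
```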

Limit login attempts to WordPress

Another good approach to making your login area more secure and protecting against brute force attacks is to install a plugin that limits the number of login attempts that can be made before the user is locked out of the system for several minutes (thus significantly limiting the number of guesses an attacker can make). A popular, simple plugin for this is 'Limit Login Attempts', available for free.

One thing to keep in mind with this plugin is that it blocks attempts by IP address, so if your site is used by a large office all sharing the same IP address, then failed login attempts from everyone there would be grouped together and could potentially lock everyone out.