Access to the WordPress Admin section is pivotal, but it should be restricted to unauthorized individuals, and using an IP address is a great way. There are several causes eradicated by blocking access via IP address, and we’ll mention them shortly. For now, know it is crucial from a security standpoint and will instill a sense of reliability and professionalism in your visitors. Plus, it will save you a lot of time-fighting bots and malicious individuals or comments from unwanted users or the public. We also propose protecting the Admin folder in WordPress by limiting access to the .htaccess file. Now, let’s show you how to create a WordPress Admin section IP restriction.
Reasons to add restrictions to IP addresses for WordPress admin
As you may know, an IP address corresponds to a unique device on the public or local network. Therefore, by stopping access, the user, real or programmed, cannot visit your WordPress admin sections unless they change the device or use a service such as a proxy or a VPN (a virtual private network). However, only the most persistent real users (hackers, spammers, those with a vendetta against you) would go to that length. Bots, crawlers, and other programmed shady tools and applications won’t. In both cases, you should also employ a security plugin for WordPress to increase the protection level. With that said, here’s why you should restrict an IP address in WordPress:
1. Stopping bots
Whether you have a rival who wants to take you down, a group of hackers that target your niche, or a random bot group that stumbled upon your website, the consequences can be serious. Detecting the IP address of the bots’ origin and blocking it from reaching your website can save you plenty of time and effort.
2. Preventing spam
Spam is one of the biggest troubles of the modern world since it’s easy to facilitate. If your site gets spammed, and you want to keep comments open to let genuine visitors can interact, tracking down IP addresses and forbidding them access is crucial. You prevent looking unprofessional and having to moderate the comment section. Plus, you keep your SEO (Search Engine Optimization) optimal. Additionally, you can keep your website safe from keyword spamming, brute force attacks, pharma hacking, and all kinds of injections, including SQL. Finally, you stop your precious visitors from falling for scams.
3. Blocking hackers
Hackers always seem like a distant threat until they target you, regardless of how that occurs. We already talked about finding and fixing a backdoor in WordPress. Though that isn’t a guarantee, combined with IP address blocking, it reduces the chance of DDoS (Distributed Denial of Service) and brute force attacks, the two primary sources of hacking endeavors.
4. Stopping unsanctioned users
A disgruntled former employee, an upset rival, or a group of tech-savvy people with a vendetta against your website can wreak havoc in a variety of ways. Though it’s unlikely the IP ban will stop them, the process will undoubtedly annoy them. That forces them to seek alternative ways to gain access. Once those are spotted, the owner can also double down and block the second set of IP addresses.
1. Block an IP address from gaining access via the .htaccess file in the “wp-admin” folder
Before we explain this method, we want to remind you that workarounds exist. As mentioned in the beginning, you can password protect the /wp-admin/ directory in the root folder of your website. In other words, you can turn on HTTP authentication with the .htaccess file inside that folder.
With that in mind, we’ll now point you to our “block IP address using .htaccess” guide. The process is identical, but the application is a tad different. First, you must go to the root/wp-admin/.htaccess file, not the one in the root folder like in the guide. Secondly, after right-clicking the file and selecting View/Edit, you shouldn’t include “allow from all” at the end. With that said, create a copy (name it .htaccess-old or download it), the file would look like this:
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName “WordPress Admin Access Control” AuthType Basic <LIMIT GET> order deny,allow deny from all # whitelist (permit someone’s address, such as trusted admin) allow from xx.xx.xx.xxx # whitelist a second IP address allow from xx.xx.xx.xxx </LIMIT>
That would block all IP addresses but the admins and is the safest and most efficient way. You can also allow or block a range of IP addresses by using a shortened IP. In that case, only those whose first part matches will be allowed access, ideal for admins with dynamic IP addresses in a certain country. Three examples are
allow from xx.xx.xx and
deny from xx.xx and
allow from abc.de.fg.hi
Note. Advanced users can also look into editing the wp-login.php and wp-admin/admin-ajax.php files to up the ante on the protection of their websites through extra IP address blocking.
2. Use a WordPress plugin to create an Admin section IP restriction rule
Many users are uncomfortable editing important files such as the aforementioned one. Others seek extra protection without knowing editing the other .php files. In both cases, you can create an IP address restriction for WordPress Admin via plugins. Two choices include Secure Admin IP by Michal Novák or WP-Ban by Lester ‘GaMerZ’ Chan. We’re unaffiliated with either, but we’ll demonstrate the former:
- Install the WordPress plugin we mentioned first.
- Activate it, then expand the left sidebar on the left side and find Secure Admin IP.
- Go to the Options page → Settings page.
- Add an IP address under “whitelisted IP address” All addresses except those will be denied access. You can separate them however you like, and add commas, new rows, or dashes. As long as the IP address or the range is valid, the plugin will recognize it.
- Click the Save Changes button.
Additionally, for protection or troubleshooting, you may want to avoid using the default whitelist. If so, generate a new file in JSON format (.txt works well) and upload it to your server. Add IP addresses or ranges in this format:
Save the file, then point the plugin to the correct data path under “External whitelist URL” before clicking Save Changes.