How to Restrict WordPress Admin Access by IP Address (In-depth Security Guide)

As an experienced webmaster, I highly recommend restricting WordPress admin access by IP address. It adds a critical layer of security that can protect your site from the serious damage hackers can cause.

In this comprehensive guide, I'll explain in-depth how IP banning works, why it's important for securing WordPress, and walk you through exactly how to set it up step-by-step.

The Dangers of a WordPress Hack

With over 43% market share, WordPress is the world's most popular CMS. Unfortunately, this high usage also makes WordPress a major target for hackers.

WordPress sites get attacked over 390,000 times per day on average! Once hacked, attackers can do serious damage:

  • Steal user data like emails and passwords
  • Inject malware to infect your site visitors
  • Delete all site content and databases
  • Use your site for phishing scams
  • Launch distributed denial of service (DDoS) attacks on other sites
  • Get your site blacklisted by Google for distributing spam or malware

The financial and reputational damages can be immense. So securing WordPress should be priority one as an admin.

Why Restrict WordPress Admin by IP Address?

The WordPress core software itself is very secure when kept updated. However, the weak point is often privileged administrator accounts.

If a hacker can guess or phish an admin username and password, they gain full access to the site.

Restricting WordPress login access to only your IP address can prevent 99% of unauthorized logins.

Hackers typically attack from random IP addresses worldwide. If you limit access to just your office and home IPs, hackers won't be able to get in even with a valid password.

How IP Banning for WordPress Admin Works

When you try to access the /wp-admin/ area of a WordPress site, the web server checks your current IP address against a set of access rules defined in .htaccess.

This is the same .htaccess file you may use to customize other aspects of the site.

If your IP is allowed by the rules, you are granted access. If not, you are denied access with a 403 forbidden error.

So by defining a whitelist of approved IP addresses, you can restrict the /wp-admin/ login page and dashboard.

Step-by-Step Guide to Restrict WordPress Admin by IP

Restricting admin access by IP is straightforward for those comfortable editing website files. Just follow these steps:

1. Find Your Admin IP Addresses

First, make a list of the public IP addresses used by all WordPress admins that need access.

Visit WhatIsMyIPAddress.com to find your current public IP. Make sure to check and note down the IP from each location you access the site from.

2. Edit /wp-admin/.htaccess File

Using an FTP client or file manager, edit the .htaccess file located in the /wp-admin/ folder.

If it doesn't exist, create a new .htaccess file in that directory.

Caution: Only edit the /wp-admin/.htaccess file, not root .htaccess. Modifying root .htaccess can block the public site.

3. Add IP Access Control Rules

Add the following rules to .htaccess, replacing the example IPs with your actual admin IPs:

# Apache 2.2-style access rules (on Apache 2.4 they need mod_access_compat,
# or can be expressed as "Require ip ..." instead).
# They cover only files under /wp-admin/; wp-login.php lives in the site root.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Admin Access Control"
AuthType Basic

# No <Limit GET> wrapper: that would restrict GET only and leave POST
# and other methods to /wp-admin/ unrestricted.
order deny,allow
deny from all

# Replace these RFC 5737 documentation addresses with your real admin IPs.
allow from 192.0.2.10
allow from 198.51.100.20
allow from 203.0.113.30

This will:

  • Deny all IP addresses by default
  • But allow the listed IP addresses to access /wp-admin/

4. Save Changes

Save your changes to .htaccess. Now when you or other admins visit /wp-admin/, your IP will be granted access while all other IPs are blocked.

Adding or Changing Allowed Admin IPs

If an admin accesses the site from a new location and gets blocked, you'll need to add their new IP address to the allowed list.

Simply open /wp-admin/.htaccess again and add a new "allow from IP_ADDRESS" rule with their latest IP.

Similarly, if an existing admin's IP address changes, update the rule with their new IP.

This gives you flexibility to securely manage admin access as IPs change.
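Because a single malformed address (such as an octet above 255) or a wrong Order line in /wp-admin/.htaccess locks every admin out, it helps to check the file offline before uploading it. The following script is an added example, not code from the original post: it uses only the Python standard library, parses the allow/deny rules from step 3, reports addresses Apache would reject, and simulates Apache's Order deny,allow (and allow,deny) evaluation for a given client IP. Re-run it each time you add or change an allowed IP as described above. The sample rule set is constructed and deliberately contains one invalid address.

```python
import ipaddress
import re

# Constructed sample mirroring the rules from step 3; the last address is
# deliberately malformed (octets above 255) to show what the validator reports.
SAMPLE_HTACCESS = """
AuthName "Admin Access Control"
AuthType Basic
order deny,allow
deny from all
allow from 203.0.113.10
allow from 198.51.100.0/24
allow from 345.345.345.345
"""

RULE_RE = re.compile(r"^\s*(allow|deny)\s+from\s+(\S+)\s*$", re.IGNORECASE)

def parse_rules(text):
    """Return (order, deny_list, allow_list, errors); entries are 'all' or an ip_network."""
    order, deny, allow, errors = "deny,allow", [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip().lower().startswith("order "):
            order = line.split(None, 1)[1].replace(" ", "").lower()
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # Auth* lines, comments and blanks play no part in IP filtering
        verb, host = m.group(1).lower(), m.group(2)
        if host.lower() == "all":
            entry = "all"
        else:
            try:  # accepts single IPs and CIDR ranges; anything else is reported
                entry = ipaddress.ip_network(host, strict=False)
            except ValueError:
                errors.append(f"line {lineno}: invalid address {host!r}")
                continue
        (allow if verb == "allow" else deny).append(entry)
    return order, deny, allow, errors

def _matches(entries, ip):
    return any(e == "all" or ip in e for e in entries)

def is_allowed(text, client_ip):
    """Order deny,allow: denied only if a Deny matches and no Allow does.
    Order allow,deny: must match an Allow and no Deny.
    Unmatched requests fall back to that order's default (allowed / denied)."""
    order, deny, allow, _ = parse_rules(text)
    ip = ipaddress.ip_address(client_ip)
    denied, allowed = _matches(deny, ip), _matches(allow, ip)
    return (allowed or not denied) if order == "deny,allow" else (allowed and not denied)
```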

Extending Protection with Login LockDown

The Login LockDown plugin for WordPress offers extended login security on top of IP banning.

Key features include:

  • Automatic lockout after a set number of failed login attempts
  • Temporarily blacklist IP addresses with repeated failed logins
  • Require two-factor authentication for admin logins
  • Monitor login activity and alert on suspicious behavior

Used together, Login LockDown and IP banning provide robust security for your admin logins.

Conclusion

Restricting WordPress admin access by IP address takes just minutes to set up but provides immense security benefits.

It protects your admin login even if a hacker has valid usernames and passwords. By only allowing your known IP addresses, you eliminate nearly all unauthorized login attempts.

Combined with other security practices like strong passwords, auto updates, and the Login LockDown plugin, IP banning can help keep your WordPress site locked down.

As an experienced webmaster, I highly recommend making it part of your overall WordPress security strategy. Please let me know in the comments if you have any other questions!

Written by Jason Striegel

C/C++, Java, Python, Linux developer for 18 years and A-Tech enthusiast who loves to share useful tech hacks.