Are you looking for a guide to learn how to restrict WordPress admin access by IP address?
I’m excited to teach you how to make it happen as a WP web developer (with 15+ years of experience).
You might ask yourself, WHY would I ever restrict it? I’ve never had any problems with hacks so I am sure my website is safe.
I feel you because I thought the same when I first started in the WordPress space.
But is it really?
This post covers:
- Why is restricting WordPress admin important?
- How to restrict WordPress admin by IP
- How to find IP
- Using login IP & country restriction WordPress plugin
- Limit IP access by country
Why Is Restricting WordPress Admin Important?
When I was developing WordPress themes for PremiumCoding, the DDoS attacks were common and we even had a hack through the WordPress login form.
While the situation improved in the years with better security in WordPress, themes, and plugins, it still DOESN’T hurt to add that extra layer of security.
Just so you’ll sleep better and not worry about hackers trying to bring down your WordPress website.
Which, by the way, sucks big times in case it happens.
And hacks can be very damaging even if you don’t have an eCommerce website.
Hacks can destroy your online business
Intruders can steal your data or distribute malware and phishing scripts to your website which will then take advantage of your visitors.
Attention: Your domain can even get blacklisted because of that!
And that can destroy your website’s reputation and plunges your organic visits down to ABSOLUTE zero.
If your team is not big, the easiest thing you can do is simply restrict the access by IP addresses.
This allows only your writing team members to login into your WordPress administration panel (and make backend changes they want).
Even if a hacker knows your username and password, there is no way he can hack the website.
They will get the error message: “Forbidden. You don’t have permission to access this resource.”
How To Restrict WordPress Admin By IP
You will HAVE to gather all the IP addresses of your writers, employees, and anyone else that needs access to the administration panel of your website.
The only problem you might run into is if one of them has a dynamic IP.
Or if he/she moves a lot as you would have to change the IP address each time.
How to find IP
They can learn their IP by simply writing into Google search: “What is my IP”.
You can limit IP access by editing the .htaccess file on your website. (Ensure you first make a backup in case you do any edits. We have a full list of the best free WordPress backup plugins to make it happen safely.)
But, you need an FTP client for that, and editing this important file can sometimes lead to SERIOUS issues (if you aren’t 100% sure what you’re doing).
That’s why I recommend using a plugin for this task.
It’s much easier and safer.
Plus, very beginner-friendly.
Install and activate Login IP & Country Restriction plugin.
Please refer to our tutorial if you are not yet familiar with WordPress plugin installation.
Using Login IP & Country Restriction WordPress plugin
After you successfully install and activate the plugin go to its settings.
You will notice that you can limit the IP by country, too.
For instance, we had a lot of attacks from India (on PremiumCoding) at one point, so we just restricted all visitors from there to prevent further attacks.
To restrict certain IP addresses click on the IP restriction tab.
You will notice that you have two options.
You can either ALLOW specific IPs or BLOCK them.
Both options can be useful if you know how to use them. (It’s easy!)
To restrict every IP address, but the select few, simply add all your team members’ IPs to the Allow specific IPs field.
On the other hand, if you are only having issues with a few ANNOYING hackers and you can see their IPs, you can block them here.
Limit IP access by country
Restricting by country can be useful if you see attacks only from specific parts of the world.
Or if you have a local business, you can block the rest of the world as you don’t really need visits from there.
If that is the case it’s much faster to disable certain countries and forget about suspicious activity altogether.
AND you’re done.
Your website is now much safer and you don’t have to worry about hackers trying to get through your WordPress administration login.