Are you looking for a guide to learn how to restrict WordPress admin access by IP address?
I’m excited to teach you how to make it happen as a WP web developer (with 15+ years of experience).
You might ask yourself, WHY would I ever restrict it? I’ve never had any problems with hacks so I am sure my website is safe.
I feel you because I thought the same when I first started in the WordPress space.
But is it really?
This post covers:
- Why is restricting WordPress admin important?
- How to restrict WordPress admin by IP
- How to find IP
- Using login IP & country restriction WordPress plugin
- Limit IP access by country
- FAQs about restricting WordPress admin access
Why Is Restricting WordPress Admin Important?
When I was developing WordPress themes for PremiumCoding, the DDoS attacks were common and we even had a hack through the WordPress login form.
While the situation improved in the years with better security in WordPress, themes, and plugins, it still DOESN’T hurt to add that extra layer of security.
Just so you’ll sleep better and not worry about hackers trying to bring down your WordPress website.
Which, by the way, sucks big times in case it happens.
And hacks can be very damaging even if you don’t have an eCommerce website.
Hacks can destroy your online business
Intruders can steal your data or distribute malware and phishing scripts to your website which will then take advantage of your visitors.
Attention: Your domain can even get blacklisted because of that!
And that can destroy your website’s reputation and plunges your organic visits down to ABSOLUTE zero.
If your team is not big, the easiest thing you can do is simply restrict the access by IP addresses.
This allows only your writing team members to login into your WordPress administration panel (and make backend changes they want).
Even if a hacker knows your username and password, there is no way he can hack the website.
They will get the error message: “Forbidden. You don’t have permission to access this resource.”
How To Restrict WordPress Admin By IP
You will HAVE to gather all the IP addresses of your writers, employees, and anyone else that needs access to the administration panel of your website.
The only problem you might run into is if one of them has a dynamic IP.
Or if he/she moves a lot as you would have to change the IP address each time.
How to find IP
They can learn their IP by simply writing into Google search: “What is my IP”.
You can limit IP access by editing the .htaccess file on your website. (Ensure you first make a backup in case you do any edits. We have a full list of the best free WordPress backup plugins to make it happen safely.)
But, you need an FTP client for that, and editing this important file can sometimes lead to SERIOUS issues (if you aren’t 100% sure what you’re doing).
That’s why I recommend using a plugin for this task.
It’s much easier and safer.
Plus, very beginner-friendly.
Install and activate Login IP & Country Restriction plugin.
Please refer to our tutorial if you are not yet familiar with WordPress plugin installation.
Using Login IP & Country Restriction WordPress plugin
After you successfully install and activate the plugin go to its settings.
You will notice that you can limit the IP by country, too.
For instance, we had a lot of attacks from India (on PremiumCoding) at one point, so we just restricted all visitors from there to prevent further attacks.
To restrict certain IP addresses click on the IP restriction tab.
You will notice that you have two options.
You can either ALLOW specific IPs or BLOCK them.
Both options can be useful if you know how to use them. (It’s easy!)
To restrict every IP address, but the select few, simply add all your team members’ IPs to the Allow specific IPs field.
On the other hand, if you are only having issues with a few ANNOYING hackers and you can see their IPs, you can block them here.
Limit IP access by country
Restricting by country can be useful if you see attacks only from specific parts of the world.
Or if you have a local business, you can block the rest of the world as you don’t really need visits from there.
If that is the case it’s much faster to disable certain countries and forget about suspicious activity altogether.
AND you’re done.
Your website is now much safer and you don’t have to worry about hackers trying to get through your WordPress administration login.
FAQs About Restricting WordPress Admin Access
What is IP address restriction in WordPress?
IP address restriction allows you to limit access to your WordPress admin area by only allowing specific IP addresses to log in. This enhances security by preventing unauthorized access.
How do I restrict WordPress admin access to specific IP addresses?
You can restrict access by editing the “.htaccess” file in your WordPress directory or using security plugins that offer IP whitelisting features.
Can I restrict admin access without using plugins?
Yes, by editing the “.htaccess” file and adding rules that deny access to the wp-admin directory for all IP addresses except those you specify.
Is it possible to restrict access to multiple IP addresses?
Yes. You can list multiple IP addresses in the “.htaccess” file or in the settings of a security plugin that supports multiple entries.
What if my IP address changes frequently?
If your IP changes often, IP restriction might not be ideal. Alternatively, use two-factor authentication for a similar level of security.
How do I find my IP address to whitelist it?
You can find your IP address by visiting a website like “whatismyip.com” or through your network settings.
What should I do if I get locked out of my WordPress admin?
If locked out, access your website via FTP or your hosting control panel and modify the “.htaccess” file to remove the restrictions or correct the IP address.
Can I restrict access to specific pages in the admin area?
Yes, plugins like Adminimize let you hide menu items and sections for different user roles.
How can I prevent unauthorized login attempts?
Use security plugins like Wordfence or Loginizer to limit login attempts and add CAPTCHA to your login page.