Restrict wp-admin and wp-login by IP in .htaccess

This Q&A explains how to lock down wp-admin and wp-login.php access by specific IP addresses. The conversation walks through editing your WordPress root .htaccess file and adding directives for mod_authz_core or mod_access_compat. You’ll get clear steps to update your file and test the restriction safely.

How do I lock down wp-admin access by IP address?

Here’s a way to restrict access to your wp-admin directory by IP address:

Warning: If these steps are applied incorrectly, you could lock yourself out. Make sure you have FTP access or a backup of your .htaccess file before proceeding.

Method: Using the .htaccess file

This approach requires editing the .htaccess file in your WordPress installation’s root.

  1. Locate the .htaccess file:
    • Connect via FTP or your hosting control panel’s file manager.
    • Look in the same folder as wp-config.php and wp-content.
    • Enable “show hidden files” if you don’t see it, since it starts with a dot.
  2. Edit the .htaccess file:
    • Back up the file before making changes.
    • Add the following snippet before # BEGIN WordPress:
    <IfModule mod_authz_core.c>
      # A bare RequireAny in the root .htaccess applies to every request on the
      # site, not only wp-admin. The <If> (Apache 2.4) limits it to /wp-admin/;
      # adjust the prefix if WordPress is installed in a subdirectory. Note this
      # also covers wp-admin/admin-ajax.php, which some themes and plugins call
      # for logged-out visitors.
      <If "%{REQUEST_URI} =~ m#^/wp-admin/#">
        <RequireAny>
          Require ip xxx.xxx.xxx.xxx
          Require ip yyy.yyy.yyy.yyy
          Require ip 127.0.0.1
        </RequireAny>
      </If>
    </IfModule>
    • Swap xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy with the IPs you want to allow.
    • 127.0.0.1 lets the server itself through; remove it if it’s not needed.

    To lock down the login page too, add:

    <Files wp-login.php>
      # <Files> matches by file name, so this block is already scoped to the
      # login page. The directives do not depend on mod_rewrite.
      <IfModule mod_authz_core.c>
        <RequireAny>
          Require ip xxx.xxx.xxx.xxx
          Require ip yyy.yyy.yyy.yyy
          Require ip 127.0.0.1
        </RequireAny>
      </IfModule>
    </Files>

    If your server uses mod_access_compat instead of mod_authz_core, you can use this instead:

    <IfModule mod_access_compat.c>
      # Same scoping as above. mod_access_compat only exists on Apache 2.4, where
      # <If> is available; on a server without it this block is skipped entirely.
      <If "%{REQUEST_URI} =~ m#^/wp-admin/#">
        Order deny,allow
        Deny from all
        Allow from xxx.xxx.xxx.xxx
        Allow from yyy.yyy.yyy.yyy
        Allow from 127.0.0.1
      </If>
    </IfModule>
  3. Upload the edited file: Save your changes and overwrite the existing .htaccess on the server.
  4. Verify your setup:
    • Visit yourdomain.com/wp-admin from a blocked IP—you should see a “403 Forbidden” error.
    • Try again from an allowed IP—you should reach the login page.
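A lock-out usually happens because the address you are connecting from is not actually in the allowlist. The script below is an added example, not part of the original answer: it reads the `Require ip` lines from .htaccess text and reports whether a given client address would pass the RequireAny check, so you can run it against your own file and public IP before uploading. It goes slightly beyond the snippets above by also accepting CIDR ranges and dotted partial prefixes such as 10.1, both of which Apache's `Require ip` supports; the sample .htaccess text and addresses are constructed.

```python
"""Pre-flight check for a `Require ip` allowlist before uploading .htaccess."""
import ipaddress
import re

# Constructed sample: an allowlist block as it would sit in the root .htaccess.
SAMPLE_HTACCESS = """\
<Files wp-login.php>
  <IfModule mod_authz_core.c>
    <RequireAny>
      Require ip 203.0.113.10
      Require ip 198.51.100.0/24
      Require ip 2001:db8::/32
      Require ip 127.0.0.1
    </RequireAny>
  </IfModule>
</Files>
"""

# One `Require ip` line may carry several space-separated addresses.
REQUIRE_IP = re.compile(r"^\s*Require\s+ip\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_allowlist(htaccess_text):
    """Return every address or network named on `Require ip` lines.

    Apache accepts full addresses, CIDR ranges and dotted partial prefixes
    such as 10.1; a partial prefix is expanded to the equivalent /8, /16 or /24.
    """
    nets = []
    for line in REQUIRE_IP.findall(htaccess_text):
        for token in line.split():
            if "/" not in token and ":" not in token and token.count(".") < 3:
                octets = token.split(".")
                padded = ".".join(octets + ["0"] * (4 - len(octets)))
                token = f"{padded}/{8 * len(octets)}"
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def is_allowed(client_ip, nets):
    """True if client_ip matches any entry, which is what RequireAny grants."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets if net.version == addr.version)


if __name__ == "__main__":
    allow = parse_allowlist(SAMPLE_HTACCESS)
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.77", "2001:db8:1::5"):
        print(ip, "allowed" if is_allowed(ip, allow) else "BLOCKED (403)")
```

Paste your own .htaccess contents in place of the sample and check the address shown by "what is my IP" in your browser, not the LAN address of your machine.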