Sharif Jameel
3 min read · Aug 18, 2018

Protecting the wp-admin directory in your WordPress website is one of the most important security steps you can take. If you only administer your site from a few locations (or fewer), it’s easy to restrict access to wp-admin to your own IP address.

Determine the Allowed IP Addresses

First you must figure out the IP addresses you want to access your WordPress Admin dashboard from.

To do this, simply type “what is my ip address” into Google from the computers you plan on using. This will return your public IP address.

If you typically work on your WordPress websites from home, keep in mind that most home Internet Service Providers don’t assign static IP addresses. Your IP address will eventually change and you’ll have to go back and modify the setting we’re about to change in the next section.

If you’re working from a business office, chances are the IP address will never change.

Modifying the .htaccess File

Your .htaccess file can be accessed either by FTP to your web hosting company or through the File Manager in cPanel.

Open your .htaccess file and add the following lines of code to the top, changing 192\.168\.1\.1 to match the IP addresses you wish to access your wp-admin directory from.

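# BEGIN wp-admin restriction based on IP address
RewriteEngine on
# Apply the rule to wp-login.php or to a request path ending in wp-admin
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# One line per allowed IP address; replace the 192\.168\.1\.1 placeholder
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.1$
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.1$
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.1$
# Everyone else gets a 403 Forbidden response
RewriteRule ^(.*)$ - [R=403,L]
# END IP restriction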

The above example has 3 lines for different IP addresses, but if you only had one IP address you wanted to whitelist, you could delete the other two lines.

Additionally, you could add more lines to whitelist more IPs. In theory, there’s no limit to the number of IPs you could add to the list.
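Hand-editing one escaped line per address is where typos creep in, so here is an added example (not the author's code) that generates the block above from a list of addresses and then models which requests it would answer with a 403. The helper names build_block and is_blocked are hypothetical, and the sample addresses are constructed from the reserved documentation ranges.

```python
import ipaddress
import re

# URI patterns copied from the article's .htaccess block.
URI_PATTERNS = [r"^(.*)?wp-login\.php(.*)$", r"^(.*)?wp-admin$"]

def build_block(allowed_ips):
    """Build the restriction block (hypothetical helper) from IPv4 strings."""
    if not allowed_ips:
        # With no address lines the rule would return 403 to everyone, you included.
        raise ValueError("refusing to build a block with an empty allow list")
    lines = ["# BEGIN wp-admin restriction based on IP address", "RewriteEngine on"]
    for i, pattern in enumerate(URI_PATTERNS):
        flag = " [OR]" if i < len(URI_PATTERNS) - 1 else ""
        lines.append("RewriteCond %{REQUEST_URI} " + pattern + flag)
    for ip in allowed_ips:
        addr = ipaddress.IPv4Address(ip.strip())  # ValueError on a mistyped address
        # Escape the dots and anchor both ends so only this exact address matches.
        lines.append("RewriteCond %{REMOTE_ADDR} !^" + re.escape(str(addr)) + "$")
    lines += ["RewriteRule ^(.*)$ - [R=403,L]", "# END IP restriction"]
    return "\n".join(lines)

def is_blocked(block, uri, remote_addr):
    """Model how the conditions chain: (URI cond OR URI cond) AND every
    negated address cond. Only the regex logic is modelled, not Apache itself."""
    uri_hit, not_allowed = False, True
    for line in block.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "RewriteCond":
            continue
        variable, pattern = parts[1], parts[2]
        if variable == "%{REQUEST_URI}":
            uri_hit = uri_hit or re.search(pattern, uri) is not None
        elif variable == "%{REMOTE_ADDR}":
            # The leading "!" negates: true when the address does NOT match.
            not_allowed = not_allowed and re.search(pattern[1:], remote_addr) is None
    return uri_hit and not_allowed

if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    block = build_block(["203.0.113.10", "198.51.100.7"])
    print(block)
    for uri, ip in [("/wp-login.php", "203.0.113.10"), ("/wp-login.php", "192.0.2.55"),
                    ("/wp-admin", "203.0.113.100"), ("/blog/hello-world/", "192.0.2.55")]:
        print(uri, ip, "403" if is_blocked(block, uri, ip) else "allowed")
```

Paste the printed block at the top of .htaccess, then confirm from an address that is not on the list that wp-login.php really returns a 403.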

Special Considerations

Depending on which plugins you use on your site, it’s possible you may also need to add your site’s own IP address into the whitelist as well.

This is because some applications call back anonymously to the wp-admin portion of their own site. Central management dashboards such as MainWP do this as part of their normal operation. Without the site’s own IP in the whitelist, these callbacks will fail.


Restricting wp-admin Access: Conclusion

Obviously, restricting wp-admin by IP isn’t the be-all and end-all of WordPress security. There are plenty of other things you should be doing to lock down your websites.

However, it’s important as part of a comprehensive security plan.
