Restrict wp-admin.php to specific IPs

Protection Requirement:

SPECIAL

>Works if limited number of people access and have semi-permanent IP allocation.

Skills/Resources:

>Edit system files
>Text editor

THE THREAT
The wp-admin.php page is a common target for attackers. By default, it can be reached from any IP address, which is convenient but also a security risk.

THE OBJECTIVE
Specify IPs that can access wp-admin.php and block all others.

PROPOSED SOLUTION

Edit the .htaccess file to add a list of IPs that are allowed access, commonly referred to as a ‘whitelist’. This prevents unknown IPs from attempting password guesses.

Add this code to the root folder’s .htaccess:

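# Apply to every request method (GET and POST), but only for wp-admin.php
<Files wp-admin.php>
# Apache 2.2 syntax; on Apache 2.4 these directives need mod_access_compat
order deny,allow
deny from all

# static IP
allow from xxx.xxx.xxx.xxx

# dynamic IP: /24 fixes the first three octets, /16 fixes the first two
allow from xxx.xxx.xxx.0/24
allow from xxx.xxx.0.0/16

</Files>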
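
A dynamic-IP entry is only as narrow as its CIDR suffix, so check what the list admits before deploying it. The following is an added example, not code from the original page: it parses the `allow from` lines of an .htaccess block, reports how many addresses each entry covers, and flags ranges that are wider than intended. The sample file contents and the documentation-range addresses in it are constructed.

```python
import ipaddress
import re

# Constructed sample: documentation-range addresses stand in for real ones.
SAMPLE_HTACCESS = """\
<Files wp-admin.php>
order deny,allow
deny from all
# static IP
allow from 203.0.113.7
# dynamic IP
allow from 198.51.100.0/24
allow from 198.51.0.0/8
</Files>
"""

ALLOW_RE = re.compile(r"^\s*allow\s+from\s+(.+)$", re.IGNORECASE)

def parse_allowlist(text):
    """Return the networks named on 'allow from' lines (plain IP or CIDR)."""
    networks = []
    for line in text.splitlines():
        match = ALLOW_RE.match(line)
        if not match:
            continue
        for token in match.group(1).split():
            try:
                # strict=False: the mask decides the range, not the written
                # octets, so 198.51.0.0/8 becomes 198.0.0.0/8.
                networks.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                pass  # hostnames, 'all', env= and partial IPs are not handled
    return networks

def is_allowed(client_ip, networks):
    """True if client_ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks if net.version == addr.version)

def too_broad(networks, min_prefix=16):
    """IPv4 networks wider than /min_prefix, usually a mistyped CIDR suffix."""
    return [n for n in networks if n.version == 4 and n.prefixlen < min_prefix]

if __name__ == "__main__":
    nets = parse_allowlist(SAMPLE_HTACCESS)
    for net in nets:
        print(f"{net}  ({net.num_addresses} addresses)")
    print("too broad:", [str(n) for n in too_broad(nets)])
```
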

If you are not sure of your IP address just type “what is my ip” into Google and it will tell you.
Underneath you will see a multitude of websites that will give you your exact IP address with more information.

See also http://protectyourbusinessonline.com/security/restrict-wp-login-php-to-specific-ips/

Alternative approach using plugin

The above solution enables you to specify exactly what IPs have access. There is an alternative approach using a plugin that allows all IPs but blocks those with repeated failed login attempts. See http://protectyourbusinessonline.com/security/protect-login-from-brute-force-attacks/

MORE ADVANCED
none
