Restrict wp-login.php to specific IPs

Protection Requirement:

SPECIAL

>Works if a limited number of people need access and they have semi-permanent IP allocations.

Skills/Resources:

>Edit system files
>Text editor

THE THREAT
The wp-login.php page is a frequent target of hackers. By default, it can be accessed from anywhere, which is convenient but also a security risk.

THE OBJECTIVE
Specify IPs that can access wp-login.php and block all others.

PROPOSED SOLUTION

Edit the .htaccess file to add a list of IPs that are allowed access, commonly referred to as a ‘whitelist’. This prevents unknown IPs from attempting password guesses.

Add this code to the root folder’s .htaccess:

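<files wp-login.php>
# Apache 2.2-style access control: deny everyone, then allow the listed IPs
order deny,allow
deny from all

# static IP
allow from xxx.xxx.xxx.xxx

# dynamic IP: /24 lets the last octet vary, /16 lets the last two octets vary
allow from xxx.xxx.xxx.0/24
allow from xxx.xxx.0.0/16
</files>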

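Enter actual IPs in place of xxx.xxx.xxx.xxx. If you know your actual IP, stick with static (just be aware that you will need to update it if it changes) or use dynamic if you need to allow a range of IPs. The number after the slash sets how many leading bits of the address must match, so a smaller number allows a larger range.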
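An added example, not part of the original article: a Python helper that takes the addresses you have observed on a dynamic connection, works out the narrowest CIDR range covering them, and builds the wp-login.php block. The function names, the /16 width limit, the apache24 switch (which emits the Apache 2.4 `Require ip` form instead) and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress

MIN_PREFIX = 16  # assumption: refuse ranges wider than a /16 (65,536 addresses)


def covering_network(observed):
    """Return the narrowest single IPv4 CIDR block containing every address."""
    ips = [ipaddress.IPv4Address(a) for a in observed]
    if not ips:
        raise ValueError("need at least one observed address")
    lo, hi = min(ips), max(ips)
    # Every bit that differs between the lowest and highest address,
    # and every bit to its right, has to be a host bit.
    prefix = 32 - (int(lo) ^ int(hi)).bit_length()
    return ipaddress.ip_network(f"{lo}/{prefix}", strict=False)


def _fmt(net):
    """Write single hosts as a bare address, ranges in CIDR notation."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def build_rules(static_ips, dynamic_observed=(), apache24=False):
    """Build the <files wp-login.php> block for the root .htaccess."""
    allowed = [ipaddress.ip_network(ip) for ip in static_ips]
    if dynamic_observed:
        net = covering_network(dynamic_observed)
        if net.prefixlen < MIN_PREFIX:
            raise ValueError(f"{net} is too wide to be a useful whitelist")
        allowed.append(net)
    if apache24:
        body = [f"Require ip {_fmt(n)}" for n in allowed]
    else:
        body = ["order deny,allow", "deny from all"]
        body += [f"allow from {_fmt(n)}" for n in allowed]
    return "\n".join(["<files wp-login.php>", *body, "</files>"])


if __name__ == "__main__":
    # Constructed sample data: one fixed office IP and three addresses
    # seen on a home connection over a few weeks.
    home = ["198.51.100.17", "198.51.100.203", "198.51.101.4"]
    print(build_rules(["203.0.113.10"], home))
```

If the observed addresses are so far apart that the covering range would be wider than a /16, the helper raises an error instead of writing a rule that admits millions of addresses.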

If you are not sure of your IP address, just type “what is my ip” into Google and it will tell you.
Underneath you will see a multitude of websites that will give you your exact IP address along with more information.

See also http://protectyourbusinessonline.com/security/restrict-wp-admin-php-to-specific-ips/

Alternative approach using plugin

The above solution enables you to specify exactly what IPs have access. There is an alternative approach using a plugin that allows all IPs but blocks those with repeated failed login attempts. See http://protectyourbusinessonline.com/security/protect-login-from-brute-force-attacks/

MORE ADVANCED
none
