Restrict wp-login.php to specific IPs

Protection Requirement:


>Works if a limited number of people access it and have semi-permanent IP allocations.


>Edit system files
>Text editor

The wp-login.php page is a target for hackers. By default, it can be accessed from anywhere, which is convenient but also a security risk.

Specify IPs that can access wp-login.php and block all others.


Edit the .htaccess file to add a list of IPs that are allowed access, commonly referred to as a ‘whitelist’. This prevents unknown IPs from attempting password guesses.

Add this code to the root folder’s .htaccess:

<files wp-login.php>
order deny,allow
deny from all

# static IP
allow from

# dynamic IP
allow from
allow from
</files>

Enter your actual IPs after each “allow from”. If you know your actual IP, stick with static (just be aware that you will need to update it if it changes), or use dynamic if you need to allow a range of IPs.

If you are not sure of your IP address just type “what is my ip” into Google and it will tell you.
Underneath you will see a multitude of websites that will give you your exact IP address with more information.
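
A filled-in version of the block above, as an added example that is not part of the original page. The addresses are constructed values from the documentation ranges (203.0.113.10 standing in for a static IP, 198.51.100.0/24 for a range), and the "Require ip" half is the Apache 2.4 equivalent of the order/deny/allow directives, which Apache 2.4 only accepts through mod_access_compat.

```apache
# Root-folder .htaccess: only listed addresses may reach wp-login.php.
# All IPs below are constructed placeholders; replace them with your own.
<Files wp-login.php>

    # Apache 2.4 and later (mod_authz_core is loaded).
    # Several Require lines are OR-ed together: any one match grants access,
    # every other client receives 403 Forbidden.
    <IfModule mod_authz_core.c>
        # static IP (constructed)
        Require ip 203.0.113.10
        # dynamic IP: allow the whole range the ISP assigns from (constructed)
        Require ip 198.51.100.0/24
    </IfModule>

    # Apache 2.2 (no mod_authz_core): same policy in the older syntax.
    # "order deny,allow" evaluates Deny first, then lets Allow override it.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        # static IP (constructed)
        Allow from 203.0.113.10
        # dynamic IP range (constructed)
        Allow from 198.51.100.0/24
    </IfModule>

</Files>

# Caveat: these rules match the address Apache sees for the connection.
# Behind a reverse proxy or CDN that is the proxy's address, not the
# visitor's, so the allow list must be applied where the real client IP
# is known (for example after mod_remoteip has restored it).
```

After uploading, request wp-login.php from an address that is not on the list and confirm the server answers 403; keep FTP or file-manager access available so the file can be corrected if your own IP changes.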

See also

Alternative approach using plugin

The above solution enables you to specify exactly what IPs have access. There is an alternative approach using a plugin that allows all IPs but blocks those with repeated failed login attempts. See


If you need help implementing this and other security measures then Virtual Webmaster Services can help. Visit Virtual Webmaster Services