How to lock out all traffic (except your IP) from WordPress Login and Admin pages

Today’s tutorial contains a couple of quick fixes which will block out everyone you don’t want from even trying to login to your site.

Please note, this will physically block all visitors who don’t come from your list of trusted IP addresses from:

  1. Attempting to login (by accessing wp-login.php); and
  2. Accessing the wp-admin directory at all

A couple of things to watch out for before we go any further: if you allow users to login to (for example) post comments or make purchases, then chances are you do not want to do anything in this page. You will block them all! Also, some ajax scripts require a file which lives in the wp-admin directory for certain “front end” actions, so this will break that. The code should be altered in those cases, but be aware, that this change may “break” something that was working before (inverted commas next to the word “break” because this code will be working as intended, only with an unintended consequence).

Block them from logging in through wp-login.php

Open up your .htaccess file, and add the following:

Be sure to replace X.X.X.X with your actual IP address. HINT: Google search “what’s my IP address” to find this out easily. Note it may change, and also note you may be behind a network or firewall which sets your IP – so maybe tomorrow it may be different. Be sure you have access to edit .htaccess in such a case!

Block access to wp-admin directory altogether

Blocking access to the login is a good start. Also, you can block our everyone but your admins, editors and authors from your wp-admin directory too… don’t let them in, don’t let them win.

To do this, the following .htaccess should be added into the top of the wp-admin directory (note this may need replacing after a WordPress update, so a script can help – contact us to book something like this as it is “advanced”).

Again, be sure to replace X.X.X.X with your real IP address, which you can Google up.

Adding more users

To add more users (well more IP addresses) simply add another line under Allow from X.X.X.X with Allow from Y.Y.Y.Y. There is no limit to the number of lines you can add here – one for each IP address where admin access is required.

Helped you today? Please leave a comment!

Leave a comment below if this helped you secure your WP install today, if only to make us fell good about posting this for the benefit of the Open Source community. This can be a great way to stop bad bots from repeatedly attempting logins on your site, by denying them access to even try.

Leave a Reply

Your email address will not be published. Required fields are marked *