How to lock out all traffic (except your IP) from WordPress Login and Admin pages

Today’s tutorial contains a couple of quick fixes which will block everyone you don’t want from even trying to log in to your site.

Please note, this will block all visitors who don’t come from your list of trusted IP addresses from:

  1. Attempting to log in (by accessing wp-login.php); and
  2. Accessing the wp-admin directory at all

A couple of things to watch out for before we go any further: if you allow users to log in to (for example) post comments or make purchases, then chances are you do not want to do anything on this page. You will block them all! Also, some Ajax scripts require a file which lives in the wp-admin directory for certain “front end” actions, so this will break that. The code should be altered in those cases, but be aware that this change may “break” something that was working before (inverted commas around the word “break” because this code will be working as intended, only with an unintended consequence).

Block them from logging in through wp-login.php

Open up your .htaccess file, and add the following:

Be sure to replace X.X.X.X with your actual IP address. HINT: search Google for “what’s my IP address” to find this out easily. Note that your IP may change, and that you may be behind a network or firewall which sets your IP, so tomorrow it may be different. Be sure you have access to edit .htaccess in such a case!

Block access to wp-admin directory altogether

Blocking access to the login is a good start. You can also block out everyone but your admins, editors and authors from your wp-admin directory too… don’t let them in, don’t let them win.

To do this, the following .htaccess should be placed at the top level of the wp-admin directory (note that it may need replacing after a WordPress update, so a script can help – contact us to book something like this as it is “advanced”).

Again, be sure to replace X.X.X.X with your real IP address, which you can Google up.

Watch out for Ajax

In WordPress, Ajax on both the back end and the front end uses a location within wp-admin. This means that Ajax functions on your site won’t work (the user will literally be disallowed from accessing Ajax) if you simply add the above to the wp-admin directory.

For this reason, if you use, or intend to use, Ajax on your site, then you may like to add the following:

Test that you can run Ajax on the front end after doing this (hint: one way to confirm this is by running, for example, a Wordfence scan, which won’t work until you add this).

Adding more users

To add more users (well more IP addresses) simply add another line under Allow from X.X.X.X with Allow from Y.Y.Y.Y. There is no limit to the number of lines you can add here – one for each IP address where admin access is required.
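
The three rules described above (login page, wp-admin directory, Ajax exception), written out as an added example that is not the original post's code. It assumes the standard WordPress Ajax endpoint name admin-ajax.php and goes beyond the Allow from syntax on this page by also covering Apache 2.4, which uses Require ip; X.X.X.X and Y.Y.Y.Y remain placeholders.

```apache
# Added example. Two separate files are shown in one listing.
# X.X.X.X / Y.Y.Y.Y are placeholders for your trusted IP addresses.

# ---- File 1: .htaccess in the WordPress root (protects the login page) ----
<Files "wp-login.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require ip X.X.X.X
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from all
        Allow from X.X.X.X
    </IfModule>
</Files>

# ---- File 2: wp-admin/.htaccess (protects the whole admin directory) ----
<IfModule mod_authz_core.c>
    # Several addresses can share one line on Apache 2.4
    Require ip X.X.X.X Y.Y.Y.Y
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from X.X.X.X
    # One extra "Allow from" line per additional trusted address
    Allow from Y.Y.Y.Y
</IfModule>

# Exception so front-end Ajax keeps working for every visitor.
# admin-ajax.php is assumed to be the Ajax endpoint inside wp-admin.
<Files "admin-ajax.php">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
```

After uploading, a request for wp-login.php from an address not on the list should return 403 Forbidden, while front-end Ajax calls should still succeed.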

Helped you today? Please leave a comment!

Leave a comment below if this helped you secure your WP install today, if only to make us feel good about posting this for the benefit of the Open Source community. This can be a great way to stop bad bots from repeatedly attempting logins on your site, by denying them access to even try.

Want us to do it for you?

Get all this great stuff for your site with expert assistance from Silicon Dales – get in touch to make a booking.
