Are you looking to restrict access to your wp-login.php file in WordPress based on IP address?
The WordPress login page is frequently targeted by DDoS attacks and hackers aiming to infiltrate your website. By limiting access to designated IP addresses, you can effectively prevent these unauthorized attempts.
In this guide, we will demonstrate how to easily restrict access to your wp-login.php file in WordPress by IP address.
Why Should You Restrict Access to wp-login.php by IP Address?
The login page for a WordPress site, commonly known as wp-login.php, is where users enter their credentials to access your site.
As a website owner, this page grants you entry to the WordPress admin dashboard, allowing you to maintain your site, create content, and manage various aspects of your website.
Unfortunately, common brute force attacks often target the wp-login.php page in an attempt to breach websites. Even unsuccessful attempts can slow down your site or potentially cause it to crash.
A practical approach to mitigate this issue is to block the IP addresses from which the attacks originate (we will discuss this further in the article).
An IP address functions like a phone number, identifying a specific computer on the internet.
However, hackers can employ software to alter their IP addresses, and more advanced attacks may utilize a wider range of IP addresses, making it difficult to block all of them.
In such cases, you can restrict access to the wp-login.php file to specific IP addresses that belong to you and other authorized users of your website.
Now, let’s explore three simple methods to limit access to the wp-login.php file based on specific IP addresses, including the use of a cloud security firewall.
1. Restrict Access to the WordPress Login Page by IP Address
For this approach, you will need to insert some code into your .htaccess file.
The .htaccess file is a crucial server configuration file located in the root directory of your website, which you can access via FTP or the File Manager tool in your WordPress hosting control panel.
Connect to your WordPress site using an FTP client and open your .htaccess file to add the following code at the beginning.
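# Apache 2.2-style access control (on Apache 2.4 these directives need mod_access_compat)
<Files wp-login.php>
order deny,allow
Deny from all
# Allow access from your own IP address
allow from xx.xxx.xx.xx
# Allow access from another user's IP address
allow from xx.xxx.xx.xx
</Files>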
Remember to replace the XXs with your actual IP addresses. You can easily find your IP address by visiting the SupportAlly page.
If you have additional users who need access to your website, request their IP addresses and add them to the .htaccess file.
Here is another example of the previously mentioned code.
<Files wp-login.php>
order deny,allow
Deny from all
# Allow John as the website administrator
allow from 35.199.128.0
# Allow Tina as an Editor
allow from 108.59.80.0
# Allow Ali as a moderator
allow from 216.239.32.0
</Files>
Now, users with these specified IP addresses can access the wp-login.php file and log in to your website. Other users will encounter an error message instead of the login page.
2. Blocking Specific IP Addresses from Accessing Your Website
This approach is completely different from the first method.
Instead of restricting access to the WordPress login page for certain IP addresses, you will block IP addresses that are used to attack your website.
This method is especially beneficial for WordPress membership sites, eCommerce platforms, or any site where multiple users need to log in to access their accounts.
The downside of this method is that hackers can change their IP addresses and continue their attacks on your website.
Many common WordPress hacking attempts originate from a limited number of IP addresses, making this method effective for most situations.
Step 1: Identify the IP Addresses You Need to Block
First, locate the IP addresses that have been used to attack your website.
The simplest way to identify these IP addresses is by reviewing your server logs. Access your hosting account control panel and click on the ‘Raw Access’ logs icon.
On the following page, select your domain name to download the access logs, which will be in a gz compressed file format.
You will need to extract the file and open it using a text editor such as Notepad or TextEdit.
From there, you can identify the IP addresses that are frequently accessing the wp-login.php page.
Copy and paste these IP addresses into a new text file on your computer.
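The log review in Step 1 can be scripted instead of done by eye in a text editor. The following is an added example, not part of the original article: it counts POST requests (the login submissions) to wp-login.php per client IP and lists the IPs at or above a threshold, skipping your own addresses. It assumes the Apache "combined" log format; the function names, the threshold and the sample log lines are constructed for illustration.

```python
import gzip
import re
from collections import Counter

# Assumed format: Apache "combined" log line, e.g.
# 203.0.113.7 - - [10/Mar/2024:06:25:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "UA"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} ')

def read_lines(path):
    """Yield lines from an access log, either plain text or the .gz file as downloaded."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        yield from fh

def login_posts(lines):
    """Count POST requests (login submissions) to wp-login.php per client IP."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]  # ignore query strings such as ?action=...
        if m["method"] == "POST" and path.endswith("/wp-login.php"):
            hits[m["ip"]] += 1
    return hits

def block_candidates(hits, threshold, allowlist=()):
    """Return (ip, count) pairs at or above the threshold, busiest first, minus your own IPs."""
    return [(ip, n) for ip, n in hits.most_common() if n >= threshold and ip not in allowlist]

def make_line(ip, method, path, status):
    """Build one constructed log line for the sample below."""
    return f'{ip} - - [10/Mar/2024:06:25:01 +0000] "{method} {path} HTTP/1.1" {status} 4521 "-" "Mozilla/5.0"'

# Constructed sample data (documentation IP ranges), not taken from a real site.
SAMPLE = (
    [make_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 5
    + [make_line("198.51.100.23", "POST", "/wp-login.php", 200)] * 3
    + [
        make_line("192.0.2.10", "GET", "/wp-login.php", 200),   # your own IP loading the form
        make_line("192.0.2.10", "POST", "/wp-login.php", 302),  # your own successful login
        make_line("203.0.113.7", "GET", "/index.php", 200),     # unrelated page view
        "garbled line that does not parse",
    ]
)

if __name__ == "__main__":
    # For a real log: login_posts(read_lines("access.log.gz"))
    for ip, count in block_candidates(login_posts(SAMPLE), threshold=3, allowlist={"192.0.2.10"}):
        print(f"{ip}\t{count} login POSTs")
```

Put your own and your users' addresses in the allowlist before pasting the result into the IP blocker, so a busy legitimate user is not locked out.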
Step 2: Block Suspicious IP Addresses
Next, log in to your WordPress hosting control panel and click on the ‘IP Blocker’ icon.
On the next screen, simply paste the IP addresses you wish to block and click the ‘Add’ button.
Repeat this process to block any additional suspicious IP addresses.
Congratulations! You have effectively blocked suspicious IP addresses from accessing your website.
If you need to unblock any of these IP addresses in the future, you can easily do so using the IP blocker application.
3. Securing WordPress Login with a Website Firewall
As a website administrator, you may prefer not to spend excessive time managing which IP addresses can access your WordPress login page.
The simplest way to secure your WordPress login pages is by utilizing Sucuri, the top WordPress firewall that includes a comprehensive security plugin.
Sucuri’s website firewall automatically blocks suspicious IP addresses from accessing critical WordPress core files, preventing them from reaching your site.
This approach also enhances your WordPress performance and speed by preventing suspicious activities from slowing down your server.
Additionally, Sucuri features a built-in CDN network that automatically serves static files like images, stylesheets, and JavaScript from a server closer to your users.
You can easily whitelist IP addresses for users who are having trouble accessing the WordPress login pages.
Alternative Options: MalCare or Cloudflare Free CDN
This article provides valuable insights on how to restrict access to your wp-login.php file based on IP address. For more comprehensive security measures, check out our complete WordPress security guide and additional tips for safeguarding the WordPress admin area.