Keeping your WordPress website safe from potential hackers is no cakewalk. Proactivity is the key to keeping your site secure. For starters, this means installing security plugins and setting strong passwords. However, that is hardly the end of it. To prevent hackers from getting hold of your information, you will need to take some additional steps to avoid potential attacks.
Fortunately, there are some simple yet effective steps you can follow to increase your website’s security. In addition to this, you’ll also be able to protect your website’s users from security vulnerabilities, which is especially important if you are dealing with an e-commerce store.
One of the best ways to minimize the risk of your site being hacked is to restrict access to certain users based on their IP address. In this post, we will cover why restricting login attempts is a decision that can save you a lot of trouble and show you how you can limit access for both static and dynamic IP addresses.
Why Restricting Login Attempts Is Important
The first thing you need to know about internet security is that nothing is really secure on the internet. WordPress is no exception to this and has a few chinks in its armor.
By default, WordPress lets anyone reach the login page and enter unlimited combinations of usernames and passwords. Hackers can use this to their advantage: with a brute force attack, they can try thousands of combinations in just a few minutes and gain access to your site.
For this reason, limiting login attempts to your WordPress site’s back end is crucial. There are a few different ways to do this. In the following section, we’ll show you how you can set IP restrictions on the WordPress login page manually by tweaking the .htaccess file to limit access to your WordPress admin page. Alternatively, plugins like Login LockDown can help you get the job done.
How to Set IP Restrictions to the WordPress Login Page
You can fortify your website against hackers by following a simple procedure that limits access to your WordPress website’s login page.
Before You Begin
Since you’ll be messing around with core files, we recommend that you create a full backup of your WordPress site in case things don’t go as planned.
There are two ways to do this. You can sign up for a site maintenance service and let them manage backups for you. The second method is to install a backup plugin from the WordPress Plugin Directory.
IP Address and .htaccess Configuration File
The next step is to find the .htaccess file by logging into your host’s cPanel and opening it in the default text editor. If, for some reason, you do not have a .htaccess file, then you will have to create one yourself.
To make sure you don’t make any unnecessary changes to your existing WordPress rules, copy the code from the tutorial sections below and paste it at the very top of the .htaccess file.
Option 1: Set Restrictions on Static IP Addresses
If you have a static IP, or you are using a limited number of machines to log in to your website, then the best course of action is to set a restriction on selected IP addresses only.
The benefit of creating a list of secure IP addresses is that it can be used to create a whitelist of IP addresses that can log in to the site. This prevents users from unidentified IP addresses from breaking into your WordPress website. Let’s dive into the tutorial.
Step 1: Open your site’s .htaccess file in the default text editor.
Step 2: Add the following lines of code to the top of the .htaccess file:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-(login\.php|admin)$
RewriteCond %{REMOTE_ADDR} !^12\.345\.678\.90$
RewriteCond %{REMOTE_ADDR} !^IP Address InsertTwo$
RewriteCond %{REMOTE_ADDR} !^IP Address InsertThree$
RewriteRule ^(.*)$ - [R=403,L]
Step 3: Click the Save button to save changes made to the .htaccess file.
Be sure to edit the IP addresses in the fourth and the fifth lines of the code and replace them with the IP addresses that you want to allow access to your WordPress website’s login page.
More than three IP addresses can also be allowed to access your website login. For that, all you have to do is copy and paste the fourth line and add in the IP address. Likewise, if you want to limit it to one or two IP addresses you can do that by removing the fifth line from the code.
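Hand-editing the escaped addresses is where this rule usually goes wrong. The following added example (not part of the original article) generates the REMOTE_ADDR lines from a plain list and shows why each pattern needs both ^ and $. The function names are hypothetical, and the addresses are constructed samples from the documentation ranges.

```python
import ipaddress
import re

def allow_conditions(addresses):
    """Build one negated RewriteCond per allowed IPv4 address,
    with dots escaped and the pattern anchored at both ends."""
    lines = []
    for text in addresses:
        # Raises ValueError for anything that is not a real IPv4 address,
        # such as the article's sample value 12.345.678.90.
        ip = ipaddress.IPv4Address(text.strip())
        lines.append("RewriteCond %{REMOTE_ADDR} !^" + re.escape(str(ip)) + "$")
    return lines

def is_allowed(remote_addr, cond_lines):
    """The 403 rule fires only when every negated pattern fails to match,
    so a single matching pattern lets the client through."""
    patterns = [line.split(" !", 1)[1] for line in cond_lines]
    return any(re.search(p, remote_addr) for p in patterns)

# Constructed sample allowlist (documentation address ranges).
ALLOWED = ["203.0.113.7", "198.51.100.24"]

# The same first address written without the trailing "$".
LOOSE = ["RewriteCond %{REMOTE_ADDR} !^203\\.0\\.113\\.7"]

if __name__ == "__main__":
    generated = allow_conditions(ALLOWED)
    print("\n".join(generated))
    for client in ("203.0.113.7", "203.0.113.70", "192.0.2.55"):
        print(client,
              "anchored:", is_allowed(client, generated),
              "unanchored:", is_allowed(client, LOOSE))
```

Paste the generated lines in place of the REMOTE_ADDR lines of the block above. Without the trailing $, the pattern for 203.0.113.7 also admits 203.0.113.70 through 203.0.113.79.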
Option 2: Set Restrictions on Dynamic IP Addresses
In some cases, it’s necessary to allow access to multiple users even if the IP addresses of these users cannot be known. This can be either because they have dynamic IPs or because they use multiple devices and networks to log in to your WordPress site.
Whether you have multiple users contributing to your site or are getting maintenance services from an online service provider, you will need to grant access to the users who have dynamic IP addresses. Here’s how:
Step 1: Open your site’s .htaccess file in the default text editor.
Step 2: Add the following lines of code to the top of the .htaccess file:
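# Refuse login form submissions that were not sent from a page on this site
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
# The Referer must start with your own domain (http or https)
RewriteCond %{HTTP_REFERER} !^https?://(.*)?your-site\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]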
Step 3: Click the Save button to save changes made to the .htaccess file.
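To modify the code according to your WordPress website, all you need to do is change your-site.com to your WordPress website’s domain. The rule refuses POST requests to the login page unless their Referer header points at your own site, so only login attempts submitted from your site’s own login form are accepted. Because the Referer header is supplied by the client, this filters out simple automated login attempts rather than acting as full access control.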
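To see which requests the Option 2 rule refuses before deploying it, the conditions can be mirrored in a few lines of Python and run over sample requests. This is an added example, not part of the original article; it assumes the Referer pattern is written as ^https?:// so HTTPS sites are covered, the function name is hypothetical, and the requests are constructed.

```python
import re

SITE = "your-site.com"  # placeholder from the article; use your own domain

# Mirrors: RewriteCond %{HTTP_REFERER} !^https?://(.*)?your-site\.com [NC]
REFERER_OK = re.compile(r"^https?://(.*)?" + re.escape(SITE), re.IGNORECASE)
# Mirrors the two REQUEST_URI conditions joined by [OR]
LOGIN_URI = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^(.*)?wp-admin$")

def is_forbidden(method, uri, referer=""):
    """Return True when all Option 2 conditions hold and [F] would apply."""
    if method != "POST":            # RewriteCond %{REQUEST_METHOD} POST
        return False
    if REFERER_OK.search(referer):  # negated condition fails: request passes
        return False
    return bool(LOGIN_URI.search(uri) or ADMIN_URI.search(uri))

# Constructed sample requests: (method, path, Referer header)
SAMPLES = [
    ("GET",  "/wp-login.php", ""),
    ("POST", "/wp-login.php", "https://your-site.com/wp-login.php"),
    ("POST", "/wp-login.php", ""),
    ("POST", "/wp-login.php", "http://other.example/form.html"),
    ("POST", "/contact",      ""),
]

def report():
    """Return (method, path, referer, verdict) for every sample request."""
    return [(m, u, r or "-", "403" if is_forbidden(m, u, r) else "pass")
            for m, u, r in SAMPLES]

if __name__ == "__main__":
    for row in report():
        print("%-4s %-14s %-36s %s" % row)
```

The GET row shows that the login page itself stays reachable, and the empty-Referer row shows that a legitimate user whose browser or proxy strips the Referer header will be refused as well.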
Conclusion
Securing your WordPress website from potential security attacks is important and the sooner you start the better it is. Setting IP restrictions on your WordPress website is a quick fix that goes a long way to protect your site from hackers. Hopefully, you’re in a good position now to take things further yourself.
Do you have any questions about how to set IP restrictions to the WordPress login page? Let us know in the comments section below.