Protecting your WordPress site from hackers can be rather difficult. In fact, there is no one-solution that guarantees a 100% safe and secure site.

Studies show that tens of thousands of websites are hacked daily. Although securing your own site and the data it holds is top priority, it’s also equally important to keep your visitors’ data safe as well. Sites that don’t take proper security measures tend to face a decrease in traffic over time as they lose their credibility. This statement holds true even more in the case of e-commerce sites.

Having said that, there are measures you can take to decrease the likelihood of your WordPress being hacked by restricting access to certain users. In this article, I’ll present a tutorial to set IP restrictions to your site’s login page.

Let’s get started.

Some Preliminaries

Before you make any sort of changes to your site, it’s best to back it up in case of unexpected results. If you don’t have a plugin that takes regular backups for your site then you can simply make a copy of your .htaccess configuration file. We’ll be adding code to the configuration file in this tutorial.

What is a Static IP Address?

Static IP addresses, as the name suggests, are IP addresses that don’t change. This means that you login to your WordPress site’s admin panel using a single IP address and thus you can add restrictions so other users (with different IP addresses) can’t login.

Those of you who login and manage your site from a single location or a handful of other locations can make use of this tutorial to prevent your site from being hacked. This is a scenario in which the IP address(es) that access your WordPress site remain static.

Let’s get on with the tutorial.

Getting Started

In this section of the tutorial we’ll set up your site to prepare for the changes we’ll be making in the .htaccess configuration file and determining the IP address that you use to login to your WordPress site.

1. Go to Google and type in What’s my IP?
2. You will be redirected to a page that displays the IP address you’re using. Copy and paste it into a .txt file. We’ll need to add this to the code later.
3. Locate your WordPress site’s .htaccess configuration file.
   1. You can find it in the root directory of your website.
   2. If you don’t have an .htaccess configuration file, create it yourself.
4. Login with FTP client or your site’s cPanel and browse your .htaccess configuration file.
5. Open a text editor to edit and add code to the .htaccess configuration file.

Recommendation: You can use the text editor that is integrated into cPanel or any desktop text editor you may have on your machine, like Notepad.

Please make sure you are copy-pasting the code you see in this tutorial at the top of your .htaccess configuration file. This ensures that you don’t make any unnecessary changes to your WordPress site’s existing settings and configurations.

Setting IP Restrictions Using Static IP Address

If you always access your WordPress site from a single location or from a few, known locations then you can follow these steps to set IP restrictions using the static IP address approach. The principle behind this method is that we’ll create a safe list of IP addresses that will have access to your site. You can add IP addresses to this list or remove them later on as necessary.

Basically, everyone on the list can access your site and login to the admin panel.

How To Set IP Restrictions Using Static IP Address

Follow these three simple steps to set IP restrictions using static, known IP addresses to your site’s login page.

1. Open your WordPress site’s .htaccess configuration file through the cPanel text editor (or any other desktop specific text editor).
2. Copy and paste the following code to the top of the .htaccess configuration file (Gist is also available).

RewriteEngine on

RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$

RewriteCond %{REMOTE_ADDR} !^12.345.678.90

RewriteCond %{REMOTE_ADDR} !^IP Address InsertTwo$

RewriteCond %{REMOTE_ADDR} !^IP Address InsertThree$

RewriteRule ^(.*)$ – [R=403,L]

3. Save the changes you’ve made to the .htaccess configuration file.

Editing the Code

To edit the code according to your specific address(es), all you have to do is make changes in line 4 and line 5 (line 9 and line 10 in the Gist) and add the IP addresses that you want to allow to access your WordPress site’s login page. To do this, simply substitute IP Address InsertTwo$ and IP Address InsertThree$ with the IP address you want to grant login address to. The IP address you give should be in the format specified in line 3 (line 8 in the Gist).

Adding / Removing Authorized Users

To allow more than three IP addresses to be able to login to your WordPress site, copy and paste the line that reads RewriteCond %{REMOTE_ADDR} !^IP Address Insert and insert the IP address where it says IP Address Insert$. Similarly, if you’d like to grant access to only one or two, then remove the extra RewriteCond %{REMOTE_ADDR} lines from the code. It’s as easy as that!

Some Final Thoughts

As we mentioned before, there is no one solution that will guarantee that your site won’t be hacked or face any security threat. However, setting IP restrictions to the WordPress login page will definitely protect it from any possible brute force attacks.

Those of you who want to take additional measures to protect your site can read up on these articles:

Top 10 Essential WordPress Security Plugins

Preventing Brute Force Attacks Against WordPress Websites

14 Ways To Prevent Your WordPress Blog From Being Hacked

We hope you found this tutorial to be informative and hope that you can increase your site’s security by restricting IP addresses.

Has your WordPress site ever faced a security threat? What measures do you take to protect your site from security threats? Let us know in the comments section below.