Restrict WordPress WP-Admin Directory by IP

WordPress Administrative Tasks as well as the Dashboard for adding posts, pages, themes, plugins, and changing settings are all located inside the /wp-admin directory. Hackers already know this so they can try to use brute force style attacks to guess your password. To help in preventing this, it would be best to limit access to the wp-admin directory so only you (and your writers) can access it. This is only effective if you have a static IP and you sign on to WordPress at the same location. Its very simple to implement as long as you have access to .htaccess files.

Note: This will not work if you have a dynamic IP. You will end up locking yourself and/or your writers out of the Admin area.

  1. Download the .htaccess file from your /wp-admin directory (NOT your root directory). If it doesn’t exist, create one.
  2. Open the file with a text editor like Notepad++. Do not use word processors such as Microsoft Word.
  3. Add the following lines:
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName “Example Access Control”
    AuthType Basic
    order deny,allow
    deny from all
    allow from
  4. Replace with your IP Address. Remember, this will only work if you have a static IP and you sign on at the same location or network. You can also have multiple IP addresses. Simply add another “allow from” line.
  5. Save the file.
  6. Upload the new file to /wp-admin (not the root directory)

This is a very effective way to secure your WordPress blogs, however it will only work if you have a static (constant) IP Address. If you have a dynamic IP, there are other options, including Login Lockdown (it wouldn’t hurt to use Login Lockdown even if the above would work for you).

Liked this article? Share it with your friends.

Brian is the co-founder of TechAirlines. He is a developer currently focusing on mobile and web development. He is currently a sophomore at Stony Brook University, majoring in Computer Science.

  • Sam

    Good post. What about file/folder permissions? Can we lock those down any further than default? I’ve noticed a few files be accessed directly by potential hackers. Their IP is always different.

    • Brian Yang

      Make sure the server has something like suPHP installed to ensure that PHP doesn’t run using the server hostname. Your PHP files should generally have permissions of 644 while directories themselves should be 755.

      When the server does not have suPHP or a related module installed, WordPress often gives messages saying that it doesn’t have sufficient permissions to do things because permissions are not 777.

      Most things in WordPress should never require 777.