• Sun. Oct 17th, 2021

Simple Htaccess Tweak – Protecting Your WP-Login Access By IP

We take WordPress Security seriously, and so should you.

Recently we can across this nice little write up over at WPBeginner.com, and felt that this is just the kind of posts we love to see. (Original Article)

When it comes to securing your website, particularly with WordPress, one of the first things you should consider is “exactly who” needs to access to your login panel.

Security plugins like Better WP security will work to hide the login access by changing the URL location, however this is not entirely secure as this page can be referenced in other manners. Not to mention some caching plugins may inadvertently cache the file when accessed by the admin.

The hard part is running multiple authors on a blog. In this case you may need to keep the access restrictions to a minimum and shoot for options like password enforcement, non-common usernames and login restrictions.

If however you are a single author / admin and you would like to restrict access to sensitive pages, consider using this short piece of htaccess code.


<Files wp-login.php>
order deny,allow
Deny from all

# whitelist IP address needing access
allow from xx.xxx.xx.xx
allow from xx.xxx.xx.xx


This is simple enough htaccess code. Which can be added to your htaccess file within a few moments. Make sure you make backup of any files you change before doing so.

This same format can be used for other files you wish to restrict, such as personal downloads, PDF files, or other WordPress pages.

When entering your IP address to whitelist, make sure you know if your IP address will change. Many ISP;s have dynamic IP addresses. You might turn off your computer and wonder why you cannot log back in tomorrow. If this is the case, simple recheck your IP Address, (we use WhatsMyIp.Org) and edit your htaccess file in your CPanel File Manager (or FTP).

Also, note you may use blocks of addresses should you already know what to expect. For instance, you might be at IP address:


But if your service provider moves you around frequently but within the same first three octets, consider putting your IP address in as this:


By leaving off the last octet the htaccess file will let any valid ip within the range of 123.123.456.1 to 123.123.456.255.

This will allow for some flexibility should your access ip address changes frequently. If they move you to different blocks, such as, make sure to simply add another line with your second IP Address ranges. If you travel alot, just enter IP Addresses as needed for your temporary or semi-permanent access points when traveling. These can always be removed later.

Doing this simple htaccess hack can make the difference between you access your login page and hundred if not thousands of attacks hitting your login page. Personally, we like to keep login access to those people we provide it to directly. But that’s just us being security nuts.

Derek Wood

Derek is a Online Web Professional. He works with clients and customers in order to implement Web-Based solutions for businesses. These include websites, SEO, marketing, and company branding. His own company, Shadow Dragon Unlimited has been providing these services to local businesses in his Western Massachusetts area and online since 2003.