Securing your WordPress website is crucial for protecting your data and maintaining your site's integrity. The admin dashboard (/wp-admin) is the control center of your site, making it a prime target for hackers and malicious bots. One of the most effective ways to bolster your site's security is to restrict access to your admin area based on IP addresses.
This method essentially creates a whitelist, allowing only approved IP addresses to access your login page and admin dashboard. Anyone attempting to access it from an unlisted IP address will be met with an error page.
This guide will walk you through the process of restricting directory access using your site's .htaccess file.
Before You Begin: A Word of Caution
Editing your .htaccess file can cause your site to become inaccessible if not done correctly. Always create a backup of your original .htaccess file before making any changes. If you get locked out of your own site, you can simply restore the original file to regain access.
Step 1: Find Your Public IP Address
To whitelist your own connection, you first need to know your public IP address. Your Internet Service Provider (ISP) assigns this address to identify your computer on the internet.
The easiest way to find your IP address is to type "what is my IP address" into a Google search. The result will be displayed near the top of the page.
Jot this IP address down. If you need to allow access for other team members or from different locations (like your home and office), gather those IP addresses as well.
Note: Many residential internet connections have dynamic IP addresses, meaning they change periodically. If you find yourself locked out after some time, it may be because your IP address has changed. You would need to repeat this process with your new IP. For a more permanent solution, you may need to acquire a static IP from your ISP.
Step 2: Locate Your .htaccess File
The .htaccess file is a powerful configuration file used by Apache web servers, which host the vast majority of WordPress sites. You will find it in the root directory of your WordPress installation—the same folder that contains your wp-config.php file and the wp-admin and wp-content folders.
You can access this file in two primary ways:
- Using cPanel's File Manager:
  - Log in to your hosting account's cPanel.
  - Navigate to the File Manager.
  - In the top-right corner, click on Settings and ensure that "Show Hidden Files (dotfiles)" is checked. The .htaccess file begins with a dot, which often makes it a hidden file.
  - Navigate to your site's root directory (often public_html or named after your domain).
  - You should now see the .htaccess file. Right-click on it and select Download to create a backup.
- Using an FTP Client:
  - Connect to your server using an FTP client like FileZilla.
  - Navigate to your WordPress root directory.
  - If you don't see the .htaccess file, check your FTP client's settings to force it to show hidden files. In FileZilla, this is under Server > Force showing hidden files.
  - Download the file to your computer to back it up.
Step 3: Add the IP Restriction Code to .htaccess
Now you're ready to edit the file. You can right-click the file in cPanel's File Manager or your FTP client and select Edit.
Add the following code snippet to the top of your .htaccess file, above any existing WordPress rules (which usually start with # BEGIN WordPress).
To Allow a Single IP Address:
<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login page, or the wp-admin directory and anything inside it
# (a pattern ending in wp-admin$ would miss /wp-admin/ and /wp-admin/edit.php).
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# admin-ajax.php is called by front-end plugins and themes; keep it reachable.
RewriteCond %{REQUEST_URI} !admin-ajax\.php
RewriteCond %{REMOTE_ADDR} !^YOUR_IP_ADDRESS$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Replace YOUR_IP_ADDRESS with the actual IP address you found in Step 1. Be careful to escape the dots with a backslash (\.), for example: !^123\.456\.78\.9$
To Allow Multiple IP Addresses:
If you need to grant access to more than one IP address, you can add multiple RewriteCond lines like so:
<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login page, or the wp-admin directory and anything inside it.
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# admin-ajax.php is called by front-end plugins and themes; keep it reachable.
RewriteCond %{REQUEST_URI} !admin-ajax\.php
# Conditions without [OR] are ANDed: the rule only fires when the visitor
# matches none of the listed addresses.
RewriteCond %{REMOTE_ADDR} !^FIRST_IP_ADDRESS$
RewriteCond %{REMOTE_ADDR} !^SECOND_IP_ADDRESS$
RewriteCond %{REMOTE_ADDR} !^THIRD_IP_ADDRESS$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Simply replace the placeholder IP addresses with the real ones.
What this code does:
- It checks if the request is for the wp-login.php file or the /wp-admin/ directory.
- It then checks if the visitor's IP address is NOT one of the ones you've listed.
- If both conditions are true (it's a sensitive page and the IP is not on the list), it blocks the request with a 403 Forbidden error.
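As an added example (not part of the original guide), the following Python script generates the Step 3 snippet for any number of addresses, escaping the dots automatically, and dry-runs the same condition chain against constructed sample requests so you can see what would get a 403 before touching the live file. It matches the whole wp-admin directory while leaving admin-ajax.php reachable; the IP addresses and URIs are constructed, and the evaluator mirrors how mod_rewrite combines RewriteCond lines rather than invoking Apache.

```python
import re
from ipaddress import ip_address

# REQUEST_URI patterns from the .htaccess block: the login page, the wp-admin
# directory with everything under it, and the admin-ajax.php exception that
# front-end plugins and themes depend on.
LOGIN_RE = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_RE = re.compile(r"^(.*)?wp-admin(/.*)?$")
AJAX_RE = re.compile(r"admin-ajax\.php")

def htaccess_snippet(allowed_ips):
    """Render the block with one RewriteCond per allowed address. Each address
    is validated first (an invalid one such as 123.456.78.9 raises ValueError
    instead of silently locking you out), then its dots are escaped, so
    203.0.113.5 becomes !^203\\.0\\.113\\.5$ as Step 3 requires."""
    ips = [str(ip_address(ip)) for ip in allowed_ips]
    lines = [
        "<IfModule mod_rewrite.c>",
        "RewriteEngine on",
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]",
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$",
        r"RewriteCond %{REQUEST_URI} !admin-ajax\.php",
    ]
    lines += [f"RewriteCond %{{REMOTE_ADDR}} !^{re.escape(ip)}$" for ip in ips]
    lines += ["RewriteRule ^(.*)$ - [R=403,L]", "</IfModule>"]
    return "\n".join(lines)

def is_blocked(uri, remote_addr, allowed_ips):
    """Chain the conditions as mod_rewrite does: (login OR admin) AND NOT ajax
    AND NOT ip1 AND NOT ip2 ... means the rule fires and the answer is 403."""
    if not (LOGIN_RE.match(uri) or ADMIN_RE.match(uri)) or AJAX_RE.search(uri):
        return False
    # Behind a CDN or reverse proxy REMOTE_ADDR is the proxy's address, not the
    # visitor's, so every admin request would land here; that case is not modelled.
    return not any(re.fullmatch(re.escape(ip), remote_addr) for ip in allowed_ips)

def dry_run(allowed_ips):
    """Constructed sample requests (REQUEST_URI, REMOTE_ADDR) -> True when blocked."""
    samples = [
        ("/wp-login.php", "203.0.113.5"),              # listed office IP: served
        ("/wp-login.php", "198.51.100.7"),             # unlisted visitor: 403
        ("/wp-admin/edit.php", "198.51.100.7"),        # direct admin page hit: 403
        ("/wp-admin/admin-ajax.php", "198.51.100.7"),  # front-end AJAX: served
        ("/2024/hello-world/", "198.51.100.7"),        # public post: served
        ("/wp-login.php", "203.0.113.50"),             # near-miss of a listed IP: 403
    ]
    return {f"{uri} from {addr}": is_blocked(uri, addr, allowed_ips) for uri, addr in samples}
```

Call htaccess_snippet([...]) to print a block ready to paste above the # BEGIN WordPress rules, and dry_run([...]) to review which sample requests would be refused; the last sample shows why the ^ and $ anchors and the escaped dots matter.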
What to Do If You're Locked Out
If you make a mistake and find yourself locked out of your own admin dashboard, don't panic. This is why you made a backup.
- Return to your File Manager or FTP client.
- Delete the modified .htaccess file (or rename it to .htaccess_broken).
- Upload the original, unmodified .htaccess file that you backed up earlier.
This will restore access immediately, and you can try editing the file again.
By taking this simple yet powerful step, you've significantly hardened the security of your WordPress website against common attacks.