WP-Mix

A fresh mix of code snippets and tutorials

Quick Apache/.htaccess Snippet to Secure the WordPress Login Page

For WordPress sites where I am the only person logging in, I like to add the following Apache/.htaccess snippet to allow only my IP address and deny access to all others. When anyone tries to access the WP Login Page from any other IP address, they are denied with a server 403 Forbidden response. Only the allowed IP addresses are granted access.

Allow only one IP address

To allow only one IP address, add the following to the .htaccess file that is located in the WordPress root directory, which is the same directory that contains the Login script, wp-login.php. If the .htaccess file does not exist, go ahead and add one. Then copy/paste the following code:

<Files wp-login.php>
	<IfModule authz_core_module>
		# server address
		Require ip 123.123.123.000
		# your address
		Require ip 111.222.333.000
	</IfModule>
	<IfModule !authz_core_module>
		Order Deny,Allow
		Deny from all
		# server address
		Allow from 123.123.123.000
		# your address
		Allow from 111.222.333.000
	</IfModule>
</Files>

Notice there are two code blocks (i.e., <IfModule> containers). The first is for Apache versions 2.4+. The second is for older versions of Apache. In each block, replace the example IP addresses with your own. The first IP address in each block is for your server’s address, and the second IP address is for your own home address. The two addresses should be the same for both code blocks. Note: depending on your server setup, including the server address may not be required; I always include it just in case.

That’s all there is to it: replace the addresses, save changes, and upload to your site. Of course, remember to test well by visiting your Login page from your home IP address, and then also test by visiting from some other IP address, like via VPN or proxy server, which should be denied access.

Important! Some ISPs change or rotate customers’ IP addresses. So remember to update the list if your address changes.

For more details on how this technique works, check out my tutorial, Access Control for Apache 2.4 (and 2.2).

Bonus: Add more IP addresses

It’s common for people to access their Login page from different IP addresses, for example one from home, another from a mobile network, and so forth. So you may want to add more addresses to the allow list. Or maybe you are part of a team where each user has their own unique IP address. Whatever the case, to add more addresses, simply follow the pattern shown here:

<Files wp-login.php>
	<IfModule authz_core_module>
		
		# server
		Require ip 123.123.123.000
		
		# user 1
		Require ip 111.111.111.000
		
		# user 2
		Require ip 222.222.222.000
		
		# etc.
		Require ip 333.333.333.000
		
	</IfModule>
	<IfModule !authz_core_module>
		
		Order Deny,Allow
		Deny from all
		
		# server
		Allow from 123.123.123.000
		
		# user 1
		Allow from 111.111.111.000
		
		# user 2
		Allow from 222.222.222.000
		
		# etc.
		Allow from 333.333.333.000
		
	</IfModule>
</Files>

You can add/allow as many addresses as needed. Just remember to test well before going live.

Important! Some ISPs change or rotate customers’ IP addresses. So remember to update the list if your address changes.
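An added example, not code from the original article: a small Python check that parses the snippet's two <IfModule> blocks, reports entries that are not a full IP address or CIDR range (such as un-replaced placeholders), and reports addresses that appear in one block but not the other. The sample file, its documentation-range addresses, and the function names are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample (documentation-range addresses; not the article's snippet).
SAMPLE = """\
<Files wp-login.php>
  <IfModule authz_core_module>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
  </IfModule>
  <IfModule !authz_core_module>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10 198.51.100.7
    Allow from 111.222.333.000
  </IfModule>
</Files>
"""

BLOCK = re.compile(r"<IfModule\s+(!?)authz_core_module>(.*?)</IfModule>", re.S | re.I)
ENTRY = re.compile(r"^[ \t]*(?:Require[ \t]+ip|Allow[ \t]+from)[ \t]+(.+)$", re.I | re.M)

def parse_allowlists(text):
    """Map each block ('2.4' or '2.2') to (set of networks, rejected tokens)."""
    result = {"2.4": (set(), []), "2.2": (set(), [])}
    for negated, body in BLOCK.findall(text):
        nets, bad = result["2.2" if negated else "2.4"]
        for args in ENTRY.findall(body):
            for tok in args.split():  # both directives accept several addresses per line
                try:
                    nets.add(ipaddress.ip_network(tok, strict=False))
                except ValueError:
                    bad.append(tok)  # placeholder, typo, hostname or partial address
    return result

def lint(text):
    """List unparseable entries, then addresses present in only one block."""
    lists = parse_allowlists(text)
    problems = [f"{ver} block: not a full IP or CIDR: {tok}"
                for ver, (_, bad) in lists.items() for tok in bad]
    for net in sorted(lists["2.4"][0] ^ lists["2.2"][0], key=str):
        ver = "2.4" if net in lists["2.4"][0] else "2.2"
        problems.append(f"only in {ver} block: {net}")
    return problems

def allowed(text, client_ip):
    """Report per block whether client_ip matches an allow-list entry."""
    ip = ipaddress.ip_address(client_ip)
    return {v: any(ip in n for n in nets) for v, (nets, _) in parse_allowlists(text).items()}
```

Calling `lint(SAMPLE)` reports the un-replaced placeholder and the two entries that differ between the blocks. `allowed(SAMPLE, "198.51.100.99")` shows the 2.4 block admitting an address that the 2.2 block would reject.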
