One of the easiest ways to help secure your WordPress installation from unauthorized access is to only allow specific IP addresses to access the admin panel. One of WordPress’ larger security targets is the platform’s inability to set a custom administrative URL, by default all installations are located at /wp-admin. Thankfully we can easily handle this by adding a few lines of code to .htaccess.
FTP onto the server containing the WordPress site and navigate to the website root and then into the wp-admin directory.
{{installation root}}/wp-adminIf a .htaccess file exists in this directory right click on the file and select edit. Otherwise, create a new file and name it “.htaccess”. Once the file is open for editing add the following to the beginning of the file replacing xxx.xxx.xxx.xxx with your IP address:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist IP address
allow from xxx.xxx.xxx.xxx
</LIMIT>Note: The filename starts with a period (full-stop) and then htaccess all in lower case.
If you would like to whitelist more than one IP address you can simply add more lines of “allow from xxx.xxx.xxx.xxx” as follows:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist IP address
allow from xxx.xxx.xxx.xxx
allow from xxx.xxx.xxx.xxx
allow from xxx.xxx.xxx.xxx
</LIMIT>
To obtain your public-facing IP address you can simply go to www.google.com and in the search type “what is my IP?” and it will return your current address.
