.htaccess (hypertext access) is a configuration file used to add or change features on websites hosted on Apache Web Server, a free and open-source web server. Among many other features, the .htaccess file allows you to block a specific IP address from accessing your WordPress login page.
Depending on your needs and preferences, you may want to use this file to ensure only your IP address and the ones your other admins use to manage your site can log in to your admin dashboard.
If that’s the case, keep reading to learn how to access the .htaccess file and add the commands necessary to secure your login page.
Key Takeaways
- You can use the .htaccess file to add commands that allow you to block all IP addresses except for a few authorized ones from accessing your login page.
- You can access the .htaccess file via FTP, a hosting control panel like cPanel, or the Yoast SEO plugin.
Why Block IP Addresses From the WordPress Login With the .htaccess File?
The WordPress login page, usually located at https://wcanvas.com/wp-login.php, is where you access the admin dashboard. However, by default, the admin dashboard allows any user with your password to access it from any IP address.
This gives you a lot of flexibility to log in from anywhere, but it could potentially allow someone with your password to enter from anywhere in the world, too.
As you may know, IP addresses are similar to digital street addresses that identify a device’s location. If you want to secure your site’s login page, you may want to limit the IP addresses that can access it to only your IP address and the addresses of your closest collaborators.
Blocking all IP addresses except for one or a handful of authorized addresses ensures that only trusted devices can access your site.
It means that anyone trying to break into your site with an IP address outside the authorized range will be met with a 403 Forbidden error, protecting your site from brute force attacks and other types of hacking attempts.
3 Methods to Block an IP Address From the WordPress Login With the .htaccess File
Now that we know why you may want to block access to your admin with the .htaccess file, let’s explore the various methods for accessing this file and blocking any unauthorized IP from the login page.
Note: Remember that the .htaccess file is only available on servers that use the Apache Web Server software. If your site is hosted on an Nginx server or another type of server, .htaccess will likely be unavailable.
Method #1: Access the .htaccess File With an FTP Client
The first method to access your .htaccess file and block IP addresses is using a File Transfer Protocol (FTP) client like FileZilla to access your web server. FileZilla is free to use and you can download it from the official website.
After installing it, open the application and input the host, username, password, and port. Your hosting provider should have your FTP information. Contact them or browse your hosting account’s settings to get it.
Once you connect, you will see your server’s folders.
Navigate to your site’s public_html folder (sometimes named simply public or /). You will see the .htaccess file among the various loose files and the 3 WordPress core folders (wp-admin, wp-content, wp-includes).
Right-click it and select View/Edit.
Your operating system will open it with the default text editor.
Now it’s time to add the commands that will block all IP addresses from accessing your login page, except for a handful of authorized ones. Add the following configuration code at the top of the file, right below the first few comment lines.
<Files wp-login.php>
order deny,allow
Deny from all
# Allow your IP address
allow from xx.xx.xx.xx
# Allow the IP address of other admins
allow from xx.xx.xx.xx
</Files>
This code blocks all IP addresses from accessing your login page, except the ones listed in the allow from statements.
Remember to substitute xx.xx.xx.xx with your actual IP address and those of your other admins, if you have them. To find your IP address, use a tool like What Is My IP Address and input the IP address the tool returns.
Save the changes and close the file.
After saving your changes, any user who attempts to access your login page from an address outside the authorized IP range will get a 403 Forbidden error.
Method #2: Access the .htaccess File With Your Hosting Control Panel
If your hosting provider offers control panel software like cPanel, you can repeat the process of the first method, as the steps are essentially the same.
If your provider uses cPanel, access it via your-domain.com/cpanel. Log in to your cPanel account and go to File Manager from the main dashboard.
Then, go to the directory that leads to your installation path. It’ll usually be public_html, but it may be different for you.
Once you access it, you should see the .htaccess file among the various loose files and the 3 core WordPress folders (wp-admin, wp-content, and wp-includes).
Right-click it and select View/Edit, then add the following configuration code below the first few lines of comments.
<Files wp-login.php>
order deny,allow
Deny from all
# Allow your IP address
allow from xx.xx.xx.xx
# Allow the IP address of other admins
allow from xx.xx.xx.xx
</Files>
This code blocks all IP addresses from accessing your login page, except the ones listed in the allow from statements. Substitute xx.xx.xx.xx with your actual IP address and those of your other admins, if you have them.
Now, your login page will block access attempts from any IP address outside the authorized range you just established.
Method #3: Access the .htaccess File With Yoast SEO
If you already have Yoast SEO installed, this is the easiest way to modify your .htaccess file because the plugin has a feature that allows you to quickly access and edit it.
Go to Yoast > Tools from the dashboard.
On the Tools screen, scroll down until you see the File Editor link and click on it.
Now scroll down until you see a text box labeled .htaccess file.
Add the following configuration code at the top of the file, after the first few lines of comments.
<Files wp-login.php>
order deny,allow
Deny from all
# Allow your IP address
allow from xx.xx.xx.xx
# Allow the IP address of other admins
allow from xx.xx.xx.xx
</Files>
Remember to use a tool like What Is My IP Address to check your IP address and ask your collaborators to share theirs so you can add them to the access list.
After making your edits, scroll down and click the Save changes to .htaccess button.
After saving your changes, any user who attempts to access your login page from an address outside the authorized IP range will get a 403 Forbidden error.
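The snippet used in all three methods relies on the Apache 2.2 access directives (order, deny, allow), which Apache 2.4 only honors when mod_access_compat is loaded. The following is an added example, not part of the original article, that expresses the same allowlist so it works on either version; 203.0.113.10 and 198.51.100.0/24 are placeholder addresses to replace with your own.

```apache
# Added example: version-tolerant allowlist for wp-login.php.
# 203.0.113.10 and 198.51.100.0/24 are placeholder addresses (RFC 5737).
<Files "wp-login.php">
    # Apache 2.4 and later: mod_authz_core is loaded.
    <IfModule mod_authz_core.c>
        # A request is allowed if it matches any Require line below;
        # everything else is refused with 403 Forbidden.
        # Your IP address
        Require ip 203.0.113.10
        # The address range of other admins (CIDR notation is accepted)
        Require ip 198.51.100.0/24
    </IfModule>

    # Apache 2.2: mod_authz_core does not exist, so use the legacy directives.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </IfModule>
</Files>
```

After saving, request wp-login.php from an address that is not on the list and confirm the server answers 403 Forbidden. If the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than the visitor's unless mod_remoteip is configured, so test from both an allowed and a disallowed network.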
Use the .htaccess File to Block IP Addresses From the WordPress Login Page
Now you know how to use the .htaccess file to block IP addresses from the WordPress login page. It all comes down to knowing how to access it and which commands to add to it.
In this article, we provided various methods for accessing this configuration file and allowing only your IP address and those of your other admins, if you have them. Hopefully, you can use this information to add another layer of protection to your site.