How to Restrict WordPress Admin Access by IP Address

How to Restrict WordPress Admin Access by IP Address

If you want to secure your website from unwanted guests or web attackers, what options do you have? One way is to restrict WordPress admin access by IP address. This article will discuss why it is essential and how to do it. Let’s start with the introduction.

An Internet Protocol (IP) address is a number given to each device connected to a computer network that uses the Internet Protocol for communication. Its main functions are identifying the host or network interface and providing the host’s location within the network.

IP addresses are essential for devices to communicate with each other on a network, whether it’s a local network or the global Internet. Two versions of IP addresses are currently in use: IPv4 (32-bit) and IPv6 (128-bit), with IPv4 being the most widely used.

Why You Should Restrict WordPress Admin Access by IP Address?

You might want to restrict WordPress admin access by IP address for various reasons. Below are some of them.

  • Control over access: If you restrict access by IP address, you will get a higher level of control over who can log in to the admin area of your WordPress site. This will help if you have multiple administrators with different locations and devices.
  • Hackers attack: By restricting access to the WordPress admin dashboard to specific IP addresses, you reduce the risk of hackers’ attacks. These attacks involve automated attempts to guess usernames and passwords. So, if the hackers get your username and password, they will still need the correct IP address to proceed.
  • Unauthorized visitors: Only authorized users will get access to your admin area. This provides an extra layer of security beyond just relying on a username and password. Moreover, it will help you control the temporary logins you provide users.

Now you know why you should restrict WordPress admin access by IP address. The next section will show you how to do the task properly.

How to Restrict WordPress Admin Access by IP Address?

There are different methods to restrict WordPress admin access by IP address. The easiest among them is to use a third-party plugin to install this restriction.

We will use the Restricted Site Access plugin to show the procedure. This is a simple plugin with 20,000+ active installations that you can use to protect your site from various threats.

So, let’s begin with the process.

First, go to the WordPress plugin section and install and activate the plugin.

Restricted Site Access WordPress plugin

Now, go to Settings » Reading.

Restrict access by IP address

You will see the option “Restrict site access to visitors who are logged in or allowed by IP address.” This option controls unrestricted IP addresses, site visibility, and restricted visitors. It is selected by default; you can disable it by choosing the other two options above it.

From now on, you will see four options under “Handle restricted visitors.” We will go through them one by one.

  • Send them to the WordPress login screen: Unauthorized visitors will see the login screen for WordPress.
  • Redirect them to a specified web address: This option will send visitors to the URL you add to the system.
  • Show them a simple message: This option will display a web message to visitors. It will inform the users about the restriction.
  • Show them a page: This option will show visitors a message from your site rather than any restriction.

Restrict admin access for unwanted visitors

To get unrestricted access to the site, you can add the IP address using the “Unrestricted IP addresses” option. Enter the IP address and click Add. Once done, click on “Save Changes.”

Suppose you have a team that operates from different locations and needs to give them unrestricted access. In that case, you can manually add a single or range of IP addresses using a subnet prefix.

restrict admin access to added IP Address

How to Change WordPress Page Login URL?

That’s all you need to do to restrict WordPress admin access by IP address. However, your security concerns don’t end here. WordPress doesn’t conceal the login page by default. If a user knows how WordPress handles login URLs, they can locate it. This implies that anyone who obtains your admin account credentials will also have full access to your website. Nevertheless, you can change the WordPress admin URL to protect your website and login page from intrusions.

We will use the plugin WPS Hide Login to help you understand how to change the WordPress page login URL.

First, install and activate the plugin.

WPS Hide Login

Now go to Settings » WPS Hide Login.

Settings for WPS Hide Login

The “Login URL” and “Redirection URL” options are here.

Login and Redirection URL

Change the login URL and click on “Save changes.” From now on, you need to enter the modified login URL to access the website’s backend.

If you have forgotten the new login URL, you can delete the plugin files using an FTP client. Once you have removed the plugin from the website, the login URL will also be removed. Then, you can use the /wp-admin URL to log in to your website.

BONUS: Best WordPress Security Plugins

Since discussing security today, let’s dive deeper into your security solutions. WordPress is a popular and well-known content management system. It is a secure platform but still vulnerable to cyber-attacks.

Plugins are a great way to secure your WordPress site from cyber vulnerabilities. Here are three plugins to help you further secure your sites.

  • Wordfence
  • All-in-One WordPress Security and Firewall
  • Defender

Let’s see what each has to offer.

1. Wordfence Security

Wordfence Security WordPress plugin

If you are on a low budget, Wordfence Security is a good option. This plugin’s best feature is the Web Application Firewall (WAF), which identifies and blocks malicious traffic. This plugin blocks malicious IPs to protect and reduce your site’s load. Wordfence Security enables deep integration with WordPress to protect your site at the endpoint.

You can block requests containing malicious code and content with an Integrated malware scanner. You can also protect your website from brute attacks with limited login attempts. For login security, you will get Two-factor authentication (2FA), the most secure form of a remote system.

With Wordfence Central, you can secure your multiple sites in one place. Moreover, if somebody tries to access your site or breaches your password, you will receive an alert and the location immediately.

Features

  • Identifies and blocks malicious traffic
  • Integrated malware scanner blocks requests
  • Real-time firewall rule and malware signature updates
  • Real-time IP blocklist blocks all requests

Pricing

Wordfence is a freemium plugin. To download it for free, go to the WordPress plugin repository. The premium version costs $119/year.

2. All-in-One WordPress Security

All-in-One WordPress Security (AIOS) is an easy-to-use but top-rated security and firewall WordPress plugin. It offers login security tools that protect your site from bots and brute-force attacks. Configuring a custom URL for the WordPress’ Admin’ login page can hide the login page from bots. If you don’t want a user to stay logged in indefinitely, you can force log out such a user after a considerable time.

You can implement Google reCAPTCHA, Cloudflare Turnstile, and a honeypot to registration pages to prevent spam registrations. You can avoid spam comments that can damage your brand and impact SEO. This plugin lets you quickly implement advanced security measures by editing your .htaccess and wp-config.php files through its interface.

The plugin offers a centralized dashboard to monitor security activity and settings, making managing your site’s security posture easier. It will also send regular updates to address new security threats and vulnerabilities. The plugin offers support through forums and documentation.

Key Features

  • Easy-to-use
  • Automatic protection from security threats
  • Hide login page from bots
  • Robot verification

Pricing

AIOS is a freemium plugin. You can download it for free from the WordPress plugin repository. The premium version costs $70/year for two sites.

3. Defender Security

Defender Security is another WordPress security plugin that offers many security features, such as a firewall, login security, and a malware scanner. Its Security Firewall protects against brute-force attacks by implementing IP blocking, and the malware scanner checks for modifications and unexpected file changes caused by malware.

On the other hand, Two-factor authentication (2FA) improves site security through login attacks such as App verification, brute force, lost device email, Web Authentication, and WooCommerce 2FA. You can also secure your site by enabling IP blocking based on location and country.

Defender plugin Increases security by protecting against compromised passwords and forces users with selected roles to reset their passwords.

Key Features

  • Malware scanner
  • WordPress Security Firewall
  • Two-factor authentication (2FA)
  • Login masking
  • 404 Detection security

Pricing

Defender is a freemium plugin. You can download it for free from the WordPress plugin repository. The premium version costs $15/month for one site.

Conclusion

That’s it, folks, for this article.

In it, we have discussed IP addresses and why it is essential to restrict WordPress admin access by IP address. Restricting WordPress admin access by IP address is an effective way to improve security. Limiting access to only trusted IPs reduces the risk of unauthorized access and potential security breaches. You can increase security by maintaining a backup plan and regularly monitoring IP changes.

Do you know any other method to restrict WordPress admin access by IP address?

Tell us in the comment section below.

You can also check our massive collection of informative articles on WordPress security management, including the ones shared below.