When it comes to WordPress security, you need to pay attention to various methods to stop hackers and ill-intentioned users from damaging your site. These attackers will harm not only the admin areas but also the content and media files.
Protecting admin pages means securing your own data as well as user information. You must always make sure hackers aren’t able to break into your site, steal data, and exhibit bad behavior. If this happens, it might result in poor user experience which impacts your brand reputation negatively.
There are multiple tools and methods allowing you to prevent malicious attacks on your WordPress site. Some enable user role restriction while some others simplify the protection process only with a password. However, hackers will still try brute force attacks to crack the door to your site.
Need a more secure solution? So, sit back, relax, and let’s dig into restricting access to your WordPress site by IP addresses, both from the backend (admin pages) and the frontend (files and content).
Determine the allowed IPs
Even if you plan to block hackers and unwelcome users from your site’s backend or frontend, firstly, you need to identify which IP addresses should have access.
The first allowed IP address should be yours. You can deny all addresses but your own. Simply type “What is my IP?” on Google and you can get your static IP right away.
In case you work from home, it’s hard to determine and manage your IPs. It’s because these IP addresses are dynamic ones and can be changed frequently. You have to go back and modify the admin IP restriction settings again whenever the IP is changed.
Restrict WordPress Admin Access to Specific IPs Using .Htaccess File
The .htaccess file comes as a powerful website file that controls high-level configurations of your site. It enables you to configure your site without having to edit server files. Take these 3 simple steps to stop WordPress admin access via the .htaccess file.
Step 1: Backup the .htaccess file
Before taking any action on the .htaccess file, you’re required to make a backup to ensure that you can restore everything on your site in case anything goes wrong.
Step 2: Allow access to the WordPress login page from specific IPs
The following instruction guides you on how to grant access to one or multiple IP addresses to your admin area. You’re permitted to edit the file directly in cPanel or use a text editor.
- Create a new .htaccess file
- Insert this code into the wp-admin/.htaccess file
order deny,allow allow from 22.214.171.124 deny from all
- Remember to replace the “126.96.36.199” with your own IP address
- Add new “allow” lines if you want to sanction access for multiple admins
order deny,allow allow from 188.8.131.52 allow from abc.de.fg.hi allow from 184.108.40.206 deny from all
Step 3: Block certain IP addresses from logging into your WordPress site
Similar to authorizing particular IPs to access your WordPress admin page, you can also block a number of Internet Protocol addresses if you find them suspicious.
Malicious bots enter all possible usernames and passwords to your WordPress admin repeatedly. You can recognize their IP addresses and block them easily by checking your log file.
Enter this code to your .htaccess file to ban users from certain IP addresses from opening your admin area
order allow,deny deny from 220.127.116.11 allow from all
It’s possible for you to prevent more than one IP address. Just add other “deny from” lines to the code.
Limit Access to WordPress Files and Content by IP Addresses
Besides the admin area, you should also secure your WordPress content and files. Even though you’ve protected them by user roles, your members might share the login information. As a consequence, unauthorized users are able to view private content without your permission.
It’s highly recommended to block your pages, posts, and media files via IP addresses. As a result, even though users have the shared credential information, they won’t be allowed to open your protected content and files.
Prevent access to private WordPress files by IP addresses
Primarily come as the best WordPress file protection plugin, Prevent Direct Access (PDA) Gold enables you to block private WordPress files by IP addresses too.
When your files are secured, users will no longer be able to access them via original URLs. Instead, you can provide them with private links to open these files. The links will expire after a given time or a number of clicks.
Once providing blacklisted IPs, users from these addresses are unable to see both your file’s original URLs or private links.
To get started using the plugin, follow these steps:
- Download the PDA Gold plugin
- Head to Add New under Plugins
- Click on Upload Plugin and select the zip file you’ve downloaded
- Enter the license key sent to your mailbox and activate the plugin
- Visit your Media Library and protect any of your desired files by clicking on “Configure file protection”. The file is secured now. Anyone opening its original URL will be redirected to a 404 not found page.
- Hit “Auto-generate new link” to create a private link for this file. You can spend specific users this link to view your files
- Go back to the plugin Settings page and move to the IP Restriction tab
- Enter specific IP addresses that can open your file via private download links
In case you have numerous IP addresses to block, the above method will cost more time, and definitely painful. There should be an option of letting you whitelist IP addresses. To expand the plugin functionality, you should install its extension, namely File Access Restriction.
- Download the File Access Restriction extension
- Upload to your WordPress Plugins section and activate the plugin (similar to the steps 2,3,4 above)
- Turn back to the Prevent Direct Access Gold settings page
- Move to the IP Restriction tab
- Scroll down and enter the whitelisted IP addresses who should have access to your private files
- Save your changes
Restrict WordPress pages and post access by IP addresses
While PDA Gold and Access Restriction plugins help you protect WordPress media files, Protect WordPress Pages and Posts turns out to be the easiest and simplest solution to protect your WordPress content.
It proves useful when you don’t want to lock the content with a membership website or even with a password. Instead, you can create a private link and send it to your members only.
To protect your content more effectively via IP addresses, you must integrate it with the File Access Restriction extension.
This guide shows you how to use these 2 plugins to limit access to WordPress pages and posts by IP addresses.
- Download and install Protect WordPress Pages and Posts plugin and File Access Restriction extension (you can reference how to install a plugin in the section above)
- Click the Content Protection icon inserted to your WordPress navigation menu
- Visit the Restriction page
- Enter your desired IP addresses
Ready to Restrict Access to Your WordPress Site by IP Addresses
There is no protection method to 100% secure your WordPress site. Hackers are still finding ways to attack and inject malware to steal your database. Prevention is always better than cure. Limiting access to WordPress sites by specific IP addresses, both from frontend and backend, becomes effective to block unwanted users and harmful bots.
You can add code to your .htaccess file to allow or deny specific IP addresses. Remember to back up this file as well as your site before making any changes there.
Install Prevent Direct Access Gold plugin and its File Access Restriction extension to block certain IPs from accessing your files. If you want to protect WordPress content, simply use the Protect WordPress Pages and Posts plugin along with the File Access Restriction extension.