When you search for ways to secure your WordPress sites, many solutions show up. Some recommend creating a members-only site, while others suggest password protection.
Unfortunately, membership sites won’t matter if your users share their accounts with others to log in. The same thing goes for password-protected content which can be shared across users easily.
In these cases, you should consider restricting users by IP addresses to allow authorized access only.
In this article, we’ll help you clarify how effective IP restriction is, then we’ll show detailed guides on how to block access to your WordPress site based on IPs.
Why Block IP Addresses
The main reason for whitelisting certain IP addresses is to prevent unauthorized access and boost your site security. Even if your users give their credentials to others, those other people won’t be able to log in.
You can also restrict bots from spamming your site. Whenever you find a strange user leaving spam comments on your posts, banning the account is not enough. That user can easily use another account and keep spamming your site. You should check and block the IP address the spam comes from to prevent future access.
There are various areas on your WordPress sites that need securing, including the admin page, WooCommerce checkout page, password-protected content, or even the entire site.
Let’s go over their instructions one by one.
Restrict WooCommerce Checkout Pages by IP Addresses
WooCommerce checkout pages are the most attractive target for thieves since they include your customers’ personal information as well as the purchased products. Thieves can steal this private information to misuse it and at the same time take the products without paying anything.
If these are digital or downloadable products, it takes them no more than 3 seconds to download.
To stop this, you need assistance from PDA Gold and its WooCommerce Integration plugin. They help you protect your files and set IP restrictions at the same time.
Upon installation and activation, the Prevent Direct Access option will be added to your WordPress admin navigation menu. Just follow these 2 simple steps to protect your WooCommerce checkout pages:
- Head to the Prevent Direct Access section and open the WooCommerce tab
- Enter the number of IP addresses you want to whitelist in the IP Restrictions box
That’s it! Once a customer successfully buys a file from your store, the plugin will capture and save the customer’s IP address automatically. Then, anyone who uses this account to view the checkout page from another IP address will be blocked right away.
“What if my customers use another device or go to another location to open their checkout?”
It’s simple! You can go to WooCommerce → Orders and enter other IP addresses you want to grant access to that checkout page.
How to Block Password Usage based on IP Addresses
Password-protected pages are another crucial place that thieves attack. How do you know whether a user has shared the password with a relative to view the content? It’s necessary to track the IP address of each password entry attempt to spot suspicious ones.
PPWP Pro and its Statistics and Smart Restriction extensions do a great job at limiting password usage based on IPs. You can assign one password to your private content, then allow one usage per IP address.
The plugins will record user information, including their names, IP addresses, the dates they enter the password, and their browser info.
To get started with these plugins, you need to:
- Install and activate PPWP plugin, PPWP Pro plugin, Statistics extension, and Smart Restriction extension
- Go to Smart Restriction under the Password Protect WordPress section
- Enable the option Restrict Password Usage
- Choose Restrict by IP addresses from the drop-down menu
- Select the private content for which you intend to restrict password usage. Just leave “All pages, posts, and PCTs” if you plan to apply this to all protected content on your site.
Whitelist Certain IP Addresses to the Admin Page
Besides WooCommerce checkout pages and password-protected content, the admin login page is another sensitive area you need to take into account. Once bad bots have access to this page, they can steal all your important data, including customer details. They can even bring the entire site down without you noticing.
Restricted Site Access comes as a powerful plugin helping you limit your site access to certain users. To achieve that, all you need to do is:
- Install and activate the Restricted Site Access plugin
- Open Settings → Reading in your admin sidebar
- Scroll down to the Unrestricted IP addresses section
- Enter the permitted IPs
Save all the changes and you’re done. You can allow only the developers or editors to work on your site now.
Allow IP Addresses to Entire Site with Apache .htaccess
You can allow or deny specific IP addresses access to your entire site, or to parts of it, by configuring the .htaccess file.
Firstly, log into your FTP client or cPanel File Manager to find the .htaccess file. Then, make a copy of your current .htaccess to avoid unexpected mistakes while editing it.
After that, enter these code snippets into the file to control the website accessibility. You should replace the example IP address in the code below with your desired one.
order deny,allow
deny from all
allow from 123.123.123.123
Do you want all people to view your site except some users? Simply adjust the rules in lines 2 and 3. For example:
order deny,allow
deny from 123.123.123.123
allow from all
In case you just want to protect the wp-admin page, use these code snippets:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
Similarly, you have to replace the example IP 123\.123\.123\.123 with the right address.
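The order, deny and allow directives above are the Apache 2.2 syntax, which Apache 2.4 only accepts through the mod_access_compat module. The following is an added example, not part of the original article, showing the same policies written with Apache 2.4’s Require directives; the addresses are constructed placeholders from the documentation ranges.

```apache
# Added example: Apache 2.4 (mod_authz_core) equivalents of the rules above.
# 203.0.113.10 and 198.51.100.0/24 are constructed placeholder addresses;
# replace them with your own.
# Use ONE site-wide policy (A or B), not both, and do not mix these
# directives with the older order/deny/allow lines in the same file.

# A. Allowlist: deny everyone except the listed address and subnet.
Require ip 203.0.113.10 198.51.100.0/24

# B. Denylist: allow everyone except one address.
#    Commented out here because it contradicts policy A.
# <RequireAll>
#     Require all granted
#     Require not ip 203.0.113.10
# </RequireAll>

# C. Login page only: restricts wp-login.php and nothing else.
#    Use it by itself when the rest of the site should stay public.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>
```

If the site sits behind a CDN or reverse proxy, Apache sees the proxy’s address as the client IP, so these rules and the %{REMOTE_ADDR} condition above match the proxy rather than the visitor. Restore the real client address first, for example with mod_remoteip, before relying on IP rules.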
Make Use of WordPress IP Address Restriction
We’ve shown you 4 different ways to block suspicious users and spammers from accessing different parts of your WordPress site. These areas consist of the WooCommerce checkout pages, password-protected content, admin areas, and the entire site.
PDA Gold helps restrict access to customers’ checkout pages to prevent account sharing. PPWP Pro and its extensions, on the other hand, assist you in tracking the IPs of users who enter passwords.
You can use the Restricted Site Access plugin to allow specific users to log into the admin page. The last method requires you to edit the .htaccess file to apply IP restriction to the website.
Which of the above methods do you prefer? Share with us in the comment section below.