Adding a New Layer of Security to your WordPress Installation using .htaccess IP Restrictions
Peace of mind over your WordPress website’s security can become an obsession when online attackers abound and try to brute-force their way in, so what can you do to worry a bit less? The simple answer: make sure that you, or a select few, are the only people able to log in.
While this may cause management problems (if not nightmares) on sites that have many users or authors, it is an extremely robust yet simple way to achieve a high level of security on your personal websites.
You should do this if:
- You, or only a few people, are the only users who log in
- You, or the users who log in, have a static IP*
*An IP address that does not change over time, e.g. cable internet
You should not do this if:
- You log in to the website from many locations (unless you add the different IP addresses to our new .htaccess rules)
- Many people, either authors or users, log in to the website. (In this case, I recommend plugins.)
- You have a Dynamic IP*
.htaccess Permissions Check
We’ll be working with two .htaccess files, one inside the wp-admin folder and the other in the root of the WordPress installation. The files can sometimes be invisible in cPanel, so the simplest way is to open the File Manager and check the “Display hidden files(.dot file)” option. On some hosts you might not be able to modify the file, so check that first to make sure you can proceed.
Step 1: Creating a new WordPress Admin .htaccess rule and/or file
In your favorite text editor (I use Notepad++ on Windows), create a file called .htaccess and paste the following, starting from the first line:
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
Where xx.xx.xx.xx is your IP address. Click here to find out yours.
Then upload it to your ‘wp-admin’ directory.
Note: If you need to add several IP addresses, just add another line:
Allow from xx.xx.xx.xx
Step 2: Modifying the existing .htaccess in the Root WordPress Installation
Next, add rules to the .htaccess in the root of the WordPress installation. The file will either already exist or you will need to create it as you did with the other. The contents of the file should include the following rule block:
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
</Files>
Where again xx.xx.xx.xx is your IP address.
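The two rule sets from Steps 1 and 2, written so they also work on Apache 2.4, where Order/Deny/Allow is deprecated and only available through mod_access_compat. This is an added example, not part of the original article: 203.0.113.10 and 198.51.100.0/24 are placeholder documentation addresses, and the admin-ajax.php exception assumes a theme or plugin on your site makes front-end AJAX calls.

```apache
# ---- File 1: wp-admin/.htaccess ------------------------------------
# 203.0.113.10 is a placeholder; replace it with your own static IP.

# Apache 2.4+: mod_authz_core provides "Require".
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
    # One more "Require ip" line (or a CIDR range) per extra location:
    # Require ip 198.51.100.0/24

    # Assumption: a theme or plugin calls admin-ajax.php for visitors.
    # Without this exception those front-end requests get a 403 too.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</IfModule>

# Apache 2.2: fall back to the Order/Deny/Allow syntax from Step 1.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10

    <Files "admin-ajax.php">
        Order Allow,Deny
        Allow from all
    </Files>
</IfModule>

# ---- File 2: .htaccess in the WordPress root -----------------------
# Only the login script is restricted; the rest of the site stays public.
<Files "wp-login.php">
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>
```

Keeping each syntax inside its own IfModule block avoids mixing the old and new directives in one scope, which the Apache documentation discourages.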
Last Step: Making sure everything works
Last but not least, verify that you can still access the login page, and confirm that you cannot from another internet connection, say your old 56k which uses dynamic IPs, or from another location.