How to Safeguard WordPress with IP Restrictions

WordPress is the most popular CMS in use today. More than 35% of the world’s websites run on WordPress. As a popular publishing platform, it is also a prominent target for hackers and spammers. It is recognized as one of the most user-friendly content management systems available online, but despite this, WordPress is terribly vulnerable to attacks.
Did you know that more than 70% of WordPress installations are vulnerable to hacker attacks? Approximately 170,000 WordPress websites were hacked in 2011, and this figure continues to evolve. As a WordPress user, you might wonder why anyone would want to hack your website, particularly when it has low traffic. Does the hacker gain any monetary benefit? Steal your clients? Send spam emails? Often, hackers upload a script to the server that sends spam and gets the server blacklisted by all major ISPs and email services. Removing the IP address from those blacklists then costs considerable time and money.
Thus, it is better to be proactive than reactive and to keep your WordPress website secure from the start of WordPress web development. In this post, we walk through in detail how to set IP restrictions for the WordPress login page.

The Entry Point of WordPress Hackers

It is important for WordPress users to understand how hackers get into a WordPress website. Although there are several ways a hacker can break into a WordPress site, the primary techniques are grouped below:
1. 41% were hacked via a security vulnerability on their hosting platform.
2. 29% were hacked because of a security issue in the WordPress theme.
3. 22% were hacked because of security issues in WordPress plugins.
4. 8% were hacked because they had a weak password.

Security issues within hosting platforms cover multiple techniques, such as using a URL parameter to perform an SQL injection. This adds code to the database, which in turn allows data to be changed, retrieved, or deleted. Attacks made through a WordPress plugin or theme allow hackers to insert eval base64_decode code, which lets them run a PHP function from your website. This technique gives hackers access to the WordPress website in the future, even if you’ve deleted the malicious files.

The Security Threats of WordPress

1. Unnecessary Forced Login Attempts

– Hackers often try many username and password combinations to log in to your WordPress website.

2. Access to WordPress Themes & Plugins

– WordPress users often grant access to edit theme and plugin functionality. This may prove to be a security threat.

3. Login Information Confirmation

– When you log in to your WordPress account and mistype your username or enter an incorrect password, WordPress tells you which part of the login credentials is incorrect, which makes it easy for hackers to identify the incorrect credential.

4. WordPress Global Registration

– It is good that WordPress does not allow access from all over the world. This option should stay out of use as a preventive measure.

5. WordPress Version

– The WordPress version can reveal version-specific vulnerabilities that hackers can use to gain access to your site.

Now that you’re aware of the threats to WordPress security, here is a security step to take before altering your site’s files.

How to get started

Here are the two methods to limit access to the WordPress dashboard:
1. Single or Multiple Static IP Addresses: This option applies when the IP address is static and does not change, because the user edits the WordPress website from the desktop or other locations.
2. Multiple Dynamic IP Addresses: The IP address changes according to your location. This option applies if your site is accessed from several locations or if you use a mobile device to edit your website.

Accessing Your .htaccess File

The .htaccess file is a configuration file used on web servers that run the Apache Web Server software. When a .htaccess file is placed in a directory, the Apache Web Server software detects and executes it. If you do not have one, you can create a new one.
These .htaccess files configure the Apache Web Server software and are used to enable or disable additional functionality and features.
Now let us see the two options for limiting access by IP address.

Single or Multiple Static IP Addresses

If your WordPress website is solely your responsibility, only a few people need access and their IP addresses do not change. You can add one or more IP addresses to the safe list of users who can access the login page for your site.
Add the following to your .htaccess file. Be sure to save the file before closing the window.

ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404

<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
 RewriteCond %{REMOTE_ADDR} !^IP Address One$
 RewriteCond %{REMOTE_ADDR} !^IP Address Two$
 RewriteCond %{REMOTE_ADDR} !^IP Address Three$
 RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Edit lines 8 to 10, replacing IP Address One, Two and Three with the IP addresses that need access to the admin dashboard and login page. Each value is a regular expression, so escape every dot with a backslash. If you need only one IP address, remove two of these lines. You may also copy and paste them to add more addresses to the list.
Now, when an unauthorized person tries to access these pages, they’ll see your current theme’s 404.php file.
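
The static allow-list rule can be generated and checked offline before it is deployed. The Python sketch below is an added example, not code from the original post: it builds the anchored, dot-escaped REMOTE_ADDR conditions from a list of addresses and models how the conditions combine, that is (wp-login.php OR wp-admin) AND address not listed. The addresses are constructed documentation-range values and the function names are hypothetical.

```python
import ipaddress
import re

# Request-path patterns copied from the page's .htaccess block.
URI_CONDS = [r"^(.*)?wp-login\.php(.*)$", r"^(.*)?wp-admin$"]

# Constructed sample allow-list (documentation-range addresses, an assumption).
ALLOWED = ["203.0.113.10", "198.51.100.7"]


def remote_addr_conds(allowed):
    """Build one anchored, dot-escaped REMOTE_ADDR pattern per IPv4 address."""
    patterns = []
    for raw in allowed:
        addr = ipaddress.IPv4Address(raw.strip())  # ValueError on a malformed entry
        patterns.append("^" + re.escape(str(addr)) + "$")
    return patterns


def render_htaccess(allowed):
    """Render the rewrite block with the placeholders filled in."""
    lines = ["<IfModule mod_rewrite.c>", " RewriteEngine on",
             " RewriteCond %{REQUEST_URI} " + URI_CONDS[0] + " [OR]",
             " RewriteCond %{REQUEST_URI} " + URI_CONDS[1]]
    lines += [" RewriteCond %{REMOTE_ADDR} !" + p for p in remote_addr_conds(allowed)]
    lines += [" RewriteRule ^(.*)$ - [R=403,L]", "</IfModule>"]
    return "\n".join(lines)


def is_blocked(uri, remote_addr, allowed):
    """Model of the conditions: (login OR admin path) AND address not listed."""
    protected = any(re.search(p, uri) for p in URI_CONDS)
    listed = any(re.search(p, remote_addr) for p in remote_addr_conds(allowed))
    return protected and not listed


def coverage_report(allowed):
    """Run constructed requests through the model: {(uri, ip): blocked}."""
    requests = [("/wp-login.php", "203.0.113.10"),   # listed address
                ("/wp-login.php", "203.0.113.100"),  # near miss, anchors matter
                ("/wp-admin", "192.0.2.55"),
                ("/wp-admin/", "192.0.2.55"),        # trailing slash: pattern 2 misses
                ("/", "192.0.2.55")]
    return {req: is_blocked(*req, allowed) for req in requests}


if __name__ == "__main__":
    print(render_htaccess(ALLOWED))
    for (uri, ip), blocked in coverage_report(ALLOWED).items():
        print(f"{ip:15} {uri:15} -> {'403' if blocked else 'passes rule'}")
```

The trailing-slash row shows that the second pattern matches only a path ending exactly in wp-admin. WordPress itself then redirects an unauthenticated visitor to wp-login.php, where the rule applies.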

Multiple Users and Dynamic IP Addresses

If your WordPress website needs to grant login access from multiple locations because you have multiple users who require access to the dashboard, then this is the recommended solution for you.

Enter the following code in your .htaccess file:

ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404

<IfModule mod_rewrite.c>
 RewriteEngine on
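 # your-site\.com is a placeholder: put your own domain here, with dots escaped.
 # https? accepts referers from both the http and https versions of the site.
 RewriteCond %{HTTP_REFERER} !^https?://(.*)?your-site\.com [NC]
 RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
 RewriteRule ^(.*)$ - [F]
</IfModule>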

The only thing you need to do is put your site’s URL into the HTTP_REFERER condition. You also need to update the file path in the first two lines. The code also includes the extra 404 error page code. Hackers usually attack a website by hitting the login page and admin area with brute force attacks run by bots. This code blocks such requests while still allowing access to all visitors who reach the page via the actual website. Because the Referer header is supplied by the client, treat this rule as a filter against automated requests rather than as access control.


There is certainly more than one way to protect your WordPress website from hackers. With the growth of WordPress development companies, there is a great chance for hackers to attack your website. Setting IP restrictions will go a long way toward protecting your website from brute force attacks.

Written by Ana Elison

Ana Elison is a Senior WordPress Developer at Designs2HTML, a PSD to WordPress service provider company with global reach. She has a deep love for creativity and enjoys sharing her passion with various techniques on the web.