How to protect your WordPress back end using IP whitelisting

Thibault Seynaeve

To make WordPress more secure, you should start by using a strong password, but that’s not all you need to do. By restricting access to your WordPress back end to specific IP addresses, you can prevent malicious users from even having the chance to guess your password.

Securing your WordPress website is of the utmost importance, not only for your company’s reputation but also for your technical SEO. Using a strong password is a good start, but as long as your login page is reachable by everyone, malicious individuals can still try to guess that password.

That is why we are going to use IP whitelisting to restrict access to the back end (and the login screen in general) to a specific IP address. For this you need your public IP address, the address your connection presents to the internet (a site such as whatismyip.com shows it).

Important considerations

Please note that most users have a dynamic IP address by default, which means that your IP address changes regularly! If you work with features such as whitelisting, it is therefore advisable to ask your internet service provider for a static IP address. As the number of IPv4 addresses is limited, this is often only available with business subscriptions, and for a fee.

Also check which address the web server actually sees. If you reach the site over IPv6, REMOTE_ADDR is your IPv6 address and an IPv4-only whitelist locks you out. And if the site sits behind a reverse proxy or CDN, the server sees the proxy’s address instead of yours unless it is configured to take the client address from the forwarded header (mod_remoteip on Apache).

Another important point to bear in mind: this whitelisting blocks the login page for everyone who is not on the list. If you have a website where users also log in (such as an online shop), remove the <Files "wp-login.php"> block and keep only the wp-admin rule, so customers can still sign in while the dashboard stays restricted.

And one final point: do not block admin-ajax.php. Many plugins and themes call it, also for visitors who are not logged in, to keep the site working. Because it lives in the wp-admin directory, a rule that blocks everything under wp-admin/ must explicitly exempt it; otherwise a lot of features on your website will stop working.

The advantages and disadvantages of IP whitelisting

Using IP whitelisting for your WordPress back-end has several key benefits:

  • You specify exactly which addresses may reach the WordPress back end. Even someone who has your password cannot log in unless they also connect from a whitelisted address.
  • Brute-force attacks against the login form no longer reach it. Bear in mind that wp-login.php is not the only place WordPress accepts a password: xmlrpc.php does too, so block it the same way or disable XML-RPC if you don’t use it.
  • You reduce the load on your server. Every day, a great many bots search specifically for pages such as wp-login.php in order to carry out automated login attempts. Because the 403 is returned by Apache before PHP and WordPress are even loaded, you don’t waste server resources on this bot traffic.
  • You don’t need to install an extra plugin for this additional layer of security, as you configure it in the .htaccess file (on Apache; on Nginx the same restriction goes into the server configuration with allow/deny directives).

Of course, there are also a few drawbacks to bear in mind:

  • If you whitelist your home IP address, you can only reach the WordPress back end from that address. When you’re out and about, you can’t simply log in via a public hotspot or mobile data: you first need a VPN connection that exits through a whitelisted address (for example a VPN server on your home router), so that the site sees the same IP address even when you access it remotely.
  • If you don’t have a fixed IP address, it’s only a matter of time before you’re assigned a new one and find yourself locked out. You then have to whitelist the new address by editing .htaccess via (S)FTP or your hosting panel, because you can no longer do it from within WordPress.
  • If regular users of your website also use wp-admin (for example, to change their password), they will no longer be able to access it either. This setup is therefore not suitable for every website.

Configuring IP whitelisting via .htaccess

To whitelist your IP address, add the following lines to the .htaccess file in your WordPress root, just above the standard WordPress rules (the # BEGIN WordPress block). The example uses 203.0.113.10, a reserved documentation address; replace it with your own public IP. The Require directives are Apache 2.4 syntax (Apache 2.2 used Order/Allow/Deny instead), and your host must allow .htaccess overrides:

# Whitelisting
<IfModule mod_rewrite.c>
RewriteEngine On

# admin-ajax.php lives under wp-admin/ and must stay reachable for everyone
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$
# Block wp-admin for everyone except your IP (203.0.113.10 is a placeholder)
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^wp-admin/? - [F,L]
</IfModule>

# Protect login (Apache 2.4 syntax)
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# Allow AJAX
<Files "admin-ajax.php">
    Require all granted
</Files>

And what if you want to whitelist multiple IP addresses? Add one RewriteCond line per address (all conditions must hold, so the rule only fires when the client matches none of them) and list every address in the <Files "wp-login.php"> block. Several Require ip lines, or several addresses on one Require ip line, both mean “any of these”:

# Whitelisting
<IfModule mod_rewrite.c>
RewriteEngine On

# admin-ajax.php lives under wp-admin/ and must stay reachable for everyone
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$
# Block wp-admin for everyone except these IPs (placeholders: use your own)
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.20$
RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.30$
RewriteRule ^wp-admin/? - [F,L]
</IfModule>

# Protect login (Apache 2.4 syntax)
<Files "wp-login.php">
    Require ip 203.0.113.10
    Require ip 198.51.100.20
    Require ip 192.0.2.30
</Files>

# Allow AJAX
<Files "admin-ajax.php">
    Require all granted
</Files>
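Retyping the fragment by hand every time a dynamic address changes is where mistakes creep in: a RewriteCond regex accepts an impossible address such as 123.456.789.000 without complaint, and since no real client ever matches it, the rule then blocks everyone, including you. The following POSIX shell script is an added example, not code from the original article: it checks that every address is a real dotted-quad IPv4, escapes it for the regex, and prints the complete fragment for the single-IP and multi-IP cases above, including the explicit admin-ajax.php exemption. The addresses in the usage line are RFC 5737 documentation addresses chosen for this example.

```shell
#!/bin/sh
# Added example: generate the .htaccess whitelist fragment from a list of IPv4 addresses.
# 203.0.113.x and 198.51.100.x are RFC 5737 documentation addresses used here as
# placeholders; substitute your own public IP(s).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# (The RewriteCond regex itself would accept 123.456.789.000, so we check here.)
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # non-digits, empty octet, leading/trailing dot
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -ge 0 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Escape the dots so the address is matched literally inside a RewriteCond regex.
regex_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print the complete fragment for the given addresses. Refuse the whole list if any
# address is malformed, so a typo never silently locks everyone (you included) out.
htaccess_whitelist() {
    [ $# -ge 1 ] || { echo "usage: htaccess_whitelist IP [IP...]" >&2; return 1; }
    for _ip in "$@"; do
        valid_ipv4 "$_ip" || { echo "invalid IPv4 address: $_ip" >&2; return 1; }
    done
    printf '# Whitelisting (generated)\n'
    printf '<IfModule mod_rewrite.c>\n'
    printf 'RewriteEngine On\n\n'
    printf '# admin-ajax.php lives under wp-admin/ and must stay reachable for everyone\n'
    printf 'RewriteCond %%{REQUEST_URI} !/wp-admin/admin-ajax\\.php$\n'
    printf '# Block wp-admin for everyone except these IPs\n'
    for _ip in "$@"; do
        printf 'RewriteCond %%{REMOTE_ADDR} !^%s$\n' "$(regex_escape "$_ip")"
    done
    printf 'RewriteRule ^wp-admin/? - [F,L]\n'
    printf '</IfModule>\n\n'
    printf '# Protect login (Apache 2.4 syntax; several addresses on one line mean "any of these")\n'
    printf '<Files "wp-login.php">\n'
    printf '    Require ip %s\n' "$*"
    printf '</Files>\n\n'
    printf '# Allow AJAX\n'
    printf '<Files "admin-ajax.php">\n'
    printf '    Require all granted\n'
    printf '</Files>\n'
}

# Usage: run this again after your address changes and paste the output above the
# "# BEGIN WordPress" block, or redirect it into a file that .htaccess includes.
htaccess_whitelist 203.0.113.10 198.51.100.20
```

Because the generator rejects the list as a whole on the first bad address, it is safe to call from a small cron job or deploy step: either you get a complete, valid fragment or you get nothing and an error on stderr, never a half-written .htaccess.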
