Protecting your WordPress website from being hacked can be a daunting task.

After all, there’s only so much you can do to minimize the chances of a potential attack.

Even after setting strong usernames and installing multiple security plugins, hackers can break into your site by applying brute force attacks.

Luckily, there are a few simple steps you can take to prevent hackers from forcing their way through your WordPress login page.

One of the best ways to reduce the risk of your site being hacked is to restrict access to a given set of users based on their IP address.

In this post, I’ll show you how you can limit access to both static and dynamic IP addresses for the WordPress login page.

Let’s get cracking!

Why you should limit login attempts

By default, the WordPress core isn’t very secure.

In fact, it allows users to access a website’s login page and enter as many username and password combinations as they’d like.

While manually this may take a lot of time, hackers exploit this security flaw by leveraging scripts that input tens of thousands of combinations in minutes. With this scripting technology, chances are, your website will open up to hackers before you know it.

This makes it all the more important to limit login attempts in WordPress.

For instance, if you set the login attempts to 3, the user accessing your website’s login page will be logged out temporarily after 3 failed attempts. You can also configure to block the IP address that was accessing your website for any amount of time – 5 minutes, 5 days, or even 5 years.

Although this is something you can accomplish through a free plugin like Login LockDown, limiting access to your WordPress admin page by messing with .htaccess configuration file is pretty straight forward – something you should know how to do by hand.

The thing about IP addresses

IP addresses can broadly be categorized as static or dynamic.

When a device is assigned a static IP address, the address does not change. Most devices use dynamic IP addresses, which are assigned by the network when they connect and change over time. – Google

When you sign up for an Internet connection, the Internet Service Provider assigns you either a static or dynamic IP address based on your account type. You can restrict both static IP addresses and dynamic IP addresses from accessing your site’s WordPress login page.

If you (the administrator) have a static IP address and login to your website’s dashboard from home then your IP address will remain the same. If you fit this scenario, then you should follow the static IP address tutorial in the following section.

On the other hand, if you (the administrator) have a dynamic IP address then there’s a chance that it will change from time to time on its own. In such a case it is advisable to follow the dynamic IP address tutorial instead since you’re never really sure when your IP address will change or what it will be next.

Let’s get some basics out of the way

Your WordPress site’s .htaccess configuration file is very important and therefore it is necessary to create a backup of it. In the case that something goes wrong you can always restore the backed up file.

If you haven’t done so already, now would be a great time to sign up for a WordPress site maintenance service that creates and manages backups for you such as VaultPress. If you prefer to take matters into your own hands then you can download a free backup plugin from the WordPress plugin repository.

Now that you’ve created a backup of your .htaccess configuration file it’s time to dive into the tutorial.

IP address and .htaccess configuration file

The very first thing you need to do to set IP restrictions –  whether they are static or dynamic – is your machine’s IP address. If you don’t know what it is then you can check by going to online tools such as

Once you’ve figured that out, you’ll need to locate your WordPress site’s .htaccess configuration file from its root directory. We recommend that you log in with your host’s cPanel and open the .htaccess configuration file with the default text editor. For some reason, if you do not have a .htaccess configuration file then you can create one yourself.

Option 1 – Setting restrictions on static IP addresses

As we mentioned above, if your IP address doesn’t change constantly or you only use a handful of machines to log in to your WordPress website then it’s best to set IP restrictions on the selected few IP addresses.

The principle behind this method is to create a list of safe IP addresses that denote the users that login to your WordPress website. This ensures that only those who need to access it can and those who don’t, won’t.

Step 1: Open your site’s .htaccess configuration file on the default text editor.

Step 2: Add the following code to the top of your .htaccess configuration file:

RewriteEngine on

RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$

RewriteCond %{REMOTE_ADDR} !^12\.345\.678\.90

RewriteCond %{REMOTE_ADDR} !^IP Address InsertTwo$

RewriteCond %{REMOTE_ADDR} !^IP Address InsertThree$

RewriteRule ^(.*)$ - [R=403,L] 

Step 3: Click Save.

In the code given above, replace the IP addresses in line 4 and line 5 with the static IP addresses that you would like to give access to. Keep in mind that format should be in line with the IP address given in line 3.

Similarly, if you’d like to permit access to more than 3 users then simply copy line 4 and add in the IP address.

Option 2 – Setting restrictions on dynamic IP addresses

Sometimes you’ll have to grant access to multiple users, the IP address of whom you might not be sure of.

A scenario like this typically arises when you have a bunch of authors contributing to your site’s blog or if you’ve signed up for a WordPress maintenance service. Whatever the case may be you’ll need to grant access to dynamically changing IP addresses.

Step 1: Open your site’s .htaccess configuration file on the default text editor.

Step 2: Add the following code to the top of your .htaccess configuration file:

Note: be sure to replace your-site’ with your own domain name.

RewriteEngine on


RewriteCond %{HTTP_REFERER} !^http://(.*)?your-site' [NC]

RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]

RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$

RewriteRule ^(.*)$ - [F] 

Step 3: Click Save.

To tailor this code specifically to your WordPress website, all you have to do is replace your-site’ with your WordPress website’s URL. What this code basically does is it limits access to potential hackers who leverage brute force attacks to gain access to your website.

Once you’ve added this code, only visitors who access the login page internally will make it to your-site’

Option 3 – Using a third party firewall

This method isn’t free, but it offers the most protection. Although, it’s typically suited to those with static IP addresses.

A firewall like the one provided by Sucuri would block any access to your WordPress login page, unless the IP address is white listed.

Their Cloudproxy firewall acts as a content delivery network, and as such can speed up your site while protecting against DDoS attacks.

There are a bunch of other features they offer too:

  • Malware removal (should the worst happen)
  • Server side scanning for malware
  • Blacklist monitoring
  • Uptime monitoring
  • WHOIS monitoring


If you are worried about your website being hacked, the sooner you start taking preventive measures the better.

Although there isn’t a one size fits all solution to protecting your WordPress website from potential hackers, setting IP restrictions goes a long way to guarding against brute force attacks.

By granting access to legitimate users you can rest assured that your site will be protected to some extent from malicious attackers.

Posted by Rafay Saeed Ansari

Rafay is an entrepreneur, computer scientist, and professional ghost-writer for several high-traffic websites. He is also the Founder of BloggInc. He provides byline and ghost-writing services for digital and brick-and-mortar businesses with a focus on web development, WordPress, and entrepreneurship.