Whitelist IP Addresses in WordPress
One of your most important management responsibilities is keeping your WordPress website secure. Many websites are targeted by indiscriminate attacks; if yours is one of them, your website and its data may be in danger. One security recommendation is to whitelist IP addresses in WordPress to reduce this risk.
Thanks to this feature, only the people you trust will be able to access your dashboard. Anyone attempting to log in from an address that isn't on the list won't even be able to view your WordPress login page, because the restriction operates at the server level. Additionally, if you don't mind copying and pasting a few lines of code, it's not too difficult to implement.
Why Whitelist IP Addresses
It's crucial to remember that, unless it's only a staging site, you usually won't want to restrict access to your complete website. Instead, you'll only need to protect your login page and back end.
As you can imagine, this security feature offers a lot of advantages. It:
- Allows you to decide who may view your website. You may protect your website from attacks by limiting access to just particular IP addresses.
- Is superior to putting login security safeguards in place. Consider your login page as a door that many individuals have keys to. When you whitelist IPs, you effectively hire a full-time security guard to watch that door and make sure that only those you've authorized may enter.
- Is simple to apply. You can make this functionality available if you use WordPress by adding a few lines of code to one of your core files. Even if you're not a coder, it's really easy.
Whitelisting IP addresses in WordPress can still be challenging. If you work on a big team, you'll need to persuade everyone to give you their IPs, as well as determine how to handle people with dynamic addresses (IPs that change regularly).
Steps to whitelist IP addresses in WordPress
Step 1: Locate your .htaccess file
For this feature to work correctly, we must make the necessary changes to the .htaccess file. It's a core file in your WordPress installation that your server reads directly, and it lets you create "rules." In this instance, we're going to instruct it to prevent IPs that aren't on a list of allowed ones from accessing your dashboard login page.
If you are using cPanel, you can use File Manager to edit the file, or you can use an FTP client.
Step 2: Whitelist an IP address by editing your .htaccess file
You can see two placeholders for distinct IP addresses (IP_ADDRESS_ONE and IP_ADDRESS_TWO) in the example below. Replace the placeholder text with the actual IP addresses. You can add as many more lines as you like, one directly underneath the other, using the same structure. Make sure to leave the "^" and "$" symbols before and after each IP address, though.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^IP_ADDRESS_ONE$
RewriteCond %{REMOTE_ADDR} !^IP_ADDRESS_TWO$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
This is how it should look with real IP addresses filled in:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# Dots are escaped so each one matches a literal "." and not any character
RewriteCond %{REMOTE_ADDR} !^10\.10\.10\.10$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^1\.1\.1\.1$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
This block should be added at the end of your .htaccess file, after the default rules, to avoid confusion. When you're finished, save your modifications and have each whitelisted user attempt to log in to ensure that your new security feature is operational. You can simply go back to the file whenever you add or remove team members to make the appropriate additions or deletions.
It's easy to learn how to whitelist IP addresses in WordPress, and it's a really effective approach to keep hackers off your website. Remember that if you wish to use this security feature, you'll need to get the IPs of every one of your co-authors and find a way to allow those with dynamic addresses to continue working.
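As an added example (not part of the original article), the Python script below validates a list of addresses, renders the block from Step 2, and models which requests the rule answers with a 403. The function names and the outsider address are constructed for illustration, and Python's `re` is assumed to behave like Apache's regex engine for patterns this simple.

```python
import ipaddress
import re

# Request-URI conditions copied from the rule on this page.
URI_CONDS = [r"^(.*)?wp-login\.php(.*)$", r"^(.*)?wp-admin$"]

def remote_addr_pattern(ip):
    """Validate one IPv4 address and return its anchored, dot-escaped regex."""
    addr = ipaddress.IPv4Address(ip.strip())  # ValueError on typos like 10.10.10.256
    return "^" + re.escape(str(addr)) + "$"

def build_block(ips):
    """Render the .htaccess block with one RewriteCond per allowlisted address."""
    lines = ["<IfModule mod_rewrite.c>", "RewriteEngine on",
             "RewriteCond %{REQUEST_URI} " + URI_CONDS[0] + " [OR]",
             "RewriteCond %{REQUEST_URI} " + URI_CONDS[1]]
    lines += ["RewriteCond %{REMOTE_ADDR} !" + remote_addr_pattern(ip) for ip in ips]
    lines += ["RewriteRule ^(.*)$ - [R=403,L]", "</IfModule>"]
    return "\n".join(lines)

def is_blocked(uri, remote_addr, ips):
    """Model the rule: 403 when (URI cond 1 OR 2) AND no allowlist entry matches.
    Python's re stands in for Apache's regex engine (an assumption)."""
    protected = any(re.search(p, uri) for p in URI_CONDS)
    allowed = any(re.search(remote_addr_pattern(ip), remote_addr) for ip in ips)
    return protected and not allowed

# Constructed sample data: the example addresses from this page plus one outsider.
ALLOWLIST = ["10.10.10.10", "123.123.123.123", "1.1.1.1"]
OUTSIDER = "203.0.113.7"  # documentation-range address, constructed
SAMPLE_URIS = ["/wp-login.php", "/wp-admin", "/wp-admin/", "/wp-admin/index.php", "/"]

def coverage_report(ips=ALLOWLIST, outsider=OUTSIDER):
    """Map each sample URI to whether a non-allowlisted client gets a 403."""
    return {uri: is_blocked(uri, outsider, ips) for uri in SAMPLE_URIS}

if __name__ == "__main__":
    print(build_block(ALLOWLIST))
    for uri, blocked in coverage_report().items():
        print(f"{uri:22} {'403' if blocked else 'passes to WordPress'}")
```

In this model only /wp-login.php and /wp-admin (without a trailing slash) return 403 to a non-allowlisted address. Paths below /wp-admin/ match neither URI condition, so include them when you test the rule after saving.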