Security is an important part of running any type of website. Unfortunately, it’s likely that someone will eventually try to get into your dashboard without your consent. It’s up to you to put up enough defenses so they don’t succeed.
There are plenty of ways to protect your WordPress website. In most cases, you’ll want to focus on securing your login page and dashboard since they’re the most likely targets of attack. With this in mind, this article will teach you how to ‘whitelist’ IP addresses for access to your dashboard. Let’s get to work!
What Whitelisting Is (And Why It’s an Effective Security Measure)
When you whitelist an IP address for access to a specific page, no one except computers with that address has entry. As an example, if you’re a one-man band, you can tell WordPress to block access for any IP address that’s not yours, so nobody other than you can get into the dashboard.
‘Blacklisting’, on the other hand, involves blocking specific IP addresses from being able to access a page. It’s just as effective, but not as efficient as whitelisting. After all, it’s easier to whitelist a handful of addresses than to blacklist hundreds of potential attackers. Let’s talk a bit more about the other benefits of whitelisting:
- You have full control over who has access to your pages. We’ve only talked about your dashboard so far, but you can implement this feature for any part of your website.
- Attackers can’t access your dashboard even if they have working credentials. If someone manages to figure out your username and password, they still won’t be able to get into your dashboard without physical access to your computer.
- You can whitelist as many IP addresses as you want. WordPress enables you to add as many addresses as you want to your master list.
However, whitelisting IP addresses is often harder to set up if you’re part of a large team. Sometimes you or your teammates might need to get work done from a different computer, which means you’ll need to whitelist more addresses, and so on. From a security perspective, it’s a fantastic option, but you need to analyze whether it’s viable for your website before implementing it.
How to Whitelist an IP Address For Access to Your WordPress Dashboard (In 2 Steps)
Before you go any further, you should create a backup of your website if you don’t have a recent one available. We’re going to tweak one of WordPress’ core files in the sections below, so you’ll need to make sure you have a ‘get out of jail free’ card in the form of a full backup.
Step #1: Make Sure You (And Your Coworkers) Have a Static IP Address
Not everyone has a static IP address, which can make it impossible to create a whitelist without it becoming a headache. Before you implement this feature, you’ll want to triple-check that everyone on your team has a static IP address (or knows how to set one on their computer).
If someone doesn’t succeed in assigning themselves a static IP address, don’t despair. In some cases, your Internet Service Provider (ISP) will set it up for you. If all else fails, you could use a Virtual Private Network (VPN) service that offers dedicated IPs as a feature.
Keep in mind – most VPN providers will charge you a premium for a dedicated IP, so this option only makes sense if you need such a service for work. If you want to use a VPN with a dedicated IP on a budget, you can always set up your own using Virtual Private Server (VPS) hosting such as Vultr. Then, simply connect to your VPN each time you want to access your website, and you’re all set.
Step #2: Open and Edit Your .htaccess File
In this section, we’re going to set up your whitelist of IP addresses by adding a few lines of code to your WordPress .htaccess file. To get to it, you’ll want to use a File Transfer Protocol (FTP) client, such as FileZilla.
First, log into your website using your FTP credentials and go into your WordPress root folder, which could also be called public_html, www, or your website’s name:
Once you’re in, look around for the .htaccess file and right-click on it. Now select the View/Edit option, which will open the file using your local default text editor. Your .htaccess file should look something like the image below. However, some web hosting providers implement tweaks out of the box for their users, so don’t panic if there’s additional code in there:
In any case, don’t make any changes to the code within if you’re not sure what it does. For now, look for the line reading # END WordPress and paste the following snippet right above it:
<IfModule mod_rewrite.c>
RewriteEngine on
# Requests for /wp-admin and anything beneath it (the dashboard itself loads at /wp-admin/)
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# One line per whitelisted address. The pattern is a regular expression, so escape the dots
# when you fill in a real address (for example 203\.0\.113\.10).
RewriteCond %{REMOTE_ADDR} !^FIRST_IP_ADDRESS$
RewriteCond %{REMOTE_ADDR} !^SECOND_IP_ADDRESS$
# Every condition above holds only for an address that is NOT on the list: return 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
You’ll notice there are two placeholders in there for IP addresses you can add to your whitelist. Just replace the FIRST_IP_ADDRESS and SECOND_IP_ADDRESS values with the IPs you want to add, and that’s it.
If you want to add more IP addresses, just copy one of the RewriteCond %{REMOTE_ADDR} lines for each extra address and paste it above the line ending in [R=403,L]. That RewriteRule line tells the web server what to do for addresses not on the list. In this case, it returns the 403 Forbidden error.
Adding the Required Code
To secure your website even further, you can tell WordPress to block access both to your dashboard and login page, for addresses not in your whitelist. Here’s the code you’ll need:
<IfModule mod_rewrite.c>
RewriteEngine on
# The two REQUEST_URI conditions are joined with [OR]: the login page OR the dashboard
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# One line per whitelisted address; escape the dots in a real address (for example 203\.0\.113\.10)
RewriteCond %{REMOTE_ADDR} !^FIRST_IP_ADDRESS$
RewriteCond %{REMOTE_ADDR} !^SECOND_IP_ADDRESS$
# Reached only when the address matches none of the whitelist entries: return 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
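Because a typo in one of those RewriteCond lines can lock you out of your own dashboard, it helps to generate the block from a list of addresses and to check what it will do before uploading it. The following Python script is an added example, not code from the article: it validates each address, escapes the dots (a RewriteCond pattern is a regular expression, so an unescaped dot matches any character), writes out the combined login-plus-dashboard block from above, and emulates how mod_rewrite evaluates it for a few sample requests. The IP addresses are constructed documentation addresses, and the optional admin-ajax.php exception is taken from a reader comment below the article rather than from the article itself.

```python
import ipaddress
import re

# Constructed sample allowlist (RFC 5737 documentation addresses), not the article's.
ALLOWED_IPS = ["203.0.113.10", "198.51.100.7"]

# Request-path patterns from the combined login + dashboard snippet.
LOGIN_PATTERN = r"^(.*)?wp-login\.php(.*)$"
ADMIN_PATTERN = r"^(.*)?wp-admin(/.*)?$"
# Optional exception for front-end AJAX calls, which live under wp-admin/ (assumption,
# based on the admin-ajax.php comment below the article).
AJAX_PATTERN = r"admin-ajax\.php$"


def build_htaccess(allowed_ips, exempt_admin_ajax=False):
    """Return the .htaccess block as a string.

    Each address is validated with ipaddress (a typo raises ValueError) and its dots
    are escaped, because an unescaped '.' in a RewriteCond pattern matches anything.
    """
    lines = ["<IfModule mod_rewrite.c>", "RewriteEngine on"]
    # mod_rewrite logic: (login OR dashboard) AND [not admin-ajax] AND not-IP-1 AND not-IP-2 ...
    lines.append("RewriteCond %{REQUEST_URI} " + LOGIN_PATTERN + " [OR]")
    lines.append("RewriteCond %{REQUEST_URI} " + ADMIN_PATTERN)
    if exempt_admin_ajax:
        lines.append("RewriteCond %{REQUEST_URI} !" + AJAX_PATTERN)
    for ip in allowed_ips:
        ipaddress.ip_address(ip)  # raises ValueError for a malformed address
        lines.append("RewriteCond %{REMOTE_ADDR} !^" + re.escape(ip) + "$")
    lines.append("RewriteRule ^(.*)$ - [R=403,L]")
    lines.append("</IfModule>")
    return "\n".join(lines)


def decide(request_uri, remote_addr, allowed_ips, exempt_admin_ajax=False):
    """Emulate mod_rewrite's evaluation of the block: 403 (blocked) or 200 (passes through)."""
    protected = re.search(LOGIN_PATTERN, request_uri) or re.search(ADMIN_PATTERN, request_uri)
    if not protected:
        return 200
    if exempt_admin_ajax and re.search(AJAX_PATTERN, request_uri):
        return 200
    for ip in allowed_ips:
        # A listed address makes its negated condition false, so the rule does not fire.
        if re.search("^" + re.escape(ip) + "$", remote_addr):
            return 200
    return 403


def pattern_matches(pattern_ip, remote_addr, escaped=True):
    """Show why the dots must be escaped: an unescaped '.' matches any single character."""
    pattern = re.escape(pattern_ip) if escaped else pattern_ip
    return re.search("^" + pattern + "$", remote_addr) is not None


if __name__ == "__main__":
    print(build_htaccess(ALLOWED_IPS, exempt_admin_ajax=True))
    print()
    samples = [
        ("/wp-admin/", "203.0.113.10"),
        ("/wp-admin/", "192.0.2.5"),
        ("/wp-login.php", "192.0.2.5"),
        ("/wp-admin/admin-ajax.php", "192.0.2.5"),
        ("/", "192.0.2.5"),
    ]
    for uri, addr in samples:
        status = decide(uri, addr, ALLOWED_IPS, exempt_admin_ajax=True)
        print(f"{addr:>14}  {uri:<26} -> {status}")
```

Run it once with your own addresses in ALLOWED_IPS, confirm that a request to /wp-admin/ from an address that is not listed returns 403 while your own address returns 200, and then paste the printed block into .htaccess above the # END WordPress line.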
When you’re done adding IP addresses to your whitelist, you can save the changes to your .htaccess file and close it. Now, FileZilla will ask if you want to replace the version on your server with this new one. Say “Yes”, and that’s it – you’ve just taken a massive step towards protecting your WordPress website from attackers!
Conclusion
When you whitelist an IP address, you’re telling WordPress to only give that computer access to your dashboard. This means any addresses not on your master list won’t be able to load the dashboard at all. In other words, even if someone succeeds in stealing your credentials, it won’t be enough to get into your website.
The best part is, implementing this feature is rather simple, and consists of two steps:
- Make sure you and your coworkers have static IP addresses.
- Open and edit your .htaccess file.
Do you have any questions about how to whitelist an IP address in WordPress? Let’s talk about them in the comments section below!
Article thumbnail image by Jemastock / shutterstock.com.
This is one of the simplest and most effective protection methods. I am surprised it is not being promoted more. I have been using it for years on all my sites. And when my client does not have a static IP, I change it remotely using FileZilla and by having the client load a whatismyip page.
The only con I have encountered is when you create a password-protected page, or use portal plugins (e.g., WP-Client): the protected pages are not visible outside of the IP range specified.
You have to also exclude admin-ajax.php from those rules or some plugins will stop working on the public side.
Great defense, but with one big disadvantage of this method: you have access to administrate the client site only from one place on the planet (the IP you choose). If you are in another place and your client wants to edit something on his site, he must wait until you travel to the physical place with the static IP address you chose.
Not necessarily, because you can always, from any machine, enter the host with FileZilla (or cPanel), edit the .htaccess file again and leave it as before. This is a WordPress-level protection (Apache web server), not Linux host protection.
This sounds like a good idea, but only if you have a fixed IP address.
I think the better route is to get a security plug-in that changes the name of your log-in page, and gives you the opportunity to blacklist or whitelist, if necessary. Also limit the number of login attempts with a wrong password before blocking access for an hour (or whatever time you set).
Not a plug, but one example is WP Cerber.
What happens if my IP service provider happens to change the static IP? Does this then lock you out?
It will, but you can edit the .htaccess file and remove the code or update IP.
Hi John, I recently set up the Cookie-Based Brute Force Login Prevention feature with the All in One Security plugin, so would I need to add this extra form of security? Or do you think what I have would be enough? Cheers!
Hi Rich. We do recommend this additional form of security. Even though a plugin can deliver important security features, implementing whitelisting can further strengthen your site. Hope this helps.