How to restrict access to wp-admin or wp-login and allow specific IP
If you wish to use HTTP authentication instead of IP address restriction, you can follow our blog post here: How to restrict access to wp-admin using HTTP authentication(2FA) (linuxandruncloud.blogspot.com)
Introduction
In today's digital age, website security is of utmost importance. With the increasing number of cyber attacks, it is crucial to protect your WordPress website from unauthorized access. One way to do this is by restricting access to the wp-admin and wp-login pages. These pages are the gateways to your website's backend and control panel, and securing them is essential to ensure the security of your website. By limiting access to these pages to specific IP addresses, you can ensure that only authorized users have access to your website's backend.
Additionally, restricting access to the wp-admin and wp-login pages can also improve the performance of your website by reducing the amount of unwanted traffic and bot requests. This, in turn, can reduce the load on your server and improve the overall user experience for your visitors.
In this guide, we will walk you through the process of restricting access to the wp-admin and wp-login pages and allowing access only to specific IP addresses. Whether you are a website owner, administrator, or developer, this guide will provide you with the necessary steps to secure your WordPress website. From creating a backup of your website to implementing the restrictions, we will cover all the essential steps in a simple and straightforward manner.
Step 1
RunCloud provides an interface for adding custom Nginx configurations, so all you have to do is add the following configuration under the 'location.main-before' type. You can find it under RunCloud Account >> Your server >> Web application >> Nginx Config option.
Replace '10.10.20.30' with your IP address and 'app-renner.sock' with your web application name.
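# Applies to every URI that starts with /wp-admin or /wp-login.php
location ~ ^/(wp-admin|wp-login\.php) {
    # Only this address gets through; every other client receives 403
    allow 10.10.20.30;
    deny all;

    # PHP requests from the allowed address are still passed to PHP-FPM
    location ~ \.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_pass unix:/var/run/app-renner.sock;
    }
}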
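If you wish to implement this through Apache or OpenLiteSpeed, you can add the following code to your .htaccess file.
# Return 403 for wp-admin and wp-login.php unless the client IP is 10.10.20.30
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^10\.10\.20\.30$
RewriteRule ^(wp-admin/.*|wp-login\.php)$ - [F,L]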
Step 2
Now we need to verify that it is working as expected. If it is, we will get a 403 error when we try to access wp-admin or wp-login.php from other IPs.
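One way to script this check, as an added example that is not part of the original post: it requests the restricted paths without following redirects and lists any that do not answer 403. The path list and function names are assumptions made for this example; run it from a machine whose IP is not on the allow list.

```python
import sys
import urllib.error
import urllib.request

# Paths the rules above are meant to cover (chosen for this example).
PROTECTED_PATHS = ("/wp-login.php", "/wp-admin/", "/wp-admin/index.php")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 301/302 as-is instead of following them to another page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, paths=PROTECTED_PATHS, timeout=10):
    """Return {path: HTTP status} for each path, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    for path in paths:
        url = base_url.rstrip("/") + path
        try:
            with opener.open(url, timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            # Unfollowed 3xx and all 4xx/5xx arrive as HTTPError; keep the code.
            results[path] = err.code
    return results


def unprotected(results):
    """Paths that did not answer 403, i.e. the restriction is not applied."""
    return sorted(p for p, status in results.items() if status != 403)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_wp_restrict.py https://your-site.example")
    found = probe(sys.argv[1])
    for path, status in found.items():
        print(f"{status}  {path}")
    # Non-zero exit when any restricted path is still reachable.
    sys.exit(1 if unprotected(found) else 0)
```

A 302 on /wp-admin/ means the request reached WordPress, which redirects to the login page, so the rule is not being applied to that path.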