How to Restrict IP Addresses to Login WordPress Admin?

Updated on

Block IP Addresses WordPress Admin

 How to Block IP Addresses in WordPress to Stop Spam

Ever received unwanted comments from your site’s visitors?

Want to block the IP address for username login in WordPress?

Want to Automatically blacklist range of IP addresses?

If you’ve answered yes to either of these questions, then chances are good that unauthorized users may be trying to gain access to your site.

Are you worried about the security of your WordPress site? Want to secure the WP Administrative panel? 

You need to consider Blocking IP Addresses in WordPress. Restricting admin access by IP Address is an effective method to secure your WordPress admin panel

In this article, we’ll tell you how to restrict/block specific IP Addresses to Login in WordPress Dashboard, WordPress plugins to block ip addresses & manual way to block ip address access to WP admin

Securing your website is critical, as it holds both your personal information and any other data that users share with you. That’s why dealing with these invaders should be a top priority. One easy way to get rid of them is by blocking any IP addresses that seem malicious.

You’ll learn how to restrict IP addresses and enhance your website’s security in this article. Let’s dive in.

Why Restrict IP Addresses in WordPress?

Spammers or hackers may be trying to attack your website. Need to blacklist IP addresses in WordPress to prevent spam or malicious users? By blacklisting their IP addresses, you can keep them out. Here are 4 reasons why you may want to block them:

1. Too much spam

Commenters may be contributing regularly to your site’s spam. You’ll often discover some shady advertisements in your comment section. By blocking these dubious visitors, you’ll be able to:

2. Annoying bots

Some users may not be spamming per se but they may be interacting like bots. Their presence can present a lot of challenges, especially if you’ve set up a user forum. Restricting suspicious IPs stops these bots in their tracks.

3. Unauthorized visitors

You may be limiting your site’s access to only authorized visitors who aren’t required to create individual accounts. You can fend off unwanted users by restricting IPs to only those users in specific regions. Unfortunately though, if they’re using SSL proxies, it won’t be easy to identify them.

Also Read: How To Change Your WordPress Username

4. Hacker attacks

A staggering 90% of hacked websites are built on WordPress, a Sucuri study states. Hackers primarily use two ways to gain illegal entry to your site: DDoS and brute force. Identifying shady IPs and restricting them helps obstruct these attackers and is one of the advanced tips you can use to secure your wordpress site from hacking

Also ReadWebsite Security For Small Business – A Big Concern in 2021

Identifying Problematic IP Addresses

You can find IP addresses you want to block using these two ways:

Comments

First, you need to have an idea of which IPs are causing issues before you can blacklist them. If you discover they’re from spammy or dodgy commenters, then the blacklisting process becomes easy. 

WordPress stores the address of all your site’s commenters. To get their address, visit the dashboard then navigate to the ‘’Comments’’ section. 

The ‘’Author’’ section will display the IPs of every commenter, right below usernames and email addresses. Write down the IPs you want to shut out – you’ll key them into specific fields later.

Raw Access Logs

Finding IP addresses, when your site is facing DDOS attacks, can be challenging. In such cases, you can obtain IPs by looking into your access log.

You have to log in to cPanel. Click on ‘log’ and scroll to ‘’Raw Access Logs’’. Selecting this section will lead you to the access logs section. Here, you have to choose your domain name, and then download your access logs file. 

Downloaded access log files are normally in .gz archive formats. To use the file, you have to extract it. Some computers don’t have the programs necessary to open such files. If this is the case, then you need to install a program that supports such files. Two popular apps for extracting folders are WinZip and 7-Zip; you can download them on any Windows device. 

Your access log folder, which you’ll find inside the archive, can only be accessible via a Notepad or any similar apps. The folder gives you access to all raw data of requests sent to your site. IP addresses making these requests appear first on the line, so they’re very easy to get hold of. 

how to restrict access login in wordpress

If you’re not careful, you can restrict the IP addresses of search engines and other normal users. To capture the right IPs, you have to first record all IPs that seem suspicious. You can then paste them into any IP lookup tool so that you can analyze them further. 

Receiving too many requests from a single address may be an obvious sign that you’re dealing with a dubious IP. Note down such addresses in a different text file, as they may be up to no good.

Restrict IP Addresses in WordPress – Manually & Plugins

You can restrict IP addresses using two methods:

  • Manually block them from the “Comment Blacklist’’ section
  • Using plugins

We’ll look into both methods below. These are the best way to block IP addresses in wordpress to invaders and DDoS attackers

Blacklisting WordPress Commenters

To blacklist IP addresses and prevent them from leaving comments, visit the “Settings” column. Scroll to ‘’Discussion”’ and click on “Comment Blacklist.” Paste all the IPs you want to keep out. 

restrict wordpress admin access by ip address

 

Block ip addresses Using  .htaccess

To manually block IP addresses, you have to use the .htaccess file. When blacklisting IPs using this file, you’ll use varying methods, depending on the IP address type. These types include:

  • Static IP address

If you have a single PC in your home that you always use to access your site, then you have a static IP address. This blacklisting method may be perfect for you if you barely ever change your address or if your site is only run by you and maybe a few people. You’ll need to include one or multiple addresses of people who can get into your site’s login page. 

The following code will help you add a few IP addresses to your safe list, so you can keep away any unauthorized IPs. Make sure you click ‘Save’ before closing the file. 

wordpress restrict admin access by ip plugin

  • Dynamic IP Addresses

If you’re regularly accessing your site from different locations, then this solution may work for you. You need to enter this code into your file:

access wordpress admin using ip address

Remove the ‘’your-site.com’’ part and insert your website’s URL, then update the path in the first and second lines. The code also comes with an error page that prevents your site from falling into the trap of a redirect loop. 

Malicious users may try to gain access to your login page illegally with brute force attacks. The above code will lock these hackers out while giving access to legit visitors who come to the page using your actual site. These legit users won’t be able to tell the difference. 

With a security plugin that shows you unsuccessful login attempts, you can see the difference this code makes with dynamic IP addresses.

To allow access to the WordPress admin dashboard to more than one IP address,

add the code as below,

order deny,allow
# Replace the below 117.168.1.10, 117.168.119.11 with the IP addresses you want to allow #
allow from 117.168.1.10
allow from 117.168.119.11
deny from all

Apart from this, you can take help from following WordPress plugins to Ban IP Addresses to Login on WordPress Dashboard.

To allow only your IP to access the dashboard.

Write the following code to your .htaccess file.  If you do not have an .htaccess file in your wp-admin directory, then simply create a new one.

order deny,allow
# Replace the below 117.168.1.10 with your IP address #
allow from 117.168.1.10
deny from all

Above code will allow only IP address mentioned above to access the WordPress admin dashboard.

Also ReadWordPress .htaccess hacked – Cleanup & Prevent .htaccess Attack

IP Blocker on Cpanel to Block IP addresses

This method is the best way to block IP addresses of site invaders and DDoS attackers.

Firstly, login to Cpanel of your site, scroll to the “Metrics” menu and select “Raw Access”.

block IP addresses of site cpanel wordpress

wordpress block ip address from login

Each logged visit includes your site visitor’s IP addresses as well as the time and date of each visit. All you need to do is click on the link to download all the information. You can also extract the IP address using any zip folder application like Express Zip or WinZip. You can then view the information by using any modern text editors like Notepad, Notepad++.

Be sure to look up the extracted IP addresses through an IP lookup tool such as this one by mxtoolsbox. This will help you identify the IP addresses that you would want to block traffic from.

Next, scroll to “Security” section of your cpanel, and click on IP Blocker.

  1. Type into the text-box the IP address you wish to block. You can type in a range of IP addresses you wish to deny access to your site.
  2. Click Add.

ip blocker to block wordpress ip address

 How to Block IP Addresses in WordPress

These IP addresses will surely no longer be able to access your site.

Block IP Addresses WordPress Plugins

Security plugins help automate the process of restricting IPs – you don’t need to look for hackers manually. Some of the most popular blocking plugins include:

WP Ban

Similar to the Simple-IP ban, WP-ban users can block any specific IP or an IP range. The plugin displays a ban message to any of the banned users who try to visit your site. In addition to wildcard matching, it also allows you to set aside specific addresses to prevent them from getting a ban. Whenever these excluded addresses visit your site, Wp-ban records stats on the number of times they visit your website. 

To use the plugin:

  • First, install and activate it normally 
  • Go to ‘’Settings”
  • Click the ‘’Ban” option. You’ll get a page showing banned IPs and IP ranges 
  • Customize the page, adding or removing certain IP addresses 
  • Save the changes

wordpress login restrictionSimple IP ban

A free plugin, Simple IP ban does as its name suggests: blocks IP addresses through a simple process. To use the plugin, first, download it just as you would any other. Then head over to “Settings.” Click ‘’Simple IP ban” and configure the plugin

At the ‘’Settings’’ section you’ll be able to:

  • Ward off bots by blocking some User Agents
  • Restrict a specific IP (you can keep out a service provider)
  • Restrict an IP Range

Also, you can establish a redirect URL and prevent logged-in users from being blacklisted.

Also ReadHow To Delete Invisible Admin User In WordPress?

Limit Login Attempts

WordPress typically allows all users to access your site, granting unlimited login attempts by leveraging special cookies. This unlimited access leaves your site open to brute-force attacks, as your passwords and hashes can easily be hacked. 

Login Attempts blacklists IP addresses, preventing users from making any more login attempts after they’ve surpassed the designated number of retries allowed. In essence, the plugin makes it difficult for dubious users to execute a brute-force attack. 

Some of the plugin’s features include:

  • Caps on retry login attempts for every IP. You can change this limit to a number that suits your site. 
  • Allows you to limit attempts using auth cookies. 
  • Informs visitors about the remaining number of allowed retries, or how much time they have until it blocks them out. 
  • Allows for optional notifications
  • Enables website owners to whitelist IP addresses with the help of a filter.

To use the plugin:

  • First, install the plugin from the WordPress dashboard. 
  • Go to “Settings” and click on the plugin’s menu. This window will pop up. 
  • restrict access to wordpress admin
  • You can then set the attempts limit, the lockout time, and many other options.

Also ReadHow to Monitor User Activity in WordPress?

Simple Security

The simple security plugin allows you to track logins and unsuccessful login attempts on your dashboard. By upgrading to its premium version, you can get features that include:

  • Regular email alerts that you can configure when certain conditions are met
  • Optional alerts when the plugin blocks a new IP address. 
  • Optional alert after every successful login attempt.
  • Optional alert to your email every time a user’s login attempt fails
  • Lifetime Priority Support

Here’s how you can use the plugin:

  • Install the plugin, just like you would other WordPress plugins
  • Go to Settings and click the plugin’s menu option. 
  • Make the changes to what suits you best. Choose the alert types you want to get. 

Also ReadHow To Setup WordPress Login Two-Factor Authentication (2FA)

IP Blacklist Cloud

This plugin enables you to block any suspicious IP addresses that visit your website. It submits your site details to their database, allowing the remaining users to view the sites that have blacklisted them and read comments. The plugin features new functionality that enables you to prevent visitors from spamming your site. 

How the plugin works

  • Visit “Blacklist” and scroll until you see the option to include IP addresses in the Blacklist section. You can then insert the IP you want to restrict. This procedure allows you to keep out IP addresses manually. 

restrict page access wordpress

  • You can navigate to the “Comments” section of the plugin to get rid of any spammers. You can then get the IP details of these spam commenters by visiting IP-finder.me. Visitors whose IPs have been blocked will not get access to any of your site’s content 
  • Going to “IP Blacklist” will allow you to remove any IP addresses from your blocked list. You’ll also be able to get your website’s link off the list of sites that have blacklisted that IP. 
  • You can comment on IP Cloud to inform other website owners why you’ve blacklisted the IP address.

Also ReadHow to remove google blacklist warning message

Block IP range to prevent Brute Force Attack

The problem in all the above methods is that you need to find the IP address of the user. Though you can find it from the comment or server log, it is difficult for you to identify the severity of the attack. Sometimes, blocking single IP will not help since the attacker can use multiple IP addresses. In such case, you can use brute force attack plugins to block the previously identified attackers beforehand.

If you are using Jetpack plugin, enable brute force attack prevention under “Jetpack > Settings > Security” section. There are many other wordpress security plugins you can use to secure your site.

Is Your Website Secure?

Worried that your website may be open to attacks? Getting a security scan can help you identify any of your website’s malware, so you can get rid of them and get your site back in good shape. With Wp Hacked Help’s inspection, you get detailed, thorough clean-up reports on your website, informing you of any possible vulnerabilities. If you find any malicious code in your website we can fix your hacked wordpress site.

WordPress-Security-Scan-Malware-Removal

Final Thoughts

Thwarting hackers shouldn’t be as difficult as most website owners make it out to be. By blacklisting dodgy IPs using your dashboard, you can keep them out and prevent your site from falling victim to their attacks. 

That said, don’t expect user IPs to remain the same. Unwanted visitors can use different IPs to access your site. Even if you block them once, they may return with new addresses. That’s why we’d recommend that you routinely stick to one of these options we’ve mentioned above and quickly block new, malicious IPs every time they pop up.