Blocking access to your WordPress dashboard

WordPress iconOne of the most fool-proof ways to protect your WordPress Dashboard is to block everyone (except yourself) from getting to it. If your site only requires a few people be able to log in, this is the best way to keep your site safe. Even if you have a larger network of authors, members, contributors, etc., you can at least block attempts which aren’t sent from your login page, which will help protect against some bot attacks.

In either case, you may also want to install a security plugin like Better WP Security to ensure you’ve covered all your bases.

Blocking Everyone (except you)

To start blocking access, you need to:

  1. Determine the IP address of everyone who need to access the site. You can do this by going to a site like What Is My IP.  You’ll want to do this from every computer which needs to gain access to the site.  As well, you’ll want to be aware that these may change periodically, so you may need to go back and make updates.
  2. Log into your Hosting Control Panel. This document should have been provided when we set up your website/hosting.  If you do not have this, please contact us.
    • Go to ‘Websites & Domains’ at the top of the page.
    • Click ‘File Manager’
    • Click the ‘httpdocs’ folder
    • You’re looking for a filed called ‘.htaccess’ which should appear near the top of the list.  (Note: If you don’t see it, you may need to create a new file, using ‘Add New File’ at the top of the page.  Click this, choose ‘Create a file’, enter the name as .htaccess, and click okay.)
    • Click the pencil icon next to ‘.htaccess’
    • If you have one or more IP addresses to add, go to the very end of the file, add two line breaks, and then paste in the following:<IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR]
      RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
      RewriteCond %{REMOTE_ADDR} !^192.168.1.1$
      RewriteCond %{REMOTE_ADDR} !^192.168.1.1$
      RewriteCond %{REMOTE_ADDR} !^192.168.1.1$
      RewriteRule ^(.*)$ – [R=403,L]
      </IfModule>

      Replace 192.168.1.1 with your IP address(es), ensuring the forward slash remains before each period. Delete any extra lines, or copy and paste if you have more than 3 IPs.

    • Click ‘Save’
  3. Go to your website, and ensure everything is loading okay. Check to ensure that you can get to the WordPress login page and access your Dashboard. If you have any issues with the site, double check your .htaccess file to ensure you haven’t missed a slash. If in doubt, remove the new lines and try again. If you’re sure you’ve done everything right and this still isn’t working, skip down and try the method below, or contact us for assistance.
  4. If possible, ask someone outside your computer network if they can try to get to your WordPress login. If not, then you’re all secured.
  5. If, in future, you get an error when you try to visit your WordPress dashboard, you likely need to update your IP address. Replace the old one with the new one using the same steps described above.

Preventing attempts not sent from your login page

If you can’t pinpoint the particular IPs, then you’ll want to:

  1. Log into your Hosting Control Panel. This document should have been provided when we set up your website/hosting. If you do not have this, please contact us.
    • Go to ‘Websites & Domains’ at the top of the page.
    • Click ‘File Manager’
    • Click the ‘httpdocs’ folder
    • You’re looking for a filed called ‘.htaccess’ which should appear near the top of the list. (Note: If you don’t see it, you may need to create a new file, using ‘Add New File’ at the top of the page. Click this, choose ‘Create a file’, enter the name as .htaccess, and click okay.)
    • Click the pencil icon next to ‘.htaccess’
    • Go to the very end of the file, add two line breaks, and then paste in the following:<IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteCond %{REQUEST_METHOD} POST
      RewriteCond %{HTTP_REFERER} !^http://(.*)?example.com [NC]
      RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR]
      RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
      RewriteRule ^(.*)$ – [F]
      </IfModule>

      Replace example.com with your domain name, ensuring the forward slash remains before any periods.

    • Click ‘Save’
  2. Go to your website, and ensure everything is loading okay. Check that you can get to the WordPress login page and access your Dashboard.

If this is all a bit overwhelming, don’t worry, we’re here to help. For only $25-35, we’ll take care of this for you. Send us an email, and let us know which method of protection you’d prefer, along with a list of the allowed IP addresses, if you’d like to go that route. Our team will install the protection rules for you, and let you know when we’re done so you can enjoy secure access your Dashboard. Please note that if you’d like us to make changes in the future to update your IP address(es), these will be billed at our regular hourly rate.