Protect WordPress login based on IP address
Photo by ~ A. Lehel M. thanks Alexander S. for the lovely Postcard.

One of the best ways to protect your WordPress login form from attackers, is to limit access to it based on IP addresses. This solution works for websites that only have a couple of users, meaning they do not have public registration. The following code will completely shield access to your login page from unknown computers.

Protect WordPress login based on IP address

Follow these steps to protect your wp-login.php from brute force attacks. KEEP IN MIND this method will not allow anyone outside the IP range to access your login form.

If you are not familiar with FTP clients and .htacces files you should consider other alternatives to protect your website. If you feel confident implementing a pretty draconian method, you can follow these steps:


  1. Connect to your website through an FTP client, such as FileZilla
  2. Back up your current root directory .htaccess file
  3. Paste the code in your .htacces file located in your websites route directory. Paste it outside the BEGIN/END Worpdress tags
    # BEGIN WordPress
    < NOT here!!, this gets overridden from time to time >
    # END WordPress
    <or here>
  4. Add your website domain name instead “” in the code
  5. Replace with your websites IP address, you can check your websites IP address here  : Find IP address of a website
  6. Replace with the first 3 octets of your home or work IP address (don’t forget the period after the third octet), you can check your IP address here Whats my IP
  7. Add as many IP address as you like, example: your home, your work or your favorite Starbucks if you write to your blog from there.


# Protect wp-login.php from Brute Force Login Attacks based on IP Address

<FilesMatch "^(wp-login.php)">

Order Allow,Deny
# Step 4. Add your website domain name
Allow from
# Step 5. Add your website/Server IP Address
Allow from
# Step 6. Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets:
Allow from
# Step 7. add more IP's  if needed
# Allow from



KEEP IN MIND this method will not allow anyone outside the IP ranges to access your log-in form including you. This means you will not be able to log in if your IP address changes or you are at your grandmothers house, you have to add the new IP address to your .htaccess file through FTP.

CREDIT: The Code presented in this post was based on a code snippet originally posted in one of BulletProof Security plugin’s forums. I highly recommend this plugin for people with a deeper understanding how .htacces files work.

Did you know? there is a Beer button on my website.