Access to your WordPress administrator section can be restricted by IP address by adding rules to the website's .htaccess file. This file is located in the public_html folder.
This may assist in mitigating brute force attacks targeting the administrator credentials.
Accessing the .htaccess file
You can access the .htaccess file by either:
- Using 'file manager' in cPanel to navigate to the file and selecting edit.
- SSH - If you have SSH access then you can edit the file using a text editor such as vim or nano.
Restricting access to a single IP address
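Add the following rule to your .htaccess file, replacing "999\.999\.999\.999" with your own IP address, including the backslashes before the full stops, e.g. 221\.121\.55\.145. The backslashes are needed because the address is written as a regular expression, where an unescaped full stop matches any character:
<IfModule mod_rewrite.c>
RewriteEngine on
# Match requests for wp-login.php or a URI ending in wp-admin
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ...that do not come from the allowed IP address
RewriteCond %{REMOTE_ADDR} !^999\.999\.999\.999$
# Answer those requests with 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Restricting access to multiple IP addresses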
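Add the following rule to your .htaccess file, replacing each "999\.999\.999\.999" with one of your own IP addresses (one RewriteCond %{REMOTE_ADDR} line per address), including the backslashes before the full stops, e.g. 221\.121\.55\.145:
<IfModule mod_rewrite.c>
RewriteEngine on
# Match requests for wp-login.php or a URI ending in wp-admin
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# The negated address conditions are ANDed: the request is refused only if it matches none of the allowed addresses
RewriteCond %{REMOTE_ADDR} !^999\.999\.999\.999$
RewriteCond %{REMOTE_ADDR} !^999\.999\.999\.999$
RewriteCond %{REMOTE_ADDR} !^999\.999\.999\.999$
# Answer those requests with 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>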
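Added example, not part of the original page: a Python script that builds the block above from a list of IPv4 addresses, validating and dot-escaping each one, and models which requests the conditions would answer with 403. The function names and sample addresses are assumptions made for this example, and Python's re module stands in for Apache's regex engine.

```python
import ipaddress
import re

# URI conditions copied from the page's rule; the [OR] flag joins the two.
URI_PATTERNS = [r"^(.*)?wp-login\.php(.*)$", r"^(.*)?wp-admin$"]


def addr_pattern(ip):
    """Validate one IPv4 address and return its anchored, dot-escaped pattern."""
    addr = ipaddress.IPv4Address(ip.strip())  # raises ValueError on bad input
    return "^" + str(addr).replace(".", r"\.") + "$"


def build_block(allowed_ips):
    """Return the page's .htaccess block for a list of allowed IPv4 addresses."""
    if not allowed_ips:
        # With no address condition the rule would refuse every login request.
        raise ValueError("at least one allowed address is required")
    lines = ["<IfModule mod_rewrite.c>", "RewriteEngine on"]
    lines.append("RewriteCond %{REQUEST_URI} " + URI_PATTERNS[0] + " [OR]")
    lines.append("RewriteCond %{REQUEST_URI} " + URI_PATTERNS[1])
    lines += ["RewriteCond %{REMOTE_ADDR} !" + addr_pattern(ip) for ip in allowed_ips]
    lines += ["RewriteRule ^(.*)$ - [R=403,L]", "</IfModule>"]
    return "\n".join(lines)


def is_forbidden(uri, remote_addr, allowed_ips):
    """Model the logic: (URI cond 1 OR URI cond 2) AND every negated address cond."""
    uri_hit = any(re.search(p, uri) for p in URI_PATTERNS)
    no_addr_match = all(
        not re.search(addr_pattern(ip), remote_addr) for ip in allowed_ips
    )
    return uri_hit and no_addr_match


if __name__ == "__main__":
    ips = ["221.121.55.145", "203.0.113.7"]  # constructed sample addresses
    print(build_block(ips))
    samples = [  # constructed (URI, client address) pairs
        ("/wp-login.php", "198.51.100.9"),
        ("/wp-login.php", "203.0.113.7"),
        ("/wp-admin", "198.51.100.9"),
        ("/index.php", "198.51.100.9"),
    ]
    for uri, addr in samples:
        print(uri, addr, "403" if is_forbidden(uri, addr, ips) else "allowed")
```

Running it prints a block ready to paste into .htaccess, followed by the modelled outcome for each sample request.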