Access to your WordPress administrator section can be restricted by IP address by adding rules for the website's .htaccess file. The file is located in the public_html folder.
The file may assist in mitigating brute force attacks targeting the administrator credentials.
Accessing the .htaccess file
You can access the .htaccess file by using either of the following methods:
Use the 'File Manager' in cPanel to navigate to the file and select “Edit”.
SSH - If you have SSH access, then you can edit the file using a text editor, such as vim or nano.
Restricting access to a single IP address
Add the following rule to your .htaccess file, replacing " 999\.999\.999\.999 " with your own IP address, including the backslashes before the full stops e.g. 221\.121\.55\.145:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^999\.999\.999\.999$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>Restricting access to multiple IP addresses
Add the following rule to your .htaccess file, replacing "999\.999\.999\.999" with your own IP addresses, including the backslashes before the full stops, e.g., 221\.121\.55\.145.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^999\.999\.999\.999$
RewriteCond %{REMOTE_ADDR} !^999\.999\.999\.999$
RewriteCond %{REMOTE_ADDR} !^999\.999\.999\.999$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>