Limit WordPress WP-Admin Access To Specific IPs - Keep Brute Force Hackers Out | WP Learning Lab

  • Published: 30 Sep 2024
  • 🔥Name Your Own Price🔥 for the 11-Point WP Security Checklist Smart PDF: wplearninglab....
    Code from the tutorial:
    # BEGIN Restrict WP-Admin Access To Specific IPs
    Order Deny,Allow
    # Replace the dummy IP on the next line with your own IP address
    Allow from 123.456.789.111
    Deny from all
    # END Block WP-Admin Access To Specific IPs
    In this tutorial I'm going to show you how you can restrict wp-admin access to only the IP addresses that you specify.
    This works great if you have a static IP or a known dynamic IP range that you always access the internet from. This technique is still doable if you travel a lot and access your site from a lot of different locations (and thus different IPs), but it's more of a pain in those cases.
    The major benefit of this technique is that if someone does successfully crack your username and password they won't be able to get to your WordPress admin dashboard because their IP won't be allowed.
    So the first step is to create an .htaccess file in your WordPress wp-admin folder. Let's do that.
    First log in to your hosting account's cPanel. Then find and click on the File Manager icon and choose the Document Root for the website that you are hardening. This will open the root of the website in another tab.
    Then double click on the wp-admin folder to open it.
    You can also log into the website root using FTP if you are more comfortable with that.
    If you do not see a .htaccess in the wp-admin folder (you probably won't see one) then you can make one by clicking Add New File in the File Manager or right-clicking and choosing Create New File via FTP.
    Open the .htaccess file you just made and paste the code from above into it. Then you'll need to find your IP by going to Google and typing in "What is my IP?". Google will display your IP just below the search bar. Copy it and use it to replace the dummy IP in the .htaccess file.
    Save the .htaccess file and your wp-admin is secured.
    If you know that you have a dynamic IP in a certain range you can use this handy generator to cover all your possible IPs using variables and wildcards (www.toshop.com/....
    If you want to add more IPs then just duplicate the "Allow from IP" line as many times as you need to and add the additional IPs.
    That's all there is to prevent wp-admin access. Now you've done your WordPress security for the day. Time to take a break! Or better yet, watch the next video.
    I hope this information helps you! If you have any questions leave a comment below or ping me @WPLearningLab on Twitter.
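
An added example, not code from the video or from WP Learning Lab: a small Python generator for the wp-admin .htaccess that validates every entry (the tutorial's dummy 123.456.789.111 is rejected), merges adjacent ranges, and writes Apache 2.4 `Require ip` rules next to the tutorial's 2.2-style directives. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress


def parse_allowlist(entries):
    """Validate single IPs or CIDR ranges and merge overlapping ones.

    Raises ValueError for anything that is not a real address, such as
    the tutorial's placeholder 123.456.789.111.
    """
    by_version = {4: [], 6: []}
    for entry in entries:
        # strict=False accepts host bits in a range (198.51.100.5/24)
        net = ipaddress.ip_network(entry.strip(), strict=False)
        by_version[net.version].append(net)
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        merged.extend(ipaddress.collapse_addresses(by_version[version]))
    return merged


def fmt(net):
    """Bare address for a single host, CIDR notation for a range."""
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def render_htaccess(entries):
    """Return the text of a wp-admin/.htaccess for the given allowlist."""
    allowed = [fmt(n) for n in parse_allowlist(entries)]
    if not allowed:
        raise ValueError("empty allowlist would lock every admin out")
    lines = [
        "# BEGIN Restrict WP-Admin Access To Specific IPs",
        "<IfModule mod_authz_core.c>",
        "    # Apache 2.4 and later",
        "    Require ip " + " ".join(allowed),
        "</IfModule>",
        "<IfModule !mod_authz_core.c>",
        "    # Apache 2.2: the directives used in the tutorial",
        "    Order Deny,Allow",
        "    Deny from all",
    ]
    lines += ["    Allow from " + a for a in allowed]
    lines += ["</IfModule>", "# END Restrict WP-Admin Access To Specific IPs"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: one static IP plus two adjacent ranges
    sample = ["203.0.113.10", "198.51.100.0/25", "198.51.100.128/25"]
    print(render_htaccess(sample))
```

Before relying on the generated file, request /wp-admin/ from an address that is not on the list and confirm the server answers 403.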

Comments • 49

  • @clearandfocused8882 4 years ago +2

    Hello. What is the difference between limiting access to wp-admin vs limiting access to wp-login? And what implications do both of these options have for eCommerce sites?

    • @wplearninglab 4 years ago +1

      Good question. If you are not logged in and you go to /wp-admin then you'll be redirected to the /wp-login page. However, if you are logged in (or someone hacks in) and they go to wp-admin, then they'll be redirected to your WP dashboard. The wp-login page remains the login page whether you're logged in or not.
      For eCommerce sites, customers usually only have access to their account pages on the front end. They have no need to go into the WP dashboard. The only people who need access to the WP dashboard are you and people who work for you on the site.
      So blocking all other IP addresses is a good security practice.
      I hope that helps, let me know if you have any further questions. Thanks for watching!

    • @clearandfocused8882 4 years ago

      @wplearninglab Thanks for the reply! I have been researching this for a week, and surprised this isn't explained very clearly anywhere.
      So, to clarify, if I have an eCommerce site, blocking all other IP addresses to the wp-admin won't affect my customers? Is this correct (because this is contrary to some of what I've read, but it was ambiguous about admin vs login)? And customers will still be able to login to front-end at /wp-login.php? Also, what if I rename the login page for extra security? They can still register/subscribe no problem? Thanks again for the LearningLab!

  • @bacharalmohammadalkhalaf2688 2 years ago

    Hi.. thanks for this information
    I have another problem: I can't do anything in my dashboard, forbidden 403
    You don't have permission to access this resource.

  • @DYHARDGAMERS 4 years ago

    Hi WP learning, there is a big flaw in this system. It does not login, but when you go back to the homepage of the website, it shows you the homepage but as a logged in user. How can we fix this? It happens with WPS hide login. The other issue is that you can still login through /wp-login.php. Through wp-login.php, it will deny it access, but if you visit the home page after you try /wp-login.php, it will come back as a logged in user. Is there a solution to this?

  • @lts8683 2 years ago +1

    Thank you very much

    • @wplearninglab 2 years ago +1

      You’re welcome, thanks for watching!

  • @amiralipanjwani1991 4 years ago

    I am adding my correct IP address but still it's not allowing me to access my admin.. Can anybody please help

  • @kamandekimiti9664 1 year ago

    Doesn't the IP change when you reboot your static PC and reconnect again to the internet?

  • @TheCal47 6 years ago

    Hi, I know this is not related but I was in my WordPress and saw the force http and once I activated it my WordPress temporarily shut down, you know the error message that you get when Google tells you that the site is temporarily down. What do I do?

    • @wplearninglab 6 years ago

      Hi Marcelino,
      When you de-activate it does the site come back up? Did the Google error message mention anything about a "loop"?

  • @blissboxx 5 years ago +1

    what about wp-login.php? An ex web development company are terrorising my client, they are using this page to try and login.

    • @wplearninglab 5 years ago +1

      Hi Elle,
      That doesn't sound like a fun experience. The first thing I would try is moving the login page. If they can't find the login page, then they can't login. Check out this tutorial: ruclips.net/video/p7qxSptZif0/видео.html
      Blocking their IP may work, but if they're crafty they'll just try from other IPs.
      I hope that helps. Let me know how it goes!

    • @blissboxx 5 years ago

      @wplearninglab I followed your other tutorial (great tip by the way), but it has not worked. I have blocked wp-admin and wp-login.php, and they are still attempting to login about three times an hour. I don't have a clue how they are able to do it. I have set up a limit login attempt, they are bouncing their IP around using a VPN. I have put a captcha at the login page as well, but even if the bot doesn't complete the captcha it still registers as a failed login. These people are crafty and I have no idea what next step to take. Thank you for your tutorials though, they have gotten me this far.

  • @Authoratah 9 years ago +1

    If your internet provider is assigning you a dynamic IP address every time you login, this would not work for you, correct?

    • @wplearninglab 9 years ago

      +GManGT That's correct. However, your ISP likely assigns a dynamic IP inside of a range of IPs. So you could limit access to that range of IPs. Which isn't the best-case scenario, but it could still be useful.

    • @CristianBogdan1 8 years ago

      Man please help. On my IP I have access denied when I try to login, from any other IP I can access my login page except my home IP. I tried this method with deny and allow from my IP on .htaccess but it does not work, only if I change my IP address, that is when I can access the wp-login.php page. Sorry for bad English, it is not my first language.

  • @FASTGUILD3000 7 years ago +1

    EXCELLENT, SIMPLE & EFFECTIVE - This is a great video & you're the only one who's nailed it with pure simple logic.
    Thanks!

    • @wplearninglab 7 years ago

      +xINFINITELOOPx That's what I like to hear! Thanks for the great feedback and thanks for watching!

    • @DYHARDGAMERS 4 years ago

      You can still have access through wp-login.php. It doesn't completely work

  • @مركزسكولميالعالميلإتقاناللغات

    Could you please do a video on How to block libwww-perl

    • @wplearninglab 7 years ago

      Thanks for the suggestion. I've put it on my list!

  • @clearandfocused8882 4 years ago

    Hello. Please help me understand. I want Administrators, Editors, and Authors to have the ability to access the dashboard; while also allowing Customers to login or register to my front end. This arrangement seems like what most WordPress Administrators would want. But what I don't understand is why any other user-role (ie: Subscriber) would need access to the dashboard.
    Furthermore, from my understanding, doesn't limiting access to the dashboard (like this video shows with IPs) prevent e-Commerce sites from working because Customers won't be able to login unless their IP is whitelisted?? Or have I misunderstood?
    This seems incredibly strange to me because - how many websites want Subscribers to have access to the dashboard (very few) vs how many e-Commerce sites need to have Customers able to subscribe (nearly all)?
    It seems to me that the default should be preventing Subscribers from accessing the dashboard, rather than default allowing them access. Please explain. Thanks for your great work! (ps - I'd rather not install another plugin for this purpose).

  • @reidy68 8 years ago

    Hi there, I'm just putting together a WP site on a local server, using Instant Wordpress. I'm adding security before I upload the files to a remote server but every time I try to use this method, I'm Forbidden? Can I develop these types of security measures using a local server? I'm having the same issues when I modify the config file? Any advice is appreciated in advance, as I have limited knowledge in using WP!
    Cheers
    Rich

  • @zlee4019 3 years ago

    Thank you for the informative video. If I follow what you did with the .htaccess file (and put it into the WP-ADMIN folder), will it be enough to stop hackers from hacking my website?

  • @endrirushitaj1530 5 years ago +1

    I don't know why this isn't working for me

    • @wplearninglab 5 years ago

      Hi Endri,
      Have you confirmed it's not working by blocking your own IP and seeing if you're locked out?

  • @DanZL1 5 years ago

    For some reason my IP address changes for every browser from the same location? Is that normal? Every browser gives me a new IP? Any suggestions? Is there a way to block login based on the Country name or Country IP?

  • @BarryJoyce1590 8 years ago

    Hi, where can I find the code mentioned that is below the video? Thank you

  • @abdoulayeniang8218 4 years ago

    Hi, thanks for your helpful content. I have an online training site where instructors can register and teach. If a user submits a comment, I don't want the article notification email sent to the instructors. That is, only the administrator can see and validate or refuse. Do you know how to fix it?

  • @DanZL1 5 years ago

    Instead of a single IP, is there a way of adding Geo Location so access will only be permitted from UK for instance and no other country besides UK?

  • @steve1103susan1103 9 years ago

    Yes you are correct. I wanted to have the homepage accessible to everyone and the other pages on your website accessible only to certain IP addresses

  • @DanZL1 5 years ago +1

    Will this method work with WPS Hide Login?

    • @wplearninglab 5 years ago

      Yes, it should. The IP block prevents access to the admin pages, no matter where the login page is located.
      I hope that helps and thanks for watching! Let me know if you have any further questions :)

    • @DYHARDGAMERS 4 years ago

      @wplearninglab Hi WP learning, it did not work for me. I'm on DigitalOcean on an Ubuntu server. Any idea why this didn't work for me?

  • @Mani-rm4tz 5 years ago

    How to allow Itheme security plugin to access wp-admin

  • @el5880 4 years ago +1

    dude, THANKS!!

    • @wplearninglab 4 years ago

      You’re welcome, thanks for watching!

  • @erikbush6224 7 years ago

    What if you need to allow 2 separate IP addresses?

  • @garykarns 6 years ago +1

    Thank you.

    • @wplearninglab 6 years ago

      You're welcome Gary, thanks for watching!

  • @kashfulbangladesh 5 years ago

    sir you are very helpful!

  • @DanZL1 5 years ago

    Is there a way to restrict WP Admin access based on location?

    • @HamzaALASLI 3 years ago

      That's exactly what he just explained !!

  • @steve1103susan1103 9 years ago

    Can you use this for certain pages leaving the home page accessible to everyone?

    • @wplearninglab 9 years ago

      Stephen Good Hi Stephen. If I understand correctly you want to have the homepage accessible to everyone and other pages on your website accessible only to certain IP addresses? Is that correct? If so, there might be easier options than .htaccess tweaks.

    • @steve1103susan1103 9 years ago

      WP Learning Lab Yes you are correct. I wanted to have the homepage accessible to everyone and the other pages on your website accessible only to certain IP addresses

  • @noisabe5244 6 years ago

    Thank you !

    • @wplearninglab 6 years ago

      You're welcome Noisabe. I'm glad I could help and thanks for watching!