Years ago, while running WordPress 2.8.3, our site was targeted in a hack attempt on the wp-admin folder. WordPress swiftly patched the vulnerability in version 2.8.4. To add an extra layer of protection based on this real-world experience, we restricted access to the wp-admin folder via .htaccess, allowing only specific IP addresses. This prevented unauthorized access to the login page, stopping brute-force password resets. As WPBeginner experts, we'll guide you through implementing this proven security measure.
First, locate the .htaccess file in your /wp-admin/ folder and back it up.
Important: Edit only the /wp-admin/.htaccess file—not the root .htaccess. If it doesn't exist, create a new .htaccess file in the wp-admin directory.
Add the following code:
    Order Deny,Allow
    Deny from all
    # Syed's IP
    Allow from xx.xx.xx.xxx
    # David's IP
    Allow from xx.xx.xx.xxx
    # Amanda's IP
    Allow from xx.xx.xx.xxx
    # Muhammad's IP
    Allow from xx.xx.xx.xxx
    # Work IP
    Allow from xx.xx.xx.xxx
Replace the placeholders (xx.xx.xx.xxx) with your actual IP addresses, then upload the file.
If you connect from multiple locations (home, office, mobile), list every IP address you use. You will have to update the file whenever one of those addresses changes, but in return wp-admin stays hidden from everyone else.
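The helper below is an added example, not code from the WPBeginner post. It renders the allow list in the post's Order/Deny/Allow form and in the Apache 2.4 `Require ip` form (the older syntax only works on 2.4 when mod_access_compat is loaded), rejects unreplaced placeholders, and emulates the access decision so you can confirm your own address is admitted before uploading. The names and addresses in ALLOWED are constructed samples.

```python
"""Build and sanity-check a wp-admin/.htaccess IP allow list."""
import ipaddress

# Constructed sample entries (documentation ranges, not real users):
# one entry per person or location, as the post suggests. CIDR ranges
# such as an office block are accepted alongside single addresses.
ALLOWED = {
    "Syed": "203.0.113.10",
    "Office": "198.51.100.0/24",
}


def bad_entries(allowed):
    """Return the names whose value is not a valid IP or CIDR.

    Catches placeholders like xx.xx.xx.xxx left in by mistake."""
    bad = []
    for who, ip in allowed.items():
        try:
            ipaddress.ip_network(ip, strict=False)
        except ValueError:
            bad.append(who)
    return bad


def render_htaccess(allowed):
    """Emit both syntaxes; Apache picks the block its modules support."""
    out = ["<IfModule mod_authz_core.c>", "    # Apache 2.4 syntax",
           "    Require all denied"]
    for who, ip in allowed.items():
        out += [f"    # {who}", f"    Require ip {ip}"]
    out += ["</IfModule>", "<IfModule !mod_authz_core.c>",
            "    # Apache 2.2 syntax, as shown in the post",
            "    Order Deny,Allow", "    Deny from all"]
    for who, ip in allowed.items():
        out += [f"    # {who}", f"    Allow from {ip}"]
    out.append("</IfModule>")
    return "\n".join(out) + "\n"


def is_allowed(client_ip, allowed):
    """Emulate Order Deny,Allow: Deny rules run first, then Allow rules,
    so a client matching any Allow entry gets in despite Deny from all."""
    client = ipaddress.ip_address(client_ip)
    return any(client in ipaddress.ip_network(net, strict=False)
               for net in allowed.values())


if __name__ == "__main__":
    assert not bad_entries(ALLOWED), bad_entries(ALLOWED)
    print(render_htaccess(ALLOWED))
    print("203.0.113.10 admitted:", is_allowed("203.0.113.10", ALLOWED))
```

Front-end plugins often call wp-admin/admin-ajax.php for visitors, so check that nothing on the public site breaks after the lock-down; if it does, grant an exception for that one file inside a `<Files admin-ajax.php>` section.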