Recently, after our guide on limiting WordPress login attempts went live, our site faced a sudden wave of attacks—39 IP blocks in mere hours. Testers experimenting with the plugin or genuine hackers? Either way, we bolstered defenses by restricting IP access to wp-login.php. Our WP Admin directory was already IP-whitelisted; this tutorial shares our proven method for the login file.
Note: This is for intermediate users comfortable editing server files.
Open your root .htaccess file and add this code at the very top, before other directives:
<Files "wp-login.php">
Order Deny,Allow
Deny from all
# Whitelist West Palm Beach IP
Allow from xx.xxx.xx.xx
# Whitelist Gainesville IP
Allow from xx.xxx.xx.xx
</Files>

Replace placeholders with your static IP addresses. Dynamic IPs pose a challenge here, as IP changes could lock you out. On our production sites, this setup flawlessly stops brute-force attempts. The login page stylesheet may look off from non-approved IPs—that's intentional and low priority.
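On Apache 2.4 the Order/Deny/Allow directives are deprecated and only work while mod_access_compat is loaded; the native directive is Require ip. The block below is an added example, not part of the original tutorial, that applies the same wp-login.php restriction on either version. The addresses 203.0.113.10 and 198.51.100.0/24 are constructed documentation values standing in for a static IP and, for a dynamic connection, a provider's range.

```apache
# Added example: the same wp-login.php restriction for Apache 2.4, with a 2.2 fallback.
# All addresses are placeholders from the documentation ranges; substitute your own.
<Files "wp-login.php">
    # Apache 2.4+: mod_authz_core is present, so use Require.
    # Several Require lines at this level are OR-ed: any one match grants access,
    # and every other client receives 403 Forbidden.
    <IfModule mod_authz_core.c>
        # Single static address (assumed value)
        Require ip 203.0.113.10
        # CIDR range for a connection whose address changes (assumed value)
        Require ip 198.51.100.0/24
    </IfModule>

    # Apache 2.2: mod_authz_core is absent, so fall back to the older syntax.
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </IfModule>
</Files>
```

A CIDR range admits every address inside it, so keep it as narrow as your provider's allocation allows. In .htaccess, Require needs AllowOverride AuthConfig and the older Allow/Deny directives need AllowOverride Limit.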
For full WP Admin protection, check our 13 Vital Tips and Tricks to Protect Your WordPress Admin Area.