whitelist IP addresses in WordPress

Securing your WordPress website is one of your most critical management duties. A lot of websites find themselves the targets of random attacks, and if yours makes it onto that list, your site and its data could be at risk. To help avoid this problem, one security tip is to learn how to whitelist IP addresses in WordPress.

This feature makes it so that only the people you trust will have access to your dashboard. It works at the server level, so anyone who tries to log in without authorization won’t even be able to see your WordPress login page. Plus, it’s simple enough to implement, as long as you don’t mind copying and pasting a few lines of code.

In this article, we’ll talk about what whitelisting is and how it works. Then we’ll teach you how to whitelist IP addresses in WordPress with two simple steps. Let’s get to work!

What whitelisting is (and why it’s effective)

Restricting access to your dashboard is one of the best security measures you can implement.

IP addresses are usually strings of numbers separated by periods that identify specific internet networks. For example, your home internet connection has its own IP address that it uses to interact with the rest of the web.

‘Blacklisting’ means blocking a specific set of IP addresses, while ‘whitelisting’ means allowing access only from a specific set of IP addresses.

That is – when you whitelist an IP address on a website, you grant access only to a specific network. A user can switch devices on that network, but they’ll need to be connected to a network with whitelisted access to reach the backend of your site.

As you can imagine, this security feature offers a lot of advantages, because it:

  • Enables you to control who accesses your website. Limiting access only to specific IP addresses can help you prevent attacks on your site.
  • Is more effective than implementing login security measures. Think of your login screen as a door to which many people have keys. When you implement an IP whitelisting feature, you essentially designate a full-time security guard that makes sure only the people you’ve approved can enter that door.
  • Is easy to implement. If you’re a WordPress user, you can enable this feature by adding a few lines of code to one of your core files. It’s very simple, even if you’re not a developer.

It’s important to note that in most cases, you won’t want to limit access to your entire website unless it’s purely a staging site. Rather, you’ll just want to secure your back end and its login page.

Potential disadvantages of using this method

Of course, whitelisting IP addresses in WordPress can get tricky if you’re part of a large team. You’ll need to convince everyone to share their IPs with you, and figure out what to do for users with dynamic addresses (IPs that change regularly).

Additionally, if you use this method, you won’t be able to access your site’s backend dashboard if you’re at a cafe or on vacation without updating the list of whitelisted IP addresses (because you’ll have a different IP address).

In our experience, the best way to approach these problems is to use a VPN service that offers your team members dedicated IP addresses. Then, as long as they remember to log into the service before trying to access your back end, they shouldn’t encounter any problems.

How to whitelist IP addresses in WordPress (in two steps)

Now that you understand the reasons to whitelist IP addresses in WordPress, it’s time to learn how to make it happen. As we mentioned earlier, you’ll need to tweak one of your WordPress files manually to implement this feature. Don’t worry – the process is simple, and we’ll guide you through every step.

Before we jump in, it’s a smart idea to back up your site just in case. Then, make sure you have a list of all your team members’ IP addresses ready. To find out what their (and your) IPs are, they can use a simple tool such as IP Location Finder. All they’ll have to do is visit the site, take note of their IP addresses, and share them with you.

Step #1: Locate your .htaccess file

The file we need to modify for this feature to work properly is called .htaccess. It’s a WordPress core file that communicates directly with your server and enables you to set up ‘rules’. In this case, we’re going to tell it to block access to your dashboard login page for IPs not on an approved list.

To do that, you’ll first need to access your site’s back end using an FTP client, such as FileZilla. You’ll need your FTP login information, which you should be able to find within your web host’s control panel or in the email they sent you when you signed up for your plan.

Once you have your credentials, access your website via FTP and head to WordPress’ root folder. This directory is often called either public_html or www, or is named after your site. Open it, and look for the .htaccess file within.

Now, right-click on the file and choose the option that reads View/Edit. This will open the file locally, using your default text editor. Keep the file open for now, and let’s move on to the next step.

Step #2: Whitelist an IP address by editing your .htaccess file

To whitelist a set of IP addresses, you’ll need to copy and paste the following code into your .htaccess file (with a few changes):

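<IfModule mod_rewrite.c>
RewriteEngine on
# Apply the rule to requests for the login page or the wp-admin path...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ...but only when the visitor's IP matches none of the approved addresses
RewriteCond %{REMOTE_ADDR} !^IP_ADDRESS_ONE$
RewriteCond %{REMOTE_ADDR} !^IP_ADDRESS_TWO$
# Everyone else gets a 403 Forbidden response
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>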

This code snippet restricts access to both your dashboard and its login page. Whenever someone attempts to access either one, the server will check their IP against the addresses in your list. If one of them is a match, they’ll be let through.

In the example above, you can see there are two placeholders for individual IP addresses (IP_ADDRESS_ONE and IP_ADDRESS_TWO). You can add as many lines as you want following the same format, one right below the other, replacing the placeholder text with the actual IPs. Make sure to leave the “^” and “$” symbols before and after the IP address, though.

Here’s what the code should look like for a site with three whitelisted addresses:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# Sample addresses from the documentation ranges; replace them with your own.
# Each dot is escaped with a backslash so it matches a literal "."
RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.27$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.44$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

To avoid confusion, you should add this snippet to the bottom of your .htaccess file, below its default rules. When you’re ready, save your changes and test that your new security feature is working by having each whitelisted user try and log in. Whenever you gain or lose team members, you can simply return to the file and add or delete IP addresses as necessary.
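
The Python script below is an added example, not part of the original article. It validates each address before it goes into the list (an octet above 255 is rejected), renders the rule block, and models how the conditions combine so you can check the outcome before uploading the file. The addresses are constructed samples from the documentation ranges, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input: RFC 5737 documentation addresses, not real hosts.
ALLOWED = ["192.0.2.10", "198.51.100.27", "203.0.113.44"]

# The two REQUEST_URI patterns from the article's snippet.
URI_CONDS = [r"^(.*)?wp-login\.php(.*)$", r"^(.*)?wp-admin$"]


def ip_pattern(addr):
    """Validate an IPv4 address and return an anchored, dot-escaped regex."""
    ip = ipaddress.IPv4Address(addr.strip())  # ValueError for e.g. 190.36.268.21
    return "^" + str(ip).replace(".", r"\.") + "$"


def build_block(addrs):
    """Render the rule block for a list of addresses, validating each one."""
    lines = [
        "<IfModule mod_rewrite.c>",
        "RewriteEngine on",
        f"RewriteCond %{{REQUEST_URI}} {URI_CONDS[0]} [OR]",
        f"RewriteCond %{{REQUEST_URI}} {URI_CONDS[1]}",
    ]
    lines += [f"RewriteCond %{{REMOTE_ADDR}} !{ip_pattern(a)}" for a in addrs]
    lines += ["RewriteRule ^(.*)$ - [R=403,L]", "</IfModule>"]
    return "\n".join(lines)


def is_blocked(uri, remote_addr, addrs):
    """Model the conditions: (URI 1 OR URI 2) AND no approved address matches."""
    protected = any(re.search(p, uri) for p in URI_CONDS)
    listed = any(re.search(ip_pattern(a), remote_addr) for a in addrs)
    return protected and not listed


if __name__ == "__main__":
    print(build_block(ALLOWED))
    samples = [  # constructed (URI, client IP) pairs
        ("/wp-login.php", "192.0.2.10"),
        ("/wp-login.php", "192.0.2.99"),
        ("/wp-admin", "192.0.2.99"),
        ("/wp-admin/index.php", "192.0.2.99"),
        ("/blog/hello-world/", "192.0.2.99"),
    ]
    for uri, ip in samples:
        print(uri, ip, "403" if is_blocked(uri, ip, ALLOWED) else "pass")
```

Running it prints the block to paste into .htaccess, followed by the modeled outcome for each sample request. The model also shows that the second URI condition matches only a path that ends in wp-admin, so requests for files below /wp-admin/ are not matched by it.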

Now, anyone who isn’t connected to one of the whitelisted IP addresses will see a 403 Forbidden error if they try to access your dashboard.

Conclusion

Learning how to whitelist IP addresses in WordPress is simple, and it’s a highly effective way to protect your website from intruders. Do keep in mind that if you want to implement this security measure, you’ll have to ask all your co-authors for their IPs, and figure out a way for those with dynamic addresses to be able to do their jobs.

Additionally, you should remember that this method isn’t always ideal if you find yourself constantly working from different locations (unless you pay for a dedicated IP address from a VPN).

Once you’ve taken care of those tasks, here’s how to whitelist IP addresses in WordPress in two short steps:

  1. Locate your .htaccess file.
  2. Whitelist all the IP addresses you need by adding the provided code snippet to the file.

Do you have any questions about how to whitelist IP addresses in WordPress? Let’s clear them up in the comments section below!
