Ripefruit


WordPress Admin Protection

This post explains how WordPress owners can lock down and fully protect their website, and improve server performance.

This is achieved by denying access to the WordPress admin area to everyone except known IP addresses.

All Ripefruit hosting clients with WordPress are fully protected.

If a client sees a 404 or 500 Forbidden notice on their WordPress login page, they simply contact us with their IP address.*

*How to get your IP Address: Google “What’s my IP Address”


Article: WP Admin Security

WordPress: Use IP restrictions to limit access to /wp-admin/

The administrative area of a web application is very sensitive, and if compromised, the consequences can be devastating. WordPress is no exception. One effective measure is to limit access to /wp-admin/ so that only requests originating from a set of known IP addresses can access the administrative area.

This measure is highly recommended for website owners who want to protect their WordPress admin, and it also improves website performance.

Background

A little while ago we noticed our server becoming slow, unresponsive and sluggish.

We ran a query against the logs and found that websites running WordPress were being bombarded with hits to wp-login.php (the standard login address for all WordPress websites).

The results:

Attempts – Domain name

116 xxxxxxxxxxxx.com.au
116 xxxxxxxxxxxxxxxxxxxxxxx.edu.au
219 xxxxx.info
424 xxxxxxxxxxxxxxxxxxxx.com
527 xxxxxxxxxxxxxx.be
535 xxxxxxxxxxxxxxx.com.au
535 xxxxxxxxxxxxxxx.com
539 xxxxxxxxxxxxxxxxxx.com
840 xxxxxxxxxxxxxxxxxxxx.info
1076 xxxxxxxxxxxxxxxxxxxx.com
2181 xxxxxxxxxxxxxxxxxxxxxxxxxxx.com
3386 xxxxxxxxxxxxxxxxxxx.com.au
3413 xxxxxxxxxxxxxxxxxxxx.com.au
4557 xxxxxxxxxxxxxxxxxxxxx.com.au

That is a lot of “un-authorised” traffic.

Keep in mind that it’s not only the number of hits to the page: the server processes every login attempt. That amounts to thousands of processing minutes and unnecessary load on the server, and in most cases it is a hacker trying to get in.
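The kind of log query described above, as an added example (not the query the author ran): it tallies requests to wp-login.php per site and counts the distinct client addresses behind them. The log layout (Apache's "vhost_combined" format), the function names and the sample lines are assumptions; the sample lines are constructed.

```sh
#!/bin/sh
# Added example: tally wp-login.php requests per site from access-log lines.
# Assumed layout (Apache "vhost_combined"):
#   vhost:port client - user [time zone] "METHOD path PROTO" status bytes ...

# Constructed sample lines (documentation addresses, made-up hostnames).
sample_log() {
  cat <<'EOF'
shop.example:80 203.0.113.7 - - [01/Jan/2000:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "-"
shop.example:80 203.0.113.7 - - [01/Jan/2000:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "-"
shop.example:80 198.51.100.23 - - [01/Jan/2000:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "-"
shop.example:80 198.51.100.23 - - [01/Jan/2000:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 9100 "-" "-"
blog.example:443 203.0.113.7 - - [01/Jan/2000:10:00:05 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2100 "-" "-"
blog.example:443 192.0.2.50 - - [01/Jan/2000:10:00:06 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "-"
shop.example:80 192.0.2.9 - - [01/Jan/2000:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "-"
EOF
}

# Reads log lines on stdin; prints "attempts distinct_clients site",
# lowest count first, like the table in the article.
count_wp_login_hits() {
  awk '
    {
      path = $8
      sub(/[?].*/, "", path)                     # drop any query string
      if (path !~ /(^|\/)wp-login[.]php$/) next  # keep login-page requests only
      site = $1
      sub(/:[0-9]+$/, "", site)                  # drop the :port suffix
      hits[site]++
      if (!seen[site SUBSEP $2]++) clients[site]++
    }
    END { for (s in hits) printf "%d %d %s\n", hits[s], clients[s], s }
  ' | LC_ALL=C sort -n
}

sample_log | count_wp_login_hits
```

A high attempt count from few distinct clients points at a handful of noisy sources; a high count spread over many clients is the case an allowlist handles best.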

Considering we’re talking about one page (wp-login.php), we looked at how to only process legitimate requests.

Yes, there are plugins that rename the login page, which stops some attempts, but we wanted to block all login attempts, 404 errors and failed logins.

We found a WordPress plugin that can handle this type of blocking: all-in-one-wp-security-and-firewall has a feature that blocks IPs that hit a 404 error too many times.

Again, the issue here is that the server has to “process” the illegitimate attempts before it blocks the IP, so why not work the other way round?

Why not BLOCK access to the login page for all but ‘known’ IP addresses?

By adding this code to an .htaccess file, you have your answer.

  • No more failed logins
  • No server drain
  • 100% Secure
  • Easy to do and maintain


How to Limit Access: htaccess Code

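# Add the code below to .htaccess to allow specific IPs

<FilesMatch "^wp-login\.php$">
# Apache 2.2 syntax (on Apache 2.4 this needs mod_access_compat).
# With "Order deny,allow" the Deny rules are evaluated first,
# then the Allow rules override them for the listed addresses.
Order deny,allow
Deny from all
Allow from xxx.xx.xx.xx
Allow from xxx.xx.xx.xx
</FilesMatch>

# Message shown to visitors whose IP is not on the list
ErrorDocument 403 "Access forbidden. See .htaccess file to allow trusted IPs"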

Replace xxx.xx.xx.xx with the IP address you wish to allow access.

Only experienced users should attempt to implement this security measure.
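One way to generate the block above from a list of trusted addresses, as an added example that is not part of the original post: it rejects anything that is not a well-formed IPv4 address before writing a rule, and goes beyond the page by also emitting the Apache 2.4 `Require ip` form alongside the page's `Order`/`Allow`/`Deny` form. The function names and the sample addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: build the wp-login.php allowlist from validated IPv4 addresses.

# Return 0 only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;   # stray characters or empty octets
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                             # split the address on dots
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Print an .htaccess fragment that admits only the given addresses.
# Nothing is printed unless every address passes validation.
make_wp_login_acl() {
  [ "$#" -gt 0 ] || { echo "no addresses given" >&2; return 1; }
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "rejected: $ip" >&2; return 1; }
  done
  printf '%s\n' '<FilesMatch "^wp-login\.php$">' \
    '  <IfModule mod_authz_core.c>' \
    "    Require ip $*" \
    '  </IfModule>' \
    '  <IfModule !mod_authz_core.c>' \
    '    Order deny,allow' \
    '    Deny from all'
  for ip in "$@"; do
    printf '    Allow from %s\n' "$ip"
  done
  printf '%s\n' '  </IfModule>' '</FilesMatch>'
}

# Constructed sample addresses (documentation ranges).
make_wp_login_acl 203.0.113.7 198.51.100.23
```

Review the generated fragment before adding it to .htaccess, and confirm your own current address is in the list so you do not lock yourself out.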


What IP Address?

Search Google for “What’s my IP Address”.

The above IP blocking considerably improved server performance and increased the security of the admin area.




About Brian King

Managing director and senior editor at Ripefruit Media


Copyright © 2025 · Ripefruit
