Restricting access to WordPress login by IP address

If you have a static IP address, for example from your own VPN, it is very easy to increase your security tremendously: simply restrict all logins to that IP address.

With Apache

Now, let’s say your public IP when logged into your VPN is 123.45.67.89. Simply add this to your .htaccess file:

<files wp-login.php>
  # Order/Deny/Allow is the Apache 2.2 access syntax; Apache 2.4 needs mod_access_compat for it
  order deny,allow
  deny from all
  Allow from 123.45.67.89
</files>

And that’s it.

With Apache behind Varnish

Now, if you’re behind a reverse proxy like Varnish (like I am), things look a bit more complicated. Since all requests now look as if they’re coming from your reverse proxy, the previous solution won’t work.

First, make sure your proxy is setting the X-FORWARDED-FOR header correctly. In Varnish you would have this in your vcl_recv block:

sub vcl_recv {

	[…]

	if (req.restarts == 0) {
		if (req.http.X-Forwarded-For) {
			set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
		} else {
			set req.http.X-Forwarded-For = client.ip;
		}
	}

	[…]
}

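Now you can look for that header in your .htaccess file. Match only the last entry in the header, which is the one Varnish appended itself; anything before it was supplied by the client. Like this:

<files wp-login.php>
  # Anchor to the last X-Forwarded-For entry (the client.ip Varnish appended) and escape the dots
  SetEnvIf X-Forwarded-For "(^|,\s*)123\.45\.67\.89$" AllowIP
  order deny,allow
  deny from all
  Allow from env=AllowIP
</files>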

And that’s it.
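As an added example (not code from the original post), this models the vcl_recv append logic above and compares an unanchored match on the address with a match anchored to the last X-Forwarded-For entry. The function names and the header values in CASES are constructed for illustration.

```python
import re

# Unanchored: matches anywhere in the header, and each "." matches any character.
UNANCHORED = re.compile(r"123.45.67.89")
# Anchored: only the last entry, the one Varnish appended from client.ip.
ANCHORED = re.compile(r"(^|,\s*)123\.45\.67\.89$")


def varnish_xff(client_ip, incoming_xff=None):
    """Model the vcl_recv block: append client.ip to any header already present."""
    if incoming_xff:
        return incoming_xff + ", " + client_ip
    return client_ip


def sets_allow_ip(pattern, header):
    """Model SetEnvIf: the variable is set if the regex matches anywhere in the value."""
    return pattern.search(header) is not None


# Constructed cases: (address connecting to Varnish, X-Forwarded-For sent with the request)
CASES = [
    ("123.45.67.89", None),            # allowed address, no header sent
    ("123.45.67.89", "10.0.0.5"),      # allowed address behind another forwarder
    ("198.51.100.7", None),            # other address, no header sent
    ("198.51.100.7", "123.45.67.89"),  # other address, header filled in by the client
]


def evaluate(cases=CASES):
    """Return (header seen by Apache, unanchored result, anchored result) per case."""
    rows = []
    for client_ip, incoming in cases:
        header = varnish_xff(client_ip, incoming)
        rows.append((header, sets_allow_ip(UNANCHORED, header),
                     sets_allow_ip(ANCHORED, header)))
    return rows


if __name__ == "__main__":
    for header, weak, strict in evaluate():
        print(f"{header!r:32} unanchored={weak!s:5} anchored={strict}")
```

Only the last case differs between the two patterns: the address appears in the header but is not the entry Varnish appended.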

With Nginx

Update October 17, 2015: I’ve written a new post that not only is a huge improvement over the old method I described here, but also adds much more flexibility. Take a look at the post Restrict access to the WordPress dashboard by IP address in Nginx.

2 thoughts on “Restricting access to WordPress login by IP address”

  1. I struggled for 2 days to restrict WordPress using nginx behind haproxy.

    Unfortunately nothing worked; I finally downgraded back to Apache and it works fine now.

    Thanks, your article helped me.

    Cheer
    Zak

  2. Have you ever thought about creating an ebook or guest authoring on other sites? I have a blog centered on the same topics you discuss and would really like to have you share some stories/information. I know my subscribers would appreciate your work. If you’re even remotely interested, feel free to send me an e-mail.
