One of the most common attack attempts against any WordPress-based website is trying to access the login page through brute force attacks or by overwhelming it with repeated requests. One way to protect your login area is to restrict access to the login file to one or several specific IP addresses.
 
In this guide, we explain step by step how to add an IP restriction to the .htaccess file located in the root directory of your hosting account.
 
Open the .htaccess file: First, open the .htaccess file located in the root directory of your website. If the file does not exist, you can create one. You can refer to the default configuration here: Default WordPress .htaccess.
 
Add the code to limit access by IP: Next, add the following code to your .htaccess file to restrict access to the WordPress login page to specific IP addresses:
 
<Files wp-login.php>
 order deny,allow
 deny from all
 allow from your_ip_address
 </Files>
 
Replace your_ip_address with the IP address you want to allow access from. If you want to allow access from multiple IP addresses, you can add multiple allow from lines, each with a different IP address.
 
Save the .htaccess file: Save the changes and upload the updated .htaccess file back to your hosting account if necessary.
 
After completing these steps, only the specified IP addresses will be able to access the WordPress login page (wp-login.php). Any other user or IP address attempting to access it will receive an “Access Denied” error.
 
Important: This method provides an additional layer of security but should not be considered your only security measure. It is highly recommended to combine this with other security practices such as using strong passwords, enabling two-factor authentication, installing security plugins, and keeping WordPress core, themes, and plugins up to date.