How to restrict a WordPress IP with the .htaccess file
Want to block specific IPs or limit access to your WordPress admin area? The .htaccess file lets you do that without a plugin. Here’s how to get it right.
What is the .htaccess file in WordPress?
The .htaccess file is a configuration file used by Apache web servers, including most WordPress hosting environments. It controls key server-level functions like redirects, permalink structures, and access permissions.
In WordPress, you’ll find it in the root directory—typically public_html. With the right rules in place, you can block IP addresses, restrict access to sensitive files, or lock down your admin area. It’s a powerful tool, but make sure to edit it carefully.
1. Locate and edit your .htaccess file safely
Before making changes, always back up the file:
- Use cPanel File Manager or an FTP client like FileZilla to connect to your site.
- Navigate to the root directory where WordPress is installed.
- If you don’t see .htaccess, enable “Show Hidden Files” in your settings.
- Download a copy of the file to your computer for safekeeping.
- Open the file using a plain text editor like Notepad or VS Code.
Once you’re in, you’re ready to start customizing access.
2. Block a specific IP address from accessing your site
To block a known malicious or spammy IP from viewing your entire website, add the following code to .htaccess:
<Limit GET POST>
order allow,deny
deny from 123.123.123.123
allow from all
</Limit>
Here’s what each line does:
- <Limit GET POST>: Targets GET and POST requests.
- order allow,deny: Tells Apache to evaluate “allow” rules first, then apply “deny” rules.
- deny from 123.123.123.123: Blocks the specific IP.
- allow from all: Lets everyone else in.
You can add multiple deny from lines to block several IPs.
3. Allow only specific IPs to access the wp-admin directory
Locking down the admin area is a strong security measure, especially if your team uses a static IP.
Option 1: Add this to your site’s main .htaccess:
<Files wp-login.php>
order deny,allow
deny from all
allow from 111.111.111.111
</Files>
This only protects the wp-login.php file, which is the WordPress login form. It doesn’t restrict access to other parts of /wp-admin/.
Use case: When you want to block access to the login screen but still allow the dashboard assets (like admin-ajax.php) to load for certain frontend functionality (e.g., AJAX features).
Option 2: Create a separate .htaccess inside the /wp-admin/ folder:
order deny,allow
deny from all
allow from 111.111.111.111
This locks down the entire admin area. Any request to a file within /wp-admin/ is blocked unless it’s from an allowed IP.
Use case: When you want to harden access to the entire admin interface, not just the login page. However, it may block legitimate AJAX calls from the front end unless exceptions are added.
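The AJAX exception mentioned above, written for Apache 2.4 as an added example (not the host's own configuration). On 2.4 the order/allow/deny directives only work through the mod_access_compat module, and Require from mod_authz_core is the native form; 111.111.111.111 is the page's placeholder address.

```apache
# /wp-admin/.htaccess -- added example for Apache 2.4 (mod_authz_core).
# 111.111.111.111 is the page's placeholder for your office IP.
# Require in .htaccess needs AllowOverride AuthConfig on the host.

# Allowlist: only this address may request anything under /wp-admin/.
Require ip 111.111.111.111

# Exception: front-end AJAX features call admin-ajax.php from every
# visitor's browser, so this one file is opened to everyone.
# A <Files> section is merged after the directory-level rule and, with
# the default AuthMerging Off, replaces it for the matching file.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Do not mix these directives with order/allow/deny lines in the same file; the Apache documentation discourages combining the two styles.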
4. How to block an IP from accessing wp-login.php
Sometimes you only want to prevent login attempts, not full site access. To block an IP from just the login page:
<Files wp-login.php>
order allow,deny
deny from 222.222.222.222
allow from all
</Files>
This stops brute-force or bot login attempts from that address while leaving your content publicly accessible.
5. Use CIDR notation to block IP ranges
If you’re dealing with a bot network or a known bad IP block, CIDR lets you deny entire IP ranges:
deny from 192.168.1.0/24
That example blocks all addresses from 192.168.1.0 to 192.168.1.255. Use this sparingly—it can unintentionally block real users, especially on mobile networks.
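The block rules from sections 2, 4 and 5 in Apache 2.4 syntax, as an added example that is not part of the original guide. It also shows a merging detail that matters once a site-wide list and a per-file list live in the same file; the addresses are the page's placeholders.

```apache
# Root .htaccess -- added example for Apache 2.4 (mod_authz_core).
# Addresses are the page's placeholders.
# Require and AuthMerging in .htaccess need AllowOverride AuthConfig.

# Site-wide blocklist: one address and one CIDR range.
# There is no <Limit> wrapper, so the rule covers every HTTP method
# rather than only GET and POST.
<RequireAll>
    Require all granted
    Require not ip 123.123.123.123
    Require not ip 192.168.1.0/24
</RequireAll>

# Extra block for the login form only.
# By default (AuthMerging Off) the rules in a <Files> section replace
# the rules above for that file, so addresses on the site-wide list
# could still reach wp-login.php. AuthMerging And keeps both in force.
<Files "wp-login.php">
    AuthMerging And
    <RequireAll>
        Require all granted
        Require not ip 222.222.222.222
    </RequireAll>
</Files>
```

After uploading, request wp-login.php from a listed address and confirm the server answers 403 Forbidden.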
What happens when you block an IP?
Blocked users won’t get a polite message. They’ll just see a plain 403 Forbidden error when trying to access your site or the restricted areas.
This happens silently. There’s no alert to the blocked user, and your site works normally for everyone else. That makes .htaccess blocking ideal for cutting off known offenders without disrupting traffic.
Tip: Use comments to stay organized in your .htaccess file
It’s easy to lose track of changes in .htaccess. Add comments to label what each rule is doing:
# Block known spammer
deny from 123.123.123.123
# Allow only office IP to access wp-login
<Files wp-login.php>
order deny,allow
deny from all
allow from 111.111.111.111
</Files>
Comments start with # and don’t affect functionality. This helps you avoid mistakes and makes your rules easier to review later.
Common mistakes and troubleshooting tips
Even a tiny typo in .htaccess can take down your whole site. Here’s how to avoid disaster:
- Always back up the file before making changes.
- Use a staging site or maintenance plugin while testing.
- Don’t mix up order allow,deny and order deny,allow—it changes how rules are applied.
- If you get locked out, use FTP or your host’s file manager to restore the backup.
Tip: If your host supports .htaccess overrides, you can use an .htaccess inside /wp-admin/ or other directories for localized rules.
Bonus: How to whitelist your dynamic IP with a DNS service
If your IP address changes often (which is common with home ISPs or mobile connections), use Dynamic DNS (DDNS) to manage access:
- Sign up for a free DDNS service like No-IP or DynDNS.
- Set up a subdomain that points to your current IP.
- Install their auto-updater to keep the record current.
- Add this to your .htaccess (Apache checks a hostname rule by running a reverse DNS lookup on the visitor’s IP, so it only works if that lookup returns this hostname):
Allow from yoursubdomain.no-ip.org
This gives you a secure, flexible way to restrict admin access without needing a static IP.
Next steps for restricting WordPress IPs with .htaccess
Blocking or restricting IPs with .htaccess is one of the fastest and most reliable ways to tighten WordPress security and reduce unwanted traffic.
If you’re new to this kind of file editing, your next step is to back up your .htaccess and experiment with a single IP block or allow rule. Start with your own IP to verify the rule works.