How to set IP Restrictions to the WordPress Login Page

WordPress does not restrict login attempts by default. A user is free to try any username and password combination any number of times. This permissiveness is what lets an attacker mount a brute force attack.

Brute force is a simple and straightforward attack used to gain access to a site. It does not target a known vulnerability in the software; instead, username and password combinations are tried until one passes the check.

Brute force attacks are most successful when the username is a common one like admin and the password is short, found in a dictionary, or as common as 12345678.

Brute force attacks are not guaranteed to succeed, but your server may still end up dead, unable to handle the raw volume of requests the attack generates.

By restricting which IP addresses can reach the WordPress login page, you can protect your site from brute force attacks. In this tutorial, we will show you how to set IP restrictions on the WordPress login page on both the Apache and Nginx web servers.

Set IP Restrictions to the WordPress Login Page

The first thing you need in order to set IP restrictions on the WordPress login page is the IP address you want to whitelist. This is easily done: Google will tell you your IP address if you search for "what is my IP". If you want to log in from multiple IP addresses, you need to collect all of them.

We will be modifying server settings here. Depending on whether you are using Apache or Nginx, do the following:

Apache Users

If you are using Apache, locate your server configuration file and look for the virtual hosts file. If you don't have access to the server configuration file, locate the .htaccess file instead; it should be present in the document root of your site.

Nginx Users

Locate the server configuration block. Depending on how your server is configured, it may be in a separate configuration file or in the main server configuration file. Check the main configuration file and any additional files. Normally, you should check the following locations:

  • /etc/nginx/
  • /etc/nginx/sites-enabled/
  • /etc/nginx/conf.d/

Backup

Make sure to back up the server configuration file before you go any further. Even the smallest error in the configuration file can bring down your web server, and the backup lets you restore a working state when things don't go well.

Secure WordPress login from Static IP Address

If all users who log in to your site use a static IP address (a fixed address that does not change), follow this method.

Apache Users

Edit the configuration file and add the following lines. If you are editing a virtual host, add them in the proper virtual host section. If you are editing .htaccess, add them to the top of the file.

<IfModule mod_authz_core.c>
    <Files wp-login.php>

        ErrorDocument 403 http://example.com/error/404

        <RequireAny>
            Require ip x.x.x.x y.y.y.y z.z.z.z
        </RequireAny>

    </Files>
</IfModule>

The above code relies on the mod_authz_core module. This module is available in Apache version 2.3 and later.

Any request to the wp-login.php file that does not originate from a whitelisted IP address will be denied with a 403 response, which the ErrorDocument line then redirects to your 404 page.

First, change http://example.com/error/404 to the location of your 404 page.

Next, add all IP addresses that you want to whitelist by changing

Require ip x.x.x.x y.y.y.y z.z.z.z
to something like
Require ip 1.1.1.1 2.2.2.2 3.3.3.3

Add as many IP addresses as you need, separating each with a space.

Nginx Users

Add the following lines of code to the server block of the configuration file.

location ~* (wp-login)\.php$ {
    allow   1.1.1.1;
    allow   2.2.2.2;
    allow   3.3.3.3;
    deny    all;
}

Edit the above code and change 1.1.1.1, 2.2.2.2 and the others to the IP addresses you want to whitelist for login. You can whitelist as many IP addresses as you want; just add a new allow line for each one.

If PHP is served through FastCGI (PHP-FPM or PHP CGI), you will also need to include the FastCGI handling in this block. This is because Nginx selects a single location block per request: the regex location above matches wp-login.php before your generic PHP location does, so without its own FastCGI directives Nginx would serve the file as static content. Your configuration may look something like this:

location ~* (wp-login)\.php$ {
    allow   1.1.1.1;
    allow   2.2.2.2;
    allow   3.3.3.3;
    deny    all;

    # This regex location replaces your generic "\.php$" block for wp-login.php,
    # so the PHP handler must be repeated here; otherwise Nginx serves the raw file.
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass   unix:/run/php/php-fpm.sock;  # placeholder: use your own PHP-FPM socket or address
}

Secure WordPress login from Dynamic IP address

If you are using dynamic IP addressing (your IP address changes every now and then), this is the method for you.

Attackers normally use bots to perform brute force attacks. To counter bots, we check whether the login request originated from a page on your own site, using the HTTP Referer header. Requests whose Referer does not carry your domain are blocked from the login page.

Apache users

Add the following lines of code to the Apache configuration file:

<IfModule mod_authz_core.c>
    <Files wp-login.php>

        ErrorDocument 403 http://example.com/error/404

        <If "%{REQUEST_METHOD} == 'POST'">
            <RequireAll>
                Require expr %{HTTP_REFERER} =~ /.*example.com.*/
            </RequireAll>
        </If>

    </Files>
</IfModule>

The first part of the code is the same as the code we used earlier for static IP addresses. Edit and update the line

Require expr %{HTTP_REFERER} =~ /.*example.com.*/

and change example.com to your domain name. Just like earlier, you will also need to change http://example.com/error/404 in

ErrorDocument 403 http://example.com/error/404

to the location of your 404 page.

Nginx Users

Locate your server block in the configuration file and add the following lines of code:

location ~* (wp-login)\.php {
    if ($http_referer !~ (example.com)) {
        return 403;
    }
}

Edit the above code and change example.com to your domain name.

Again, if PHP is served through FastCGI, you will need to repeat the FastCGI handling inside this location block for the same reason as before. Your settings may look something like this:

location ~* (wp-login)\.php {
    if ($http_referer !~ (example.com)) {
        return 403;
    }

    # Repeat the PHP handler here; this regex location overrides the generic "\.php$" block.
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass   unix:/run/php/php-fpm.sock;  # placeholder: use your own PHP-FPM socket or address
}

Note that we are returning an HTTP 403 Forbidden response code. You can return a 404 code instead if you want.

Warning

The above technique relies on the HTTP Referer header, which can't be trusted! An attacker can easily set this header and bypass this protection layer.

Play it safe – Limit Login Attempts

A simple way to prevent brute force attacks is to limit the number of failed login attempts: for example, block a user for an hour after 3 failed attempts. This protects you whether you use a static IP address or dynamic IP addresses.

There are many free plugins which can get this done. Check the official WordPress plugin repository.
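A minimal must-use plugin implementing the policy just described (block a client for one hour after 3 failed attempts), added here as an example; it is not from the tutorial or from any plugin in the repository. It assumes the standard WordPress hooks wp_login_failed, authenticate and wp_login, the transient API, and that REMOTE_ADDR is the real client address (no reverse proxy in front of the site).

```php
<?php
/*
 * Plugin Name: Simple Login Lockout (example)
 * Description: Blocks a client IP for one hour after 3 failed logins.
 * Place this file in wp-content/mu-plugins/ to activate it.
 */
defined('ABSPATH') || exit;

// Policy values taken from the tutorial text: 3 failures, one-hour lockout.
define('SLL_MAX_FAILURES', 3);
define('SLL_LOCKOUT_SECONDS', HOUR_IN_SECONDS);

// Transient key for the requesting client. REMOTE_ADDR is used on purpose:
// X-Forwarded-For is attacker-controlled unless a trusted proxy rewrites it.
function sll_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'sll_fail_' . md5($ip);
}

// Count a failed attempt. Each failure refreshes the expiry, so the hour
// is measured from the client's last attempt, not its first.
add_action('wp_login_failed', function ($username) {
    $key      = sll_client_key();
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, SLL_LOCKOUT_SECONDS);
});

// Refuse authentication while the client is locked out. Priority 30 runs
// after core's username/password check (priority 20), so the lockout error
// replaces whatever core returned and the password is never confirmed.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(sll_client_key()) >= SLL_MAX_FAILURES) {
        return new WP_Error(
            'sll_locked_out',
            __('Too many failed login attempts. Please try again in an hour.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(sll_client_key());
}, 10, 2);
```

Because the lockout error also passes through wp_login_failed, attempts made during the lockout keep extending it; remove the counter from the Transients screen (or via WP-CLI) if you lock yourself out.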

Conclusion

We hope you found this tutorial useful and managed to set IP Restrictions to the WordPress Login Page on Apache and/or Nginx web server. Drop us your feedback in the comments section below.


Tapas Pal

Tapas Pal is the founder of layerpoint.com. He is an avid Internet enthusiast and writer with a deep interest in technology and digital marketing, and he loves tools that increase human productivity.