If you have a static IP address, like from your own VPN, it is very easy to increase your security tremendously. Simply restrict all logins to that IP address.
With Apache
Now, let’s say your public IP when logged into your VPN is 123.45.67.89. Simply add this to your .htaccess file:
<Files wp-login.php>
    # Apache 2.2 access syntax; Apache 2.4 accepts it only with mod_access_compat loaded
    Order deny,allow
    Deny from all
    Allow from 123.45.67.89
</Files>
And that’s it.
With Apache behind Varnish
Now, if you’re behind a reverse proxy like Varnish (like I am), things look a bit more complicated. Since all requests now look as if they’re coming from your reverse proxy, the previous solution won’t work.
First, make sure your proxy is setting the X-FORWARDED-FOR header correctly. In Varnish you would have this in your vcl_recv block:
sub vcl_recv {
    […]
    if (req.restarts == 0) {
        if (req.http.X-Forwarded-For) {
            set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
        } else {
            set req.http.X-Forwarded-For = client.ip;
        }
    }
    […]
}
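Now you can look for that header in your .htaccess file. Anchor the pattern to the last entry in the header: that is the address Varnish appended itself, while anything before it was sent by the client and cannot be trusted. This assumes Varnish is the only proxy in front of Apache and that Apache only accepts connections from Varnish.
<Files wp-login.php>
    # Match only the final X-Forwarded-For entry (the one written by Varnish); dots are escaped
    SetEnvIf X-Forwarded-For "(^|, )123\.45\.67\.89$" AllowIP
    Order deny,allow
    Deny from all
    Allow from env=AllowIP
</Files>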
And that’s it.
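The following Python example, added here and not part of the original post, mirrors the vcl_recv header handling and the SetEnvIf match to show which requests an unanchored pattern and a pattern anchored to the last entry each let through. The sample requests and function names are constructed for illustration.

```python
import re

# Unanchored pattern with unescaped dots: matches anywhere in the header value.
LOOSE = re.compile(r"123.45.67.89")
# Anchored to the final entry, the only one Varnish itself wrote.
STRICT = re.compile(r"(^|, )123\.45\.67\.89$")


def varnish_xff(client_ip, incoming_xff=None):
    """Mirror the vcl_recv logic: append client.ip to any header already present."""
    if incoming_xff:
        return incoming_xff + ", " + client_ip
    return client_ip


def allowed(pattern, header):
    """SetEnvIf sets AllowIP when the regex matches anywhere in the header value."""
    return pattern.search(header) is not None


# Constructed samples: (label, IP connecting to Varnish, X-Forwarded-For sent by the client)
SAMPLES = [
    ("VPN user, no header", "123.45.67.89", None),
    ("VPN user via upstream proxy", "123.45.67.89", "10.0.0.5"),
    ("other host, no header", "198.51.100.7", None),
    ("other host, header contains allowed IP", "198.51.100.7", "123.45.67.89"),
]


def evaluate(pattern):
    """Return {label: allowed?} for every sample, as Apache sees it behind Varnish."""
    return {label: allowed(pattern, varnish_xff(ip, xff)) for label, ip, xff in SAMPLES}


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        for label, ok in evaluate(pattern).items():
            print(f"{name:6} {label:40} {'allow' if ok else 'deny'}")
```

Only the anchored pattern denies the fourth sample, because the value it tests is the address Varnish saw on the connection rather than text the client sent.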
With Nginx
Update October 17, 2015: I’ve written a new post that not only is a huge improvement over the old method I described here, but also adds much more flexibility. Take a look at the post Restrict access to the WordPress dashboard by IP address in Nginx.