Lock down admin areas to specific IP addresses only.
WordPress Admin
Create /wp-admin/.htaccess:
order deny,allow
deny from all
allow from 192.168.1.100
Multiple IPs
order deny,allow
deny from all
allow from 192.168.1.100
allow from 203.0.113.50
allow from 10.0.0.0/24
Other Admin Areas
phpMyAdmin:
# In /phpmyadmin/.htaccess
order deny,allow
deny from all
allow from 192.168.1.100
cPanel/DirectAdmin login:
# In /.htaccess (root)
<Files "index.php">
    order deny,allow
    deny from all
    allow from 192.168.1.100
</Files>
Dynamic IP Solution
For changing IPs, use basic auth instead:
AuthType Basic
AuthName "Admin Access"
AuthUserFile /home/user/.htpasswd
Require valid-user
Generate password file:
htpasswd -c /home/user/.htpasswd adminuser
Combined IP + Password
Maximum security - require both IP match AND password:
order deny,allow
deny from all
allow from 192.168.1.100
AuthType Basic
AuthName "Admin Access"
AuthUserFile /home/user/.htpasswd
Require valid-user
Testing
# From allowed IP (should work)
curl -I https://example.com/wp-admin/
# From other IP (should return 403)
curl -I https://example.com/wp-admin/
Common Issues
- Still accessible: Check if .htaccess is being read (AllowOverride All)
- Locked out: Use hosting control panel file manager to delete .htaccess
- Wrong IP: Find your IP with curl ifconfig.me
- Cloudflare: Use X-Forwarded-For or disable proxy for admin
Apache 2.4 Syntax
Modern Apache requires different syntax:
Require ip 192.168.1.100
Require ip 203.0.113.50
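The combined IP + password rule in Apache 2.4 syntax, as an added example that is not part of the original page. In 2.4, bare Require lines in one section are treated as alternatives (an implicit RequireAny), so the IP check and the password check must be wrapped in RequireAll to demand both; the IPs and the .htpasswd path are the sample values used on this page.

```apache
# /wp-admin/.htaccess  (Apache 2.4, needs AllowOverride AuthConfig or All)
# Added example; IPs and the .htpasswd path are the sample values used on this page.

AuthType Basic
AuthName "Admin Access"
AuthUserFile /home/user/.htpasswd

# Weak form, shown commented out: bare Require lines are an implicit
# <RequireAny>, so this admits a listed IP without a password AND any
# IP that presents a valid password.
#   Require ip 192.168.1.100
#   Require valid-user

# Corrected form: every condition inside <RequireAll> must pass.
<RequireAll>
    # Condition 1: client address is one of the allowed IPs or ranges.
    <RequireAny>
        Require ip 192.168.1.100
        Require ip 203.0.113.50
        Require ip 10.0.0.0/24
    </RequireAny>
    # Condition 2: client also presents a valid login from the password file.
    Require valid-user
</RequireAll>
```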
Important
- Always test from another IP/device
- Keep a backup admin access method
- Update IPs when your connection changes
- Consider VPN for stable IP