TL;DR
- Restrict wp-login.php and /wp-admin/ to trusted IPs to stop brute-force traffic.
- Use server-level rules (.htaccess or Nginx) for the strongest protection.
- Maintain a safe allowlist for your team and update it when IPs change.
Why IP Allowlisting Works
Most WordPress attacks hit the same endpoints: /wp-login.php and /wp-admin/. If you restrict those URLs to your team’s IPs, automated bots never reach the login form.
This reduces attack surface immediately and cuts down server load from brute-force attempts.
When to Use IP Allowlisting
- Small teams with stable office IPs.
- Agencies managing client sites from known locations.
- Sites targeted by repeated login attacks.
If your team travels often, combine allowlisting with a VPN or add a temporary IP range during travel.
Generate Safe Rules (Apache/Nginx)
Use the WP Login Guard tool to generate both Apache and Nginx rules. Paste your allowed IPs, pick your server type, and deploy safely.
If you also want to block XML-RPC, enable the XML-RPC option in the generator.
Common Mistakes
- Locking yourself out by forgetting a secondary IP.
- Applying rules only to wp-login.php but not /wp-admin/.
- Forgetting that, behind a CDN or cloud proxy, your server sees the proxy's IP rather than your real client IPs, so rules written against REMOTE_ADDR match the wrong address.
Always keep an emergency fallback for access, such as SFTP or server console credentials, so you can edit the rules if you lock yourself out.
WordPress-Specific Notes
If you use a page builder, WooCommerce, or REST integrations, make sure allowlisting doesn’t block required endpoints. The admin area is safe to lock down, but public APIs should remain accessible.
Pair allowlisting with Login URL Obfuscator for another layer of protection.
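As an added example (not the WP Login Guard tool's own code), this small generator shows what the rules described above look like for both servers: it validates every allowlist entry as an IP or CIDR so a typo cannot silently lock everyone out, covers wp-login.php and /wp-admin/ together, leaves admin-ajax.php open for front-end integrations, and adds the optional XML-RPC block. The allowlist values are constructed documentation ranges; the function names are mine.

```python
import ipaddress

# Constructed allowlist for the example (documentation ranges, not real offices).
TEAM_IPS = ["203.0.113.10", "198.51.100.0/24", "2001:db8::/48"]

def normalize(allowlist):
    """Validate each entry as an IP or CIDR so a typo cannot silently produce a
    rule that locks everyone out; an empty list is rejected for the same reason."""
    nets = [str(ipaddress.ip_network(e.strip(), strict=False)) for e in allowlist]
    if not nets:
        raise ValueError("allowlist is empty; deploying it would lock out everyone")
    return nets

def apache_rules(allowlist, block_xmlrpc=False):
    """Two .htaccess fragments (Apache 2.4 'Require' syntax): one for the site
    root, one for wp-admin/. admin-ajax.php stays open because front-end code
    (WooCommerce, page builders) posts to it from visitors' browsers.
    Behind a CDN, configure mod_remoteip first so 'Require ip' sees the client."""
    ips = " ".join(normalize(allowlist))
    root = f'# root .htaccess\n<Files "wp-login.php">\n    Require ip {ips}\n</Files>\n'
    if block_xmlrpc:
        root += '<Files "xmlrpc.php">\n    Require all denied\n</Files>\n'
    admin = (f"# wp-admin/.htaccess\nRequire ip {ips}\n"
             '<Files "admin-ajax.php">\n    Require all granted\n</Files>\n')
    return root + admin

def nginx_rules(allowlist, block_xmlrpc=False):
    """Server-block fragments for Nginx. Keep your existing PHP handling
    (fastcgi_pass etc.) inside the allowlisted locations, since '^~' stops the
    usual regex .php location from matching /wp-admin/ URLs. Behind a CDN, set
    set_real_ip_from / real_ip_header (ngx_http_realip_module) first."""
    allow = "".join(f"    allow {n};\n" for n in normalize(allowlist))
    out = ("location = /wp-admin/admin-ajax.php {\n    allow all;\n    # ...php handling...\n}\n"
           f"location ^~ /wp-admin/ {{\n{allow}    deny all;\n    # ...php handling...\n}}\n"
           f"location = /wp-login.php {{\n{allow}    deny all;\n    # ...php handling...\n}}\n")
    if block_xmlrpc:
        out += "location = /xmlrpc.php {\n    deny all;\n}\n"
    return out

if __name__ == "__main__":
    print(apache_rules(TEAM_IPS, block_xmlrpc=True))
    print(nginx_rules(TEAM_IPS, block_xmlrpc=True))
```

Test the generated rules from an address outside the allowlist (a phone on mobile data works) before closing your own session, and confirm the front end still loads.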
Frequently Asked Questions
Will this block my editors or contributors?
Only if their IPs are not on the allowlist. Add each team member’s IP or use a shared VPN IP.
What if my IP changes?
Update the allowlist immediately. For dynamic IPs, use a VPN with a stable exit IP.
Does this replace 2FA?
No. IP allowlisting reduces attack surface, but 2FA still adds strong account-level protection.
Should I block XML-RPC too?
If you do not need it, yes. It is a common brute-force target.
Key Takeaways
- Allowlisting stops brute-force bots before they reach your login page.
- Use server-level rules generated by WP Login Guard for safety.
- Keep your allowlist updated as IPs change.
Generate secure login rules instantly
Use the WP Login Guard tool to build Apache or Nginx rules for IP allowlisting.