IP protecting the WordPress wp-admin directory on an IIS Server

Martin OrtegaIncreased security is always a good idea, especially for important pages like your WordPress admin login. So this article will show you how to protect the wp-admin directory in a WordPress site hosted on an IIS Server. We’re going to do that by blocking access to the directory to everyone but yourself.

On our IIS servers we allow you to use the IP Address and Domain Restrictions module. In this tutorial you’re going to need to connect to your site via IIS Manager. See our Knowledge Base article: How to connect to your site via IIS Manager. (If you prefer a direct web.config file solution, skip to the end of this article for the necessary code.)

  1. Once connected to your site via IIS Manager, navigate to your wp-admin directory by double clicking on the folder within IIS Manager. It’s important that you’re in your wp-admin directory – if you create the following rule in the root of your WordPress site, you’ll end up blocking everyone from accessing your site.
  2. Next, double click on IP Address and Domain Restrictions icon

IP_Address_and_Domain_Restructions

  1. Under the Actions panel click on Edit Feature Settings…
  2. This will pop up the Edit IP and Domain Restrictions Settings Click on the drop down menu under Access for unspecified clients and select Deny. Leave Deny Action Type: as Forbidden. Click on OK button.

IP_Address_and_Domain_Restructions2

Now anyone from around the world will be blocked. This means you will be blocked too but that’s okay. The next steps creates a rule to only allow your IP address to access the wp-admin directory.

  1. Within the IP Address and Domain Restrictions module under Actions click on Add Allow Entry…
  2. Enter your IP address into the Specific IP address Click the OK box to save the IP.

IP_Address_and_Domain_Restructions3

Now we blocked everyone in the world but only allowed your IP address to access the wp-admin directory. This also means if your IP address changes you will need to update the rule to allow your new IP address. If you don’t know your outside IP address you can always Google What’s My IP. Google will tell you at the top of the search results. That’s the IP address you want to allow.

If you just want to cut to the chase, simply create a web.config file within the wp-admin directory and enter the following:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <ipSecurity allowUnlisted="false">
                <add ipAddress="8.8.8.8" allowed="true" />
            </ipSecurity>
        </security>
    </system.webServer>
</configuration>

Of course you want to replace 8.8.8.8 with your real IP address.

4 thoughts on “IP protecting the WordPress wp-admin directory on an IIS Server

  1. Is there a way to whitelist access to wp-admin directory, but allow all ip’s to access ajax-admin.php.

    I can easily whitelist the wp-admin directory, but my api breaks because ajax-admin is in that directory.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.