Increased security is always a good idea, especially for important pages like your WordPress admin login. So this article will show you how to protect the wp-admin directory in a WordPress site hosted on an IIS Server. We’re going to do that by blocking access to the directory to everyone but yourself.
On our IIS servers we allow you to use the IP Address and Domain Restrictions module. In this tutorial you’re going to need to connect to your site via IIS Manager. See our Knowledge Base article: How to connect to your site via IIS Manager. (If you prefer a direct web.config file solution, skip to the end of this article for the necessary code.)
- Once connected to your site via IIS Manager, navigate to your wp-admin directory by double clicking on the folder within IIS Manager. It’s important that you’re in your wp-admin directory – if you create the following rule in the root of your WordPress site, you’ll end up blocking everyone from accessing your site.
- Next, double click on IP Address and Domain Restrictions icon
- Under the Actions panel click on Edit Feature Settings…
- This will pop up the Edit IP and Domain Restrictions Settings Click on the drop down menu under Access for unspecified clients and select Deny. Leave Deny Action Type: as Forbidden. Click on OK button.
Now anyone from around the world will be blocked. This means you will be blocked too but that’s okay. The next steps creates a rule to only allow your IP address to access the wp-admin directory.
- Within the IP Address and Domain Restrictions module under Actions click on Add Allow Entry…
- Enter your IP address into the Specific IP address Click the OK box to save the IP.
Now we blocked everyone in the world but only allowed your IP address to access the wp-admin directory. This also means if your IP address changes you will need to update the rule to allow your new IP address. If you don’t know your outside IP address you can always Google What’s My IP. Google will tell you at the top of the search results. That’s the IP address you want to allow.
If you just want to cut to the chase, simply create a web.config file within the wp-admin directory and enter the following:
<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <security> <ipSecurity allowUnlisted="false"> <add ipAddress="184.108.40.206" allowed="true" /> </ipSecurity> </security> </system.webServer> </configuration>
Of course you want to replace 220.127.116.11 with your real IP address.