How to Restrict Admin Area Access by IP

Page Protection restricts access to specific URLs based on IP addresses. This guide covers protecting admin areas, sensitive pages, and private content.

Understanding Page Protection

Page Protection implements IP-based access control:

  • Protected Paths: URLs requiring authorization
  • Whitelist: Allowed IP addresses
  • Response: Block method for unauthorized IPs (403, 404, drop)

Only whitelisted IPs can access protected paths. All other IPs receive the configured block response.

Protecting WordPress Admin

Basic WordPress Admin Protection

Restrict wp-admin access to authorized IPs:

Configuration:

Page Protection: Enabled

Protected Paths:
  /wp-admin/
  /wp-login.php

Whitelist:
  203.0.113.10  (Office network)
  198.51.100.25 (Admin home)
  192.0.2.50    (Remote worker)

Response: 404 Not Found

Why 404: Makes admin area appear non-existent to attackers, reducing information disclosure.

Testing Protection

From whitelisted IP:

curl -I https://example.com/wp-admin/

Expected: 200 OK or 302 redirect to login

From non-whitelisted IP:

curl -I https://example.com/wp-admin/

Expected: 404 Not Found

WordPress-Specific Considerations

WordPress admin uses multiple endpoints:

Required Protected Paths:

/wp-admin/          (main admin area)
/wp-login.php       (login page)
/wp-admin/admin-ajax.php  (AJAX operations)
/wp-cron.php        (scheduled tasks - see note below)

Warning: Protecting /wp-cron.php may break scheduled tasks if cron is triggered by visitors, because those visitor requests now receive the block response. Use server-side cron instead. Note that the request server-side cron makes to /wp-cron.php is itself subject to Page Protection, so the server's own address must be on the whitelist or the cron request is blocked as well:

// In wp-config.php: stop WordPress from triggering cron on visitor page loads
define('DISABLE_WP_CRON', true);

# Server crontab entry: trigger WP-Cron every 15 minutes from the server itself
# (URL quoted so the shell does not treat "?" as a glob character)
*/15 * * * * curl 'https://example.com/wp-cron.php?doing_wp_cron' >/dev/null 2>&1

Protecting Custom Admin Panels

Generic Admin Protection

For custom applications:

Configuration:

Protected Paths:
  /admin/
  /administrator/
  /manager/
  /backend/

Whitelist:
  [admin-ips]

Response: 403 Forbidden

Why 403: Custom applications often have specific error handling for 403 vs 404.

Path Pattern Matching

Protected paths match prefixes:

  • /admin/ matches /admin/dashboard, /admin/users, /admin/settings/advanced, etc.
  • /api/admin/ matches /api/admin/users but NOT /api/public/users

Be specific with paths to avoid blocking unintended areas.
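The configuration and matching rules above, as an added reference model (example code written for this guide, not the product's own implementation): a protected-path prefix test, a whitelist check that handles IPv4, IPv6 and IPv4-mapped addresses, and the three block responses. CIDR entries in the whitelist are an assumption of this model, not a documented product feature (the guide notes that CIDR support varies). The addresses are the documentation addresses used throughout this guide.

```python
"""Reference model of Page Protection's decision: protected path prefixes,
an IP whitelist and one block response (403, 404 or drop).

Added example, not the product's own code. CIDR entries in the whitelist are
an extension of this model; the guide says product support for CIDR varies.
"""
import ipaddress
from dataclasses import dataclass, field

# Block responses named in the guide. "drop" means close the connection
# without sending any HTTP response at all.
BLOCK_RESPONSES = {"403": 403, "404": 404, "drop": "drop"}


@dataclass
class PageProtection:
    protected_paths: list              # prefixes, e.g. "/wp-admin/"
    whitelist: list                    # "203.0.113.10" or "203.0.113.0/24"
    response: str = "404"              # "403", "404" or "drop"
    enabled: bool = True
    _networks: list = field(init=False, default_factory=list)

    def __post_init__(self):
        if self.response not in BLOCK_RESPONSES:
            raise ValueError(f"unknown block response: {self.response!r}")
        # A bare address becomes a /32 (or /128) network, so single IPs and
        # ranges are checked the same way below.
        self._networks = [ipaddress.ip_network(e, strict=False) for e in self.whitelist]

    def is_protected(self, path: str) -> bool:
        # Plain prefix match, as the guide describes: "/admin/" covers
        # "/admin/users" but not "/administrator/" and not "/admin" (no slash).
        return any(path.startswith(prefix) for prefix in self.protected_paths)

    def is_whitelisted(self, client_ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return False                # an unparsable address is never trusted
        # A dual-stack front end may present an IPv4 client as ::ffff:a.b.c.d;
        # compare it as IPv4 so the IPv4 whitelist entry still matches.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        return any(addr.version == net.version and addr in net for net in self._networks)

    def decide(self, client_ip: str, path: str):
        """None = let the request through; otherwise 403, 404 or "drop"."""
        if not self.enabled or not self.is_protected(path):
            return None
        if self.is_whitelisted(client_ip):
            return None
        return BLOCK_RESPONSES[self.response]


# The WordPress configuration from this guide, expressed in the model.
WP_ADMIN = PageProtection(
    protected_paths=["/wp-admin/", "/wp-login.php"],
    whitelist=["203.0.113.10", "198.51.100.25", "192.0.2.50"],
    response="404",
)

if __name__ == "__main__":
    for ip, path in [("203.0.113.10", "/wp-admin/"), ("198.51.100.77", "/wp-admin/"),
                     ("198.51.100.77", "/blog/")]:
        print(f"{ip:15} {path:12} -> {WP_ADMIN.decide(ip, path)}")
```

The model matches the raw request path; how the product canonicalises paths before matching (percent-decoding, dot segments, case) is not documented here, so test those forms against a staging site before relying on a prefix rule.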

Managing Whitelists

Finding Your IP Address

Determine your current IP:

curl https://ifconfig.me

or visit https://whatismyip.com

Important: Use this exact IP in the whitelist configuration. It is the public address the site sees your requests coming from, not the private address of your machine on the local network.

Static vs Dynamic IPs

Static IP (business/office):
  • IP doesn’t change
  • Reliable for whitelist
  • Preferred for admin access

Dynamic IP (home/mobile):
  • IP changes periodically (daily, weekly, monthly)
  • Requires whitelist updates
  • Consider VPN for stable IP

Office Network Configuration

Single Static IP:

Whitelist:
  203.0.113.10  (Office)

Multiple Locations:

Whitelist:
  203.0.113.10  (Main office)
  198.51.100.20 (Branch office)
  192.0.2.30    (Remote office)

IP Range (if needed):

Whitelist:
  203.0.113.10
  203.0.113.11
  203.0.113.12
  203.0.113.13
  203.0.113.14

Note: Add each IP individually. CIDR notation support varies.

VPN Configuration

Use VPN for consistent IP addressing:

VPN Exit IP:

Whitelist:
  198.51.100.50  (VPN exit node)

Benefit: All team members use same IP when connected to VPN, simplifying whitelist management.

VPN Setup:
  1. Deploy VPN server (WireGuard, OpenVPN)
  2. Configure team members to use VPN
  3. Whitelist VPN exit IP
  4. Require VPN for admin access

Mobile Access

Options for mobile admin access:

Option 1: Mobile Carrier IP (not recommended)
  • Mobile IPs change frequently
  • Unreliable whitelist

Option 2: VPN (recommended)
  • Team uses VPN on mobile devices
  • Consistent IP addressing
  • Secure connection

Option 3: Temporary Access (for emergencies)
  • Add mobile IP temporarily
  • Complete emergency task
  • Remove IP after use

Advanced Configurations

Multiple Admin Roles

Different protection levels for different roles:

Super Admin (highly restricted):

Protected Paths: /wp-admin/users.php, /wp-admin/tools.php
Whitelist: [owner-ip-only]
Response: 404

Regular Admin (less restricted):

Protected Paths: /wp-admin/
Whitelist: [all-admin-ips]
Response: 403

Implement by using different sites or path-specific rules.

Emergency Access

Plan for emergencies in which none of the whitelisted IPs is available:

Emergency Bypass Procedure:
  1. Temporarily disable Page Protection
  2. Complete emergency task
  3. Re-enable Page Protection immediately
  4. Review logs for any suspicious access during the window

Alternative: Configure emergency access IP (data center, cloud server with static IP).

API Admin Endpoints

Separate protection for API administration:

Configuration:

Protected Paths: /api/admin/
Whitelist: [application-server-ips]
Response: 403

Use Case: Application servers need admin API access, but not full admin panel.

Common Scenarios

Remote Team

Distributed team with dynamic IPs:

Solution 1: Team VPN

Whitelist: [vpn-exit-ip]

Entire team uses company VPN for admin access.

Solution 2: Multiple IPs

Whitelist:
  [team-member-1-home-ip]
  [team-member-2-home-ip]
  [team-member-3-home-ip]
  [office-ip]

Update when team members’ IPs change.

Solution 3: Bastion Host

Whitelist: [bastion-host-ip]

Team SSHs to bastion host, then accesses admin area from there.

Contractor Access

Temporary contractor needs admin access:

Grant Access:
  1. Get contractor’s IP address
  2. Add to whitelist with notation
  3. Document access grant date

Whitelist:
  203.0.113.10  (Office)
  198.51.100.25 (Admin)
  192.0.2.99    (Contractor - expires 2024-06-30)

Revoke Access:
  1. Remove contractor IP from whitelist
  2. Save configuration
  3. Verify contractor can no longer access

Automated Systems

Backend systems need admin access:

Configuration:

Protected Paths: /admin/api/
Whitelist:
  10.0.1.50  (Application server)
  10.0.1.51  (Backup server)
  10.0.1.52  (Monitoring system)
Response: 403

Best Practice: Use private network IPs if the systems are on the same network. Use their public IPs if they reach the site over the internet.

Multi-Site Installations

WordPress multisite with network admin:

Network Admin:

Protected Paths: /wp-admin/network/
Whitelist: [super-admin-ips-only]
Response: 404

Site Admin:

Protected Paths: /wp-admin/
Whitelist: [all-admin-ips]
Response: 403

Protects network-level administration more strictly than site-level.

Protecting Other Sensitive Areas

Development/Staging Environments

Restrict access to non-production environments:

Configuration:

Protected Paths: /
Whitelist:
  [office-ips]
  [developer-ips]
  [qa-team-ips]
Response: 404

The entire staging site is protected and accessible only to the team.

Private Documentation

Internal documentation or resources:

Configuration:

Protected Paths: /internal-docs/
Whitelist: [employee-ips]
Response: 404

File Management

Protect file upload/management areas:

Configuration:

Protected Paths: /wp-admin/upload.php, /filemanager/
Whitelist: [authorized-ips]
Response: 403

Database Management

Protect phpMyAdmin or database tools:

Configuration:

Protected Paths: /phpmyadmin/, /adminer/
Whitelist: [dba-ips-only]
Response: 404

Better: Don’t expose database management tools publicly. Use SSH tunnel instead.

Monitoring and Maintenance

Review Access Logs

Check for unauthorized access attempts:

Dashboard Logs:
  • Filter by URI: /wp-admin/
  • Look for 403/404 responses
  • Note attacking IPs and patterns

Common Attack Patterns:

198.51.100.123 - 45 blocked attempts to /wp-admin/
192.0.2.200    - 32 blocked attempts to /wp-login.php
203.0.113.50   - 28 blocked attempts to /administrator/
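The log review above, as added detection code (written for this guide, not part of the product): it parses the common/combined access-log format that Apache and nginx write by default, keeps only 403/404 responses to the protected prefixes, and prints the per-IP summary shown above. The protected prefixes and the sample log lines are constructed for the example and use documentation addresses.

```python
"""Count blocked requests to protected paths per client IP from access logs.

Added example, not part of the guide or the product: it reads the common /
combined log format and produces the per-IP summary shown in the guide.
"""
import re
from collections import Counter

# One combined-format line: ip, ident, user, [time], "METHOD path proto", status, ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)

PROTECTED = ("/wp-admin/", "/wp-login.php", "/administrator/")
BLOCK_STATUSES = {403, 404}          # the block responses Page Protection sends


def parse_line(line):
    """Return (ip, path-without-query, status) or None for an unparsable line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path").split("?", 1)[0], int(m.group("status"))


def blocked_attempts(lines, protected=PROTECTED, blocked=BLOCK_STATUSES):
    """Return [(ip, protected_prefix, count), ...] sorted by count, highest first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        if status not in blocked:
            continue                     # 200/302: the request got through
        for prefix in protected:
            if path.startswith(prefix):
                counts[(ip, prefix)] += 1
                break
    return sorted(((ip, p, n) for (ip, p), n in counts.items()),
                  key=lambda rec: (-rec[2], rec[0]))


def report(lines, min_attempts=1):
    """Render the summary in the guide's 'IP - N blocked attempts to PATH' form."""
    return [f"{ip} - {n} blocked attempts to {prefix}"
            for ip, prefix, n in blocked_attempts(lines) if n >= min_attempts]


# Constructed sample log lines using documentation addresses (not real traffic).
SAMPLE_LOG = [
    '198.51.100.123 - - [15/Jan/2024:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 404 196 "-" "curl/8.0"',
    '198.51.100.123 - - [15/Jan/2024:10:00:02 +0000] "GET /wp-admin/install.php HTTP/1.1" 404 196 "-" "curl/8.0"',
    '198.51.100.123 - - [15/Jan/2024:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 404 196 "-" "curl/8.0"',
    '192.0.2.200 - - [15/Jan/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '192.0.2.200 - - [15/Jan/2024:10:01:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '192.0.2.200 - - [15/Jan/2024:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "python-requests/2.31"',
    '203.0.113.10 - - [15/Jan/2024:10:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Raise min_attempts to the level that separates scanners from a colleague who mistyped a URL once; the 302 from the whitelisted office address is not counted because only block responses are of interest here.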

Update Whitelist

Regular whitelist maintenance:

Monthly Review:
  • Remove IPs for departed employees
  • Update changed dynamic IPs
  • Add new team members
  • Verify all entries are still needed

Documentation:

203.0.113.10  - Main office (static)
198.51.100.25 - John Smith home (updated 2024-01-15)
192.0.2.30    - VPN exit node
192.0.2.99    - Removed 2024-01-20 (contractor ended)

Audit Access

Periodically audit who has access:

  1. Review current whitelist
  2. Verify each IP is still needed
  3. Check for IP changes
  4. Remove unnecessary entries
  5. Document audit completion
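The monthly review and audit steps above, as an added audit script (written for this guide, not part of the product). It reads the one-entry-per-line documentation format used in this guide (IP, then a note, optionally containing "expires YYYY-MM-DD" for contractors or "updated YYYY-MM-DD" for dynamic addresses) and reports expired, stale, undocumented, duplicate and malformed entries. The 90-day staleness window and the sample whitelist are assumptions of the example.

```python
"""Audit a documented whitelist for expired, stale, invalid and undocumented entries.

Added example, not part of the guide or the product. It reads the "IP - note"
documentation format from this guide and returns the findings a monthly
review is meant to catch.
"""
import ipaddress
import re
from datetime import date, timedelta

DATE_IN_NOTE = re.compile(r"\b(expires|updated)\s+(\d{4}-\d{2}-\d{2})", re.IGNORECASE)


def parse_entry(line):
    """'203.0.113.10 - Main office (static)' -> (ip, note, {'expires': date, ...})."""
    parts = line.strip().split(None, 1)
    if not parts:
        return None
    ip = parts[0]
    note = parts[1].lstrip(" -") if len(parts) > 1 else ""
    dates = {kind.lower(): date.fromisoformat(d) for kind, d in DATE_IN_NOTE.findall(note)}
    return ip, note, dates


def audit(lines, today, stale_after=timedelta(days=90)):
    """Return [(ip, finding), ...]; an empty list means the whitelist is clean.

    today may be a date or an ISO string; stale_after is how long a dynamic IP
    may go without re-verification (assumed 90 days here).
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    seen = set()
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        ip, note, dates = entry
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, "invalid address"))
            continue
        if ip in seen:
            findings.append((ip, "duplicate entry"))
        seen.add(ip)
        if not note:
            findings.append((ip, "undocumented: no note saying who or what this is"))
        if "expires" in dates and dates["expires"] < today:
            findings.append((ip, f"expired on {dates['expires']}"))
        if "updated" in dates and today - dates["updated"] > stale_after:
            findings.append((ip, f"dynamic IP not re-verified since {dates['updated']}"))
    return findings


# Constructed whitelist documentation in the guide's own format.
SAMPLE_WHITELIST = """
203.0.113.10  - Main office (static)
198.51.100.25 - John Smith home (updated 2024-01-15)
192.0.2.30    - VPN exit node
192.0.2.99    - Contractor (expires 2024-06-30)
10.0.1.50
203.0.113.999 - typo in office backup address
192.0.2.30    - VPN exit node
""".strip().splitlines()

if __name__ == "__main__":
    for ip, finding in audit(SAMPLE_WHITELIST, today="2024-07-01"):
        print(f"{ip:15} {finding}")
```

Run it against the documented list, then compare that list with what is actually configured: an entry that is only in one of the two places is itself a finding.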

Troubleshooting

Can’t Access Admin Area

Symptom: Admin user receives 403 or 404 when accessing admin area.

Diagnosis:

# Check your IP
curl https://ifconfig.me
# Output: 198.51.100.25

# Compare with whitelist
# If not in whitelist, that's the issue

Solution:
  1. Get current IP address
  2. Add to whitelist
  3. Save configuration
  4. Test access again

IP Changed

Symptom: Admin access worked yesterday, blocked today.

Cause: Dynamic IP changed overnight.

Immediate Solution:
  1. Determine new IP
  2. Update whitelist
  3. Remove old IP if no longer used

Long-term Solution:
  • Use VPN for stable IP
  • Upgrade to static IP from ISP
  • Use mobile hotspot as backup

Whitelist Not Working

Symptom: IP is whitelisted but still blocked.

Diagnosis:
  1. Verify exact IP in whitelist matches current IP
  2. Check for typos in IP address
  3. Verify protected paths include requested URL
  4. Check configuration is saved and deployed

Common Issues:
  • IPv4 vs IPv6 mismatch
  • Trailing slash in path (/admin/ vs /admin)
  • Configuration not saved
  • Deployment not complete
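The diagnosis checklist above, as an added helper (example code written for this guide, not the product's own diagnostics): given the client IP, the requested path and the configured whitelist and protected paths, it reports which of the checks fails, including the IPv4/IPv6 mismatch, a trailing-slash mismatch between the rule and the URL, and a whitelist entry that differs from the client address by one octet (a likely typo). The finding labels and the same-/24 typo heuristic are assumptions of the example.

```python
"""Explain why a request that should be whitelisted is still blocked.

Added example, not the product's own diagnostics. It returns the checks from
the guide's Diagnosis / Common Issues lists that fail for one request.
"""
import ipaddress


def _parse(ip):
    try:
        return ipaddress.ip_address(ip)
    except ValueError:
        return None


def diagnose(client_ip, requested_path, whitelist, protected_paths):
    """Return a list of findings; an empty list means the request should be allowed."""
    findings = []
    client = _parse(client_ip)
    if client is None:
        return [f"client address {client_ip!r} is not a valid IP"]
    if client.version == 6 and client.ipv4_mapped is not None:
        client = client.ipv4_mapped      # ::ffff:a.b.c.d is an IPv4 client behind a dual-stack proxy
        client_ip = str(client)

    # 1. Is the URL covered at all? If not, the block comes from something else
    #    (application auth, rate limiting), not from Page Protection.
    if not any(requested_path.startswith(p) for p in protected_paths):
        findings.append("path-not-protected: Page Protection does not apply to this URL")
        for p in protected_paths:
            if p.rstrip("/") == requested_path.rstrip("/") and p != requested_path:
                findings.append(f"trailing-slash-mismatch: protected {p!r} vs requested {requested_path!r}")

    # 2. Is the client IP actually in the list? Flag typos and family mismatches.
    entries = [(raw, _parse(raw)) for raw in whitelist]
    for raw, parsed in entries:
        if parsed is None:
            findings.append(f"invalid-whitelist-entry: {raw!r}")
    valid = [parsed for _, parsed in entries if parsed is not None]
    if client in valid:
        return findings                  # IP matches; only path findings (if any) remain
    findings.append(f"ip-not-whitelisted: {client_ip} is not in the whitelist")
    if client.version == 6 and all(v.version == 4 for v in valid):
        findings.append("ipv6-client-ipv4-whitelist: client connects over IPv6 but every entry is IPv4")
    if client.version == 4:
        same_24 = ".".join(client_ip.split(".")[:3]) + "."
        for raw in whitelist:
            if raw.startswith(same_24):
                findings.append(f"possible-typo: whitelist has {raw}, client is {client_ip} (same /24)")
    return findings


if __name__ == "__main__":
    wl = ["203.0.113.10", "198.51.100.25"]
    pp = ["/wp-admin/", "/wp-login.php"]
    for ip, path in [("203.0.113.11", "/wp-admin/"), ("2001:db8::10", "/wp-admin/"),
                     ("203.0.113.10", "/wp-admin")]:
        print(ip, path, diagnose(ip, path, wl, pp))
```

Feed it the IP reported by curl https://ifconfig.me from the affected device, not the address the operator believes it has; the "IP changed" and "mobile data vs WiFi" cases in this section are exactly the ones where those two differ.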

Multiple People, One IP

Symptom: Office shares one IP, but only one person can work.

Cause: This is not an actual issue – IP whitelisting allows unlimited users from the same IP.

If Still Having Issues:
  • Check for rate limiting conflicts
  • Verify path protection is correct
  • Test from different devices on same network

Mobile Access Issues

Symptom: Mobile device can’t access admin, even though IP is whitelisted.

Diagnosis:

# From mobile device
curl https://ifconfig.me

Common Causes:
  • Mobile carrier uses different IP than expected
  • Mobile data vs WiFi use different IPs
  • Mobile carrier uses IPv6, whitelist has IPv4

Solution:
  • Use VPN on mobile device
  • Whitelist both mobile IPs (data and WiFi)
  • Consider IPv6 if carrier uses it

Best Practices

Principle of Least Privilege: Only whitelist IPs that truly need access.

Document Everything: Note what each whitelisted IP is for.

Regular Reviews: Monthly review and cleanup of whitelist.

Use VPN: Provides consistent IP and encrypted connection.

Plan for Emergencies: Have procedure for access when regular methods unavailable.

Monitor Logs: Watch for unauthorized access attempts.

Layer Security: Combine with rate limiting, strong passwords, 2FA.

Test Changes: Verify access works after whitelist updates.

Backup Access: Maintain emergency access method (server console, SSH tunnel).

Communicate Changes: Notify team before making whitelist changes.

Page Protection provides strong access control when properly configured and maintained. Regular reviews and updates ensure authorized users maintain access while attackers are blocked.