Restrict Access to a WordPress Site Based on IP

I recently developed an internal website for our company that wanted to be accessible to employees only. Instead of having a server level password, or individual WordPress logins, we decided to just limit access to by IP address. This way everyone on the office network could access easily, but outside the network they would get an access denied message.

We use WP Engine for hosting, but IP whitelisting or blocking should work with any host.

.htaccess Option

One quick method to set this up is by editing the .htaccess file directly (this should be in the base folder of your WordPress directory) and add the 3 lines at the top of this codeblock:

order deny,allow
deny from all
allow from 98.6.000.111
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
view raw .htaccess hosted with ❤ by GitHub

You’ll want to change the IP address in the example (98.6.000.111) to the IP you want to whitelist. You can also whitelist multiple IP addresses by just adding more below that line.

Plugin Option

An easier option (in my opinion) is to use the Restricted Site Access plugin, maintained by the folks at 10up. This plugin provides you with a dashboard to set up the IP restrictions, and also allows you to set a custom restriction messages or redirects.