EXCELLENT, SIMPLE & EFFECTIVE - This is a great video & you're the only one who's nailed it with pure simple logic.
Thanks!
+xINFINITELOOPx That's what I like to hear! Thanks for the great feedback and thanks for watching!
Hello. What is the difference between limiting access to wp-admin vs limiting access to wp-login? And what implications do both of these options have for eCommerce sites?
Good question. If you are not logged in and you go to /wp-admin then you'll be redirected to the /wp-login page. However, if you are logged in (or someone hacks in) and they go to wp-admin, then they'll be redirected to your WP dashboard. The wp-login page remains the login page whether you're logged in or not.
For eCommerce sites, customers usually only have access to their account pages on the front end. They have no need to go into the WP dashboard. The only people who need access to the WP dashboard are you and people who work for you on the site.
So blocking all other IP addresses is a good security practice.
I hope that helps, let me know if you have any further questions. Thanks for watching!
@wplearninglab Thanks for the reply! I have been researching this for a week, and surprised this isn't explained very clearly anywhere.
So, to clarify, if I have an eCommerce site, blocking all other IP addresses to the wp-admin won't affect my customers? Is this correct (because this is contrary to some of what I've read, but it was ambiguous about admin vs login)? And customers will still be able to login to front-end at /wp-login.php? Also, what if I rename the login page for extra security? They can still register/subscribe no problem? Thanks again for the LearningLab!
Thank you for the informative video. If I follow what you did with the .htaccess file (and put it into the WP-ADMIN folder), will it be enough to stop hackers from hacking my website?
Sir, you are very helpful!
Hi, thanks for this information.
I have another problem: I can't do anything in my dashboard. Forbidden 403
You don't have permission to access this resource.
Doesn't the IP change when you reboot your static PC and reconnect again to the internet?
Hi, thanks for your helpful content. I have an online training site where instructors can register and teach. If a user submits a comment, I don't want the article notification email sent to the instructors. That is, only the administrator can see and validate or refuse. Do you know how to fix it?
Instead of a single IP, is there a way of adding Geo Location so access will only be permitted from UK for instance and no other country besides UK?
Hello. Please help me understand. I want Administrators, Editors, and Authors to have the ability to access the dashboard; while also allowing Customers to login or register to my front end. This arrangement seems like what most WordPress Administrators would want. But what I don't understand is why any other user-role (ie: Subscriber) would need access to the dashboard.
Furthermore, from my understanding, doesn't limiting access to the dashboard (like this video shows with IPs) prevent e-Commerce sites from working because Customers won't be able to login unless their IP is whitelisted?? Or have I misunderstood?
This seems incredibly strange to me because - how many websites want Subscribers to have access to the dashboard (very few) vs how many e-Commerce sites need to have Customers able to subscribe (nearly all)?
It seems to me that the default should be preventing Subscribers from accessing the dashboard, rather than default allowing them access. Please explain. Thanks for your great work! (ps - I'd rather not install another plugin for this purpose).
Hi there, I'm just putting together a WP site on a local server, using Instant Wordpress. I'm adding security before I upload the files to a remote server but every time I try to use this method, I'm Forbidden? Can I develop these types of security measures using a local server? I'm having the same issues when I modify the config file? Any advice is appreciated in advance, as I have limited knowledge in using WP!
Cheers
Rich
Hi WP learning, there is a big flaw in this system. It does not login, but when you go back to the homepage of the website, it shows you the homepage but as a logged in user. How can we fix this? It happens with WPS hide login. The other issue is that you can still login through /wp-login.php. Through wp-login.php, it will deny it access, but if you visit the home page after you try /wp-login.php, it will come back as a logged in user. Is there a solution to this?
Hi, where can I find the code mentioned that is below the video? Thank you.
I am adding my correct IP address but still it's not allowing me to access my admin. Can anybody please help?
If your internet provider is assigning you a dynamic IP address every time you login, this would not work for you, correct?
+GManGT That's correct. However, your ISP likely assigns a dynamic IP inside of a range of IPs. So you could limit access to that range of IPs. Which isn't the best-case scenario, but it could still be useful.
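The range approach from the reply above, written out as an added example (not the code from the video and not part of the comment thread). It assumes Apache 2.4 with `AllowOverride AuthConfig`; the addresses are documentation placeholders to be replaced with your own, and it also covers the case of allowing more than one address.

```apache
# File: wp-admin/.htaccess  (Apache 2.4+, mod_authz_core)
# Placeholder addresses from the documentation ranges; substitute your own.

# Allow the dashboard only from the listed sources. Any one match is enough.
<RequireAny>
    # A single static address (for example, the office)
    Require ip 203.0.113.25
    # A second, separate address (for example, home)
    Require ip 198.51.100.7
    # A whole range, for an ISP that hands out dynamic addresses inside it
    Require ip 198.51.100.0/24
</RequireAny>

# admin-ajax.php lives in wp-admin but is called by front-end themes and
# plugins (carts, forms, search). Leave it reachable for visitors, otherwise
# front-end features break for everyone outside the allowed addresses.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Equivalent on Apache 2.2 (or 2.4 with mod_access_compat), the older
# deny/allow style mentioned in the comments:
#   Order deny,allow
#   Deny from all
#   Allow from 203.0.113.25
#   Allow from 198.51.100.0/24
```

Check the result from a connection outside the allowed ranges, such as a phone on mobile data: /wp-admin/ should return 403 while the public pages still load.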
Man, please help. On my IP I have access denied when I try to login; from any other IP I can access my login page except my home IP. I tried this method with deny and allow from my IP on .htaccess but it does not work; only if I change my IP address, that is when I can access the wp-login.php page. Sorry for bad English, it is not my first language.
For some reason my IP address changes for every browser from the same location? Is that normal? Every browser gives me a new IP? Any suggestions? Is there a way to block login based on the Country name or Country IP?
Hi, I know this is not related, but I was in my WordPress and saw the force http and once I activated it my WordPress temporarily shut down. You know the error message that you get when Google tells you that the site is temporarily down? What do I do?
Hi Marcelino,
When you de-activate it does the site come back up? Did the Google error message mention anything about a "loop"?
What if you need to allow 2 separate IP addresses?
How to allow Itheme security plugin to access wp-admin
Could you please do a video on How to block libwww-perl
I don't know why this isn't working for me.
Hi Endri,
Have you confirmed it's not working by blocking your own IP and seeing if you're locked out?
What about wp-login.php? An ex web development company are terrorising my client, they are using this page to try and login.
Hi Elle,
That doesn't sound like a fun experience. The first thing I would try is moving the login page. If they can't find the login page, then they can't login. Check out this tutorial: ua-cam.com/video/p7qxSptZif0/v-deo.html
Blocking their IP may work, but if they're crafty they'll just try from other IPs.
I hope that helps. Let me know how it goes!
@wplearninglab I followed your other tutorial (great tip by the way), but it has not worked. I have blocked wp-admin and wp-login.php, and they are still attempting to login about three times an hour. I don't have a clue how they are able to do it. I have set up a limit login attempt, they are bouncing their IP around using a VPN. I have put a captcha at the login page as well, but even if the bot doesn't complete the captcha it still registers as a failed login. These people are crafty and I have no idea what next step to take. Thank you for your tutorials though, they have gotten me this far.
Will this method work with WPS Hide Login?
Yes, it should. The IP block prevents access to the admin pages, no matter where the login page is located.
I hope that helps and thanks for watching! Let me know if you have any further questions :)
@wplearninglab Hi WP learning, it did not work for me. I'm on DigitalOcean on an Ubuntu server. Any idea why this didn't work for me?
Can you use this for certain pages leaving the home page accessible to everyone?
Stephen Good Hi Stephen. If I understand correctly you want to have the homepage accessible to everyone and other pages on your website accessible only to certain IP addresses? Is that correct? If so, there might be easier options than .htaccess tweaks.
WP Learning Lab Yes you are correct. I wanted to have the homepage accessible to everyone and the other pages on your website accessible only to certain IP addresses