Restricting WordPress Admin Access

Following up on Securing Administration of Shared Hosting, if you can restrict access to your administrative pages to a specific IP address or addresses.

This works best if you’re tunneling your traffic to your webserver though ssh, because your IP address may be changing, if you’re using hotspots or if your ISP changes your IP address. This is done though a simple update to the .htaccess file. Edit or create /wp-admin/.htaccess so it contains:
ErrorDocument 403
Order Allow,Deny
Allow from 208.113.186.

The first line changes the “Unauthorized” behavior to simply redirect to my homepage. Otherwise the webserver seems to try to serve the error page from /wp-admin/ and ends up in a redirect loop.

The second line makes the allow/deny decision to default to deny unless there is a specific allow directive (

The last line specifies the IP address or partial IP address to allow. I assume Dreamhost uses load balancing and/or virtual servers, so I didn’t want to restrict access to a single IP address, but figured the IP range would be restrictive enough.