WordPress IIS restrict access by IP address
One way to secure WordPress running on Windows IIS is to restrict access to both the wp-admin directory and the wp-login.php file by IP address. On Linux this is as easy as placing a .htaccess file in the directory you wish to secure. With IIS it’s a little different. The guide below runs through how you can secure your WordPress site with the IP Address and Domain Restrictions tool in IIS Manager.
Before getting started you will need the following…
Start by opening your IIS Manager. (Start > Run > inetmgr) Under Sites select your website. If you don’t see the IP Address and Domain Restrictions icon then you will need to install it. If you can see it you can skip ahead.
To install the IP Address and Domain Restrictions feature, double click on the Web Platform Installer icon. If this icon isn’t there either then you will need to install the Web Platform Installer from Microsoft. You can download it here.
Inside the Web Platform Installer, search for IP Address and Domain Restrictions and install it. (It may be called IIS: IP and Domain Restrictions)
Once installed, you will want to select your website on the left hand side under Sites, and then expand it and select your wp-admin directory. Once selected double click on IP Address and Domain Restrictions.
First up you will want to set the Feature Settings (right hand side menu) to deny. This will deny all access to our selected wp-admin directory. We then want to set up our whitelist of IP addresses. If you wish to use domains in your allow list then you will need to enable them in the Feature Settings window.
To start adding the IP addresses or domains you wish to allow, click on the Add Allow Entry… link on the right hand side. You can add a single IP address, an IP address range or a domain name (if the domain option isn’t there or is disabled, go back to Feature Settings and enable domains).
Once you’re finished with wp-admin, you might also wish to do the same with wp-login.php. If you can’t see the wp-login.php file on the left hand side under your site, click on the Content View button. Find wp-login.php and then click the Switch to Feature View… option on the right hand side. From there you will see wp-login.php is selected and you can open the IP Address and Domain Restrictions feature.
All done! You should now see a 403 Access Denied error when trying to access the restricted content from an unlisted IP.
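The same restrictions can be scripted rather than clicked through in IIS Manager. The PowerShell below is an added example, not part of the original guide: the site name and the allowed addresses are placeholders, and it assumes the WebAdministration module and the IP and Domain Restrictions feature are already installed. It writes to applicationHost.config (as IIS Manager does) because the ipSecurity section is locked against web.config overrides by default.

```powershell
# Added example: scripted equivalent of the IIS Manager steps in this guide.
# Run from an elevated PowerShell prompt on the IIS server.
Import-Module WebAdministration

$site   = 'Default Web Site'            # placeholder: your site name as shown under Sites
$paths  = 'wp-admin', 'wp-login.php'    # the two locations the guide restricts
$filter = 'system.webServer/security/ipSecurity'
$root   = 'MACHINE/WEBROOT/APPHOST'     # store the rules in applicationHost.config

# Placeholder allow list (documentation address ranges, replace with your own).
$allowList = @(
    @{ ipAddress = '203.0.113.10'; allowed = $true },                               # single address
    @{ ipAddress = '198.51.100.0'; subnetMask = '255.255.255.0'; allowed = $true }  # address range
)

foreach ($p in $paths) {
    $location = "$site/$p"

    # "Feature Settings > deny": clients not on the list are refused.
    Set-WebConfigurationProperty -PSPath $root -Location $location `
        -Filter $filter -Name 'allowUnlisted' -Value $false

    # Read the entries already present so a re-run does not fail on duplicates.
    $existing = (Get-WebConfiguration -PSPath $root -Location $location -Filter $filter).Collection |
        ForEach-Object { $_.ipAddress }

    # "Add Allow Entry": one rule per address or range.
    foreach ($entry in $allowList) {
        if ($existing -notcontains $entry.ipAddress) {
            Add-WebConfiguration -PSPath $root -Location $location -Filter $filter -Value $entry
        }
    }

    # Print the resulting rule set for review.
    Write-Host "Rules for ${location}:"
    (Get-WebConfiguration -PSPath $root -Location $location -Filter $filter).Collection |
        Select-Object ipAddress, subnetMask, allowed | Format-Table -AutoSize
}
```

After running it, request wp-login.php from an address that is not on the list and confirm the 403 response before relying on the rule.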