# Emergency allowlist for the WordPress login page and the wp-admin entry URL,
# for use from .htaccess while a site is under an active brute-force attempt.
# Any client other than the admin address below receives 403 Forbidden.
#
# Scope: the second pattern matches only a URI that ends in "wp-admin" or
# "wp-admin/"; files beneath wp-admin/ are not covered by this rule set.
# REMOTE_ADDR is the address of the connecting peer. Behind a reverse proxy or
# CDN it may be the proxy's address unless the server restores the client IP
# (e.g. with mod_remoteip) - confirm what the server sees before relying on it.
RewriteEngine On

# The request targets wp-login.php ...
RewriteCond %{REQUEST_URI} ^.*wp-login\.php.*$ [OR]
# ... or the wp-admin directory URL itself,
RewriteCond %{REQUEST_URI} ^.*wp-admin/?$
# and the client is not the allowlisted admin IP.
RewriteCond %{REMOTE_ADDR} !^38\.49\.92\.209$
# [F] answers 403 Forbidden and stops rewriting (L is implied).
RewriteRule ^.*$ - [F]



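# wp-login.php restriction - put into public_html/.htaccess
#
# Only the 38.49.92.0/24 range may request wp-login.php; all other clients
# receive 403 Forbidden.
#
# Apache 2.4 uses the "Require" form. The Order/Deny/Allow form is kept for
# Apache 2.2, where mod_authz_core does not exist. On 2.4 the old directives
# are deprecated and only work when mod_access_compat is loaded; without it
# they make every request in this directory fail with a 500 error.
#
# "Require" in .htaccess needs AllowOverride AuthConfig; the 2.2 directives
# need AllowOverride Limit.
#
# This covers wp-login.php only. Other endpoints that accept credentials
# (for example xmlrpc.php) need their own restriction.

<Files "wp-login.php">
    <IfModule mod_authz_core.c>
        Require ip 38.49.92.0/24
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 38.49.92.0/24
    </IfModule>
</Files>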



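# wp-admin restriction - put into public_html/wp-admin/.htaccess
#
# Only the 38.49.92.0/24 range may request anything under wp-admin/; all other
# clients receive 403 Forbidden.
#
# Apache 2.4 uses the "Require" form. The Order/Deny/Allow form is kept for
# Apache 2.2, where mod_authz_core does not exist. On 2.4 the old directives
# are deprecated and only work when mod_access_compat is loaded.
#
# "Require" in .htaccess needs AllowOverride AuthConfig; the 2.2 directives
# need AllowOverride Limit.
#
# Side effect: this denies every file in the directory, including
# admin-ajax.php, which themes and plugins may call from public pages. Check
# that the front end still works for visitors outside the allowed range.

<IfModule mod_authz_core.c>
    Require ip 38.49.92.0/24
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 38.49.92.0/24
</IfModule>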