If you are on Hostinger, you have access to a special server feature called GeoIP that makes this much cleaner than on other hosts.
Here are the three best ways to do it, ranked from best to easiest.
Method 1: Using Hostinger’s Native GeoIP (Recommended)
Hostinger has a built-in module that can detect countries. This allows you to block access to the admin page using a simple code snippet in your .htaccess file, rather than pasting thousands of IP addresses.
This method protects specifically the login page (wp-login.php), not your whole site.
- Open Hostinger hPanel → Websites → Manage.
- Go to File Manager and open the
public_htmlfolder. - Right-click the
.htaccessfile and select Edit. - Add this code at the top of the file:
Apache
<IfModule mod_geoip.c>
GeoIPEnable On
RewriteEngine On
# Allow only these countries (Use 2-letter codes: US, GB, IN, etc.)
# Change "US|GB" to your own country codes.
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} !^(US|GB)$
# Block access to wp-login.php and xmlrpc.php for everyone else
RewriteRule (wp-login|xmlrpc)\.php$ - [F,L]
</IfModule>
- How it works: This code says “If the visitor is NOT (!) from the US or Great Britain (GB), block the login page.”
- Note: You can find your 2-letter country code here.
Method 2: Using Cloudflare (Best Performance)
If you have connected your Hostinger site to Cloudflare (which is free and recommended), you can use their firewall to block countries before they even reach your Hostinger server.
- Log in to your Cloudflare Dashboard.
- Go to Security → WAF (Web Application Firewall).
- Click Create Rule.
- Set it up like this:
- Field: Country
- Operator: equals
- Value: (Select the countries you want to block, e.g., Russia, China, etc.)
- AND (Click the “And” button to add a second condition)
- Field: URI Path
- Operator: contains
- Value:
/wp-admin
- Action: Block.
- Click Deploy.
Method 3: Using a Plugin (Easiest / No Code)
If you prefer a visual interface inside WordPress:
- Install the Wordfence Security plugin.
- Go to Wordfence → Firewall → Blocking.
- Select Country Blocking (Note: This is often a Premium feature in Wordfence).
- Free Alternative: Install the “iQ Block Country” plugin. It allows you to block access to the backend (admin) specifically for certain countries.
⚠️ Important Warning
If you travel to a blocked country (e.g., on vacation) or use a VPN that routes through a blocked country, you will lock yourself out.
Here is the list of common 2-letter country codes you might need, along with the specific code snippet to use in your .htaccess file.
1. Common Country Codes List
| Region | Country | Code |
| Vietnam & SEA | Vietnam | VN |
| Singapore | SG | |
| Thailand | TH | |
| Philippines | PH | |
| Asia | Japan | JP |
| South Korea | KR | |
| China | CN | |
| Taiwan | TW | |
| Western | United States | US |
| United Kingdom | GB | |
| Australia | AU | |
| Canada | CA | |
| France | FR | |
| Germany | DE |
Note: The code for the United Kingdom is GB, not UK.
2. How to write the code in .htaccess
In the code snippet from Method 1 (using Hostinger GeoIP), you will edit the RewriteCond line.
The rule is to use the vertical bar symbol | to separate the country codes. This symbol means “OR”.
Example: If you want to allow access from Vietnam, USA, Singapore, and Japan, you would write:
Apache
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} !^(VN|US|SG|JP)$
Complete Code (Copy & Paste)
Here is the complete code to paste at the top of your .htaccess file inside the public_html folder. (I have included VN, US, SG, and JP as an example).
Apache
<IfModule mod_geoip.c>
GeoIPEnable On
RewriteEngine On
# Allow only VN, US, Singapore, Japan to access admin
# Add or remove country codes below, separated by |
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} !^(VN|US|SG|JP)$
# Block access to wp-login.php and xmlrpc.php for everyone else
RewriteRule (wp-login|xmlrpc)\.php$ - [F,L]
</IfModule>