Wordpress: restrict access by IP (wp-admin and wp-login.php)



  • Hi!

    I have installed Wordpress through the Cloudron App Store, and am trying to restrict access to wp-admin and wp-login.php, using the .htaccess file located at app/code/.htaccess

    I have tried by adding three different code snippets to my .htaccess file, without luck (see below).

    I only achieve that wp-login.php is blocked for all IP addresses, and the IP address I try to whitelist gets the same error message as any other IP address trying to access wp-login.php: "Forbidden You don't have permission to access /wp-login.php on this server. Apache/2.4.18 (Ubuntu) Server at example.com Port 8000"

    The code snippets I have tried without any luck are:

    Alternative 1:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^X.X.X.X$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>
    

    Alternative 2:

    # Block access to wp-admin.
    order deny,allow
    allow from X.X.X.X
    deny from all
    

    Alternative 3:

    # Block access to wp-admin.
    order deny,allow
    deny from all
    allow from X.X.X.X
    

    (X.X.X.X is where I write my IP address)

    Any suggestions on what I can do here?



  • @ahkg
    I found some kind of solution (see below).

    But now I'm wondering if this might cause problems for Cloudron? In the logs, it seems that the Cloudron server has trouble accessing wp-login.php with the check that runs every 10 seconds:

    2018-09-19T09:06:45.000Z [Wed Sep 19 09:06:45.296846 2018] [access_compat:error] [pid 207] [client 172.18.0.1:54684] AH01797: client denied by server configuration: /app/code/wp-login.php

    2018-09-19T09:06:45.000Z 172.18.0.1 - - [19/Sep/2018:09:06:45 +0000] "GET /wp-login.php HTTP/1.1" 403 476 "-" "Mozilla"

    I tried to add the local IP 172.18.0.1 to the whitelist in .htaccess, but this only resulted in wp-login.php being available to all IP addresses.

    ErrorDocument 401 default
    ErrorDocument 403 default
    
    SetEnvIf X-Forwarded-For "^1\.1\.*\.*" AllowIP
    
    <Files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from env=AllowIP
    </Files>
    
    # Block access to wp-admin.
    <Files wp-admin/>
    Order deny,allow
    Deny from all
    Allow from env=AllowIP
    </Files>
    
    # Allow access to wp-admin/admin-ajax.php
    <Files wp-admin/admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>
    
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
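One way to write this rule set for the proxied setup described in the thread, added here as an example (it is neither the poster's configuration nor Cloudron's); 203.0.113.10 is a placeholder for the administrator's IP, and it assumes the health check from 172.18.0.1 arrives without an X-Forwarded-For header.

```apache
# Added example for app/code/.htaccess; not the configuration from the thread.
# Placeholders: 203.0.113.10 = the administrator's public IP; 172.18.0.1 = the
# proxy/host address that appears in the log lines above.
# Uses Apache 2.4 "Require" syntax (the server reports 2.4.18) instead of the
# mod_access_compat Order/Deny/Allow directives.

# Behind the Cloudron reverse proxy REMOTE_ADDR is always the proxy, which is
# why matching REMOTE_ADDR never worked and why whitelisting 172.18.0.1 opened
# the page to everyone. The real client address is in X-Forwarded-For, so match
# that header: anchored, dots escaped, first hop only ("client, proxy1, ...").
# A loose pattern such as "^1\.1\.*\.*" also matches 1.100.x.x or 1.1abc.
SetEnvIf X-Forwarded-For "^203\.0\.113\.10(,|$)" AllowIP

# Assumption: the health check that hits /wp-login.php every 10 seconds comes
# from 172.18.0.1 without an X-Forwarded-For header. Flag it, then drop the
# flag whenever the header is present so forwarded requests are not let through.
SetEnvIf Remote_Addr "^172\.18\.0\.1$" HealthCheck
SetEnvIf X-Forwarded-For "." !HealthCheck

<Files wp-login.php>
    <RequireAny>
        Require env AllowIP
        Require env HealthCheck
    </RequireAny>
</Files>

# <Files> matches file names, not directories, so "<Files wp-admin/>" never
# applies. Protect the directory from a second file, wp-admin/.htaccess,
# repeating the SetEnvIf lines above and then:
#
#     <RequireAny>
#         Require env AllowIP
#     </RequireAny>
#     # admin-ajax.php must stay reachable for front-end AJAX requests.
#     <Files admin-ajax.php>
#         Require all granted
#     </Files>
```

After applying it, check the access log: the 10-second GET /wp-login.php from 172.18.0.1 should return 200 while a request whose X-Forwarded-For is not the allowed address still gets 403.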