Cloudron Forum

WordPress: restrict access by IP (wp-admin and wp-login.php)

    ahkg wrote:
    #1

    Hi!

    I have installed WordPress through the Cloudron App Store, and am trying to restrict access to wp-admin and wp-login.php using the .htaccess file located at app/code/.htaccess.

    I have tried adding three different code snippets to my .htaccess file, without luck (see below).

    All I achieve is that wp-login.php is blocked for all IP addresses, and the IP address I try to whitelist gets the same error message as any other IP address trying to access wp-login.php: Forbidden You don't have permission to access /wp-login.php on this server. Apache/2.4.18 (Ubuntu) Server at example.com Port 8000

    The code snippets I have tried without any luck are:

    Alternative 1:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^X.X.X.X$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>
    

    Alternative 2:

    # Block access to wp-admin.
    order deny,allow
    allow from X.X.X.X
    deny from all
    

    Alternative 3:

    # Block access to wp-admin.
    order deny,allow
    deny from all
    allow from X.X.X.X
    

    (X.X.X.X is where I write my IP address)

    Any suggestions on what I can do here?

      ahkg wrote (last edited by ahkg):
      #2

      @ahkg
      I found some kind of solution (see below).

      But now I'm wondering if this might cause problems for Cloudron? In the logs, it seems that the Cloudron server has trouble getting access to wp-login.php with the check that runs every 10 seconds:
      2018-09-19T09:06:45.000Z [Wed Sep 19 09:06:45.296846 2018] [access_compat:error] [pid 207] [client 172.18.0.1:54684] AH01797: client denied by server configuration: /app/code/wp-login.php

      2018-09-19T09:06:45.000Z 172.18.0.1 - - [19/Sep/2018:09:06:45 +0000] "GET /wp-login.php HTTP/1.1" 403 476 "-" "Mozilla"

      I tried to add the local IP 172.18.0.1 to the whitelist in .htaccess, but this only resulted in wp-login.php being available to all IP addresses.

      ErrorDocument 401 default
      ErrorDocument 403 default
      
      SetEnvIf X-Forwarded-For "^1\.1\.*\.*" AllowIP
      
      <Files wp-login.php>
      Order deny,allow
      Deny from all
      Allow from env=AllowIP
      </Files>
      
      # Block access to wp-admin unless AllowIP is set. <Files> matches file
      # names only, so the directory is guarded with mod_rewrite instead.
      <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{ENV:AllowIP} !=1
      RewriteCond %{REQUEST_URI} ^/wp-admin(/|$)
      RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$
      RewriteRule ^ - [F]
      </IfModule>
      
      # Allow access to wp-admin/admin-ajax.php (<Files> compares the file name
      # only, so the directory part is left out).
      <Files admin-ajax.php>
          Order allow,deny
          Allow from all
          Satisfy any
      </Files>
      
      # BEGIN WordPress
      <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteBase /
      RewriteRule ^index\.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]
      </IfModule>
      
      # END WordPress
      
        nebulon (Staff) wrote:
        #3

        @ahkg the reason whitelisting 172.18.0.1 gives access to all requests is that this is the IP of the Cloudron internal gateway into the subnet where all apps are running.

        Unfortunately for your case the Cloudron healthcheck also comes via this gateway. I think your .htaccess file needs to check the X-Forwarded-For header to check against the correct inbound address.

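Since nebulon's reply ends the thread, here is an added Python model (written for this page, not code from Cloudron or either poster) of the access decision the .htaccess rules above make; it assumes Cloudron's proxy appends the real client to X-Forwarded-For and uses placeholder client addresses. It shows why the REMOTE_ADDR-based alternatives fail behind the 172.18.0.1 gateway, why allowing the gateway opens wp-login.php to everyone, and why the pattern in post #2 is too loose.

```python
import re
from typing import Optional, Set

# The gateway address comes from the thread's log lines; the client addresses
# used below are constructed documentation-range placeholders.
TRUSTED_PROXY = "172.18.0.1"        # Cloudron's internal gateway (from the thread)
ADMIN_ALLOWLIST = {"203.0.113.10"}  # the admin's real public address (placeholder)

def effective_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the address an allowlist should be compared against.

    X-Forwarded-For is believed only when the TCP peer is the trusted proxy,
    and then only its rightmost entry: that is the one the proxy appended
    (assumption: the proxy appends, as nginx's $proxy_add_x_forwarded_for does).
    Earlier entries came from the client, so a forged header cannot match.
    A gateway request with no header (the health check) keeps 172.18.0.1.
    """
    if remote_addr != TRUSTED_PROXY or not xff:
        return remote_addr
    return xff.split(",")[-1].strip()

def remote_addr_rule_allows(remote_addr: str, allowlist: Set[str]) -> bool:
    """Alternatives 1-3 from the question: only REMOTE_ADDR is consulted, and
    behind the gateway that is always 172.18.0.1."""
    return remote_addr in allowlist

def forwarded_rule_allows(remote_addr: str, xff: Optional[str],
                          allowlist: Set[str]) -> bool:
    """X-Forwarded-For aware check with exact-address matching."""
    return effective_client_ip(remote_addr, xff) in allowlist

LOOSE_PATTERN = re.compile(r"^1\.1\.*\.*")  # the SetEnvIf pattern from post #2

def loose_pattern_matches(ip: str) -> bool:
    """'\\.*' means 'zero or more dots' and the end is unanchored, so the
    pattern admits every address that merely starts with '1.1'."""
    return LOOSE_PATTERN.match(ip) is not None

if __name__ == "__main__":
    # REMOTE_ADDR rules: the admin is refused (post #1's symptom), and allowing
    # the gateway instead admits everyone (post #2's finding).
    print(remote_addr_rule_allows(TRUSTED_PROXY, ADMIN_ALLOWLIST))  # False
    print(remote_addr_rule_allows(TRUSTED_PROXY, {TRUSTED_PROXY}))  # True
    # Forwarded-address rule: admin admitted, forged leading entry ignored, and
    # allowing the gateway for the health check does not admit forwarded clients.
    print(forwarded_rule_allows(TRUSTED_PROXY, "203.0.113.10", ADMIN_ALLOWLIST))  # True
    print(forwarded_rule_allows(TRUSTED_PROXY, "203.0.113.10, 198.51.100.7",
                                ADMIN_ALLOWLIST))  # False
    print(forwarded_rule_allows(TRUSTED_PROXY, None, ADMIN_ALLOWLIST | {TRUSTED_PROXY}))  # True
    print(loose_pattern_matches("1.100.2.3"))  # True
```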