Cloudron Forum

Wordpress: restrict access by IP (wp-admin and wp-login.php)

Category: WordPress (Managed) | Status: Unsolved
Tags: wordpress, cloudron, htaccess, security, nginx
3 Posts 2 Posters 4.8k Views
  • ahkg wrote (#1)

    Hi!

    I have installed WordPress through the Cloudron App Store, and am trying to restrict access to wp-admin and wp-login.php, using the .htaccess file located at app/code/.htaccess

    I have tried adding three different code snippets to my .htaccess file, without luck (see below).

    All I achieve is that wp-login.php is blocked for all IP addresses, and the IP address I try to whitelist gets the same error message as any other IP address trying to access wp-login.php: "Forbidden You don't have permission to access /wp-login.php on this server. Apache/2.4.18 (Ubuntu) Server at example.com Port 8000"

    The code snippets I have tried without any luck are:

    Alternative 1:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^X.X.X.X$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>
    

    Alternative 2:

    # Block access to wp-admin.
    order deny,allow
    allow from X.X.X.X
    deny from all
    

    Alternative 3:

    # Block access to wp-admin.
    order deny,allow
    deny from all
    allow from X.X.X.X
    

    (X.X.X.X is where I write my IP address)

    Any suggestions on what I can do here?

  • ahkg replied to ahkg (#2)

    @ahkg
    I found some kind of solution (see below).

    But now I'm wondering if this might cause problems for Cloudron? In the logs, it seems that the Cloudron server has trouble getting access to wp-login.php with the check that runs every 10 seconds:
    2018-09-19T09:06:45.000Z [Wed Sep 19 09:06:45.296846 2018] [access_compat:error] [pid 207] [client 172.18.0.1:54684] AH01797: client denied by server configuration: /app/code/wp-login.php

    2018-09-19T09:06:45.000Z 172.18.0.1 - - [19/Sep/2018:09:06:45 +0000] "GET /wp-login.php HTTP/1.1" 403 476 "-" "Mozilla"

    I tried to add the local IP 172.18.0.1 to the whitelist in .htaccess, but this only resulted in wp-login.php being available to all IP addresses.

    ErrorDocument 401 default
    ErrorDocument 403 default
    
    SetEnvIf X-Forwarded-For "^1\.1\.*\.*" AllowIP
    
    <Files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from env=AllowIP
    </Files>
    
    # Block access to wp-admin.
    <Files wp-admin/>
    Order deny,allow
    Deny from all
    Allow from env=AllowIP
    </Files>
    
    # Allow access to wp-admin/admin-ajax.php
    <Files wp-admin/admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>
    
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    
    
  • nebulon (Staff) wrote (#3)

    @ahkg the reason whitelisting 172.18.0.1 gives access to all requests is that this is the IP of the Cloudron internal gateway into the subnet where all apps are running.

    Unfortunately for your case, the Cloudron healthcheck also comes via this gateway. I think your .htaccess file needs to check for the X-Forwarded-For header to check against the correct inbound address.

  • JUVOJustinJ JUVOJustin referenced this topic on
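The X-Forwarded-For check discussed in #2 and #3, worked through as an added example (not code from either poster or from Cloudron): it compares what the `SetEnvIf` pattern from #2 lets through with an anchored pattern and with a parsed-address check. Assumptions: `1.1.*.*` is meant as 1.1.0.0/16, the reverse proxy appends the connecting address as the last entry of the header, and all function names and sample header values are constructed for illustration.

```python
import ipaddress
import re

# Pattern exactly as posted in #2. SetEnvIf does an unanchored regex search,
# which re.search reproduces for a pattern this simple.
POSTED_PATTERN = r"^1\.1\.*\.*"
# Anchored form of what "1.1.*.*" appears to intend (assumption: 1.1.0.0/16).
ANCHORED_PATTERN = r"^1\.1\.\d{1,3}\.\d{1,3}$"
# Constructed allowlist matching that assumed intent.
ALLOWED_NETS = [ipaddress.ip_network("1.1.0.0/16")]


def regex_allows(pattern, xff):
    """True if a SetEnvIf-style regex would set AllowIP for this header."""
    return xff is not None and re.search(pattern, xff) is not None


def strict_allows(xff, allowed_nets=ALLOWED_NETS):
    # Assumption: the reverse proxy appends the connecting address as the
    # last comma-separated entry; earlier entries are not verified by it.
    if not xff:
        return False
    last = xff.split(",")[-1].strip()
    try:
        addr = ipaddress.ip_address(last)
    except ValueError:
        return False  # malformed value: deny rather than guess
    return any(addr in net for net in allowed_nets)


def compare(samples):
    """Return (header, posted, anchored, strict) rows for each sample."""
    return [(s, regex_allows(POSTED_PATTERN, s),
             regex_allows(ANCHORED_PATTERN, s), strict_allows(s))
            for s in samples]


# Constructed X-Forwarded-For values, not taken from the thread's logs.
SAMPLES = [
    "1.1.2.3",                  # inside the intended range
    "1.10.20.30",               # outside it, but starts with "1.1"
    "1.1.2.3, 198.51.100.9",    # list whose last hop is outside the range
    "198.51.100.9, 1.1.2.3",    # list whose last hop is inside the range
]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print("%-24r posted=%-5s anchored=%-5s strict=%s" % row)
```

The anchored pattern only accepts a header holding a single address, so a multi-entry header is denied by it even when the last hop is in range; the parsed check handles that case.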