Wordpress: restrict access by IP (wp-admin and wp-login.php)
-
Hi!
I have installed Wordpress through the Cloudron App Store, and am trying to restrict access to wp-admin and wp-login.php, using the .htaccess file located at app/code/.htaccess
I have tried by adding three different code snippets to my .htaccess-file, without luck (see below).
I only achieve that wp-login.php is being blocked for all IP-addresses, and the IP address I try to whitelist gets the same error message as any other IP-address trying to access wp-login.php:
Forbidden You don't have permission to access /wp-login.php on this server. Apache/2.4.18 (Ubuntu) Server at example.com Port 8000
The code snippets I have tried without any luck, are:
Alternative 1:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^X.X.X.X$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Alternative 2:
# Block access to wp-admin.
order deny,allow
allow from X.X.X.X
deny from all
Alternative 3:
# Block access to wp-admin.
order deny,allow
deny from all
allow from X.X.X.X
(X.X.X.X is where I write my IP address.) Any suggestions on what I can do here?
-
@ahkg
I found some kind of solution (see below). But now I'm wondering if this might cause problems for Cloudron? In the logs, it seems that the Cloudron server has trouble getting access to wp-login.php with the check that runs every 10 seconds:
2018-09-19T09:06:45.000Z [Wed Sep 19 09:06:45.296846 2018] [access_compat:error] [pid 207] [client 172.18.0.1:54684] AH01797: client denied by server configuration: /app/code/wp-login.php
2018-09-19T09:06:45.000Z 172.18.0.1 - - [19/Sep/2018:09:06:45 +0000] "GET /wp-login.php HTTP/1.1" 403 476 "-" "Mozilla"
I tried to add the local ip 172.18.0.1 to the whitelist in htaccess, but this only resulted in wp-login.php being available to all IP-addresses.
ErrorDocument 401 default
ErrorDocument 403 default
SetEnvIf X-Forwarded-For "^1\.1\.*\.*" AllowIP
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from env=AllowIP
</Files>
# Block access to wp-admin.
<Files wp-admin/>
Order deny,allow
Deny from all
Allow from env=AllowIP
</Files>
# Allow access to wp-admin/admin-ajax.php
<Files wp-admin/admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
-
@ahkg the reason whitelisting 172.18.0.1 gives access to all requests is that this is the IP of the Cloudron internal gateway into the subnet where all apps are running.
Unfortunately for your case the Cloudron healthcheck also comes via this gateway. I think your htaccess file needs to check the X-Forwarded-For header to check against the correct inbound address.
-
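Worked example, added here and not taken from the thread's posters or from Cloudron: a small Python model of the allow/deny decision the .htaccess rules above are trying to express, showing why a REMOTE_ADDR-only rule behind the gateway either blocks everyone or (once 172.18.0.1 is whitelisted) admits everyone, and how a check on X-Forwarded-For has to be written so that a client cannot simply send its own forged header. The admin address 203.0.113.7, the stranger address 198.51.100.9, and the assumption that the gateway appends the connecting address to X-Forwarded-For are constructed for the demo; 172.18.0.1 is the gateway address from the thread.

```python
"""Added example: choosing the client address for an IP allowlist behind a reverse proxy.

Assumptions (not from the thread): the admin's address is 203.0.113.7, and the
Cloudron gateway always appends the connecting address to X-Forwarded-For.
"""
import ipaddress

# Proxies whose X-Forwarded-For entries are trusted (assumed: only the gateway).
TRUSTED_PROXIES = {ipaddress.ip_address("172.18.0.1")}
# Addresses permitted to reach wp-login.php / wp-admin (assumed value).
ADMIN_ALLOWLIST = {ipaddress.ip_address("203.0.113.7")}


def client_ip(remote_addr, x_forwarded_for=None):
    """Return the address of the real client.

    Walk the chain from the right: the rightmost X-Forwarded-For entry was added
    by the proxy nearest to us. Skip every trusted proxy and stop at the first
    untrusted hop. Anything left of that is whatever the client chose to send in
    its own header, so it is never used for the decision.
    """
    chain = [ipaddress.ip_address(remote_addr)]
    if x_forwarded_for:
        chain = [ipaddress.ip_address(p.strip()) for p in x_forwarded_for.split(",")] + chain
    for hop in reversed(chain):
        if hop not in TRUSTED_PROXIES:
            return hop
    # Every hop is a trusted proxy: the request originated at the proxy itself,
    # which is what the gateway's health check looks like from inside the app.
    return chain[0]


def decide(path, remote_addr, x_forwarded_for=None, *, use_forwarded_header=True,
           allowlist=ADMIN_ALLOWLIST):
    """Return 'allow' or 'deny' for a request.

    use_forwarded_header=False reproduces the thread's first attempts, which
    compared REMOTE_ADDR only; behind the gateway that is always 172.18.0.1.
    """
    protected = path == "/wp-login.php" or path.startswith("/wp-admin/")
    if not protected or path == "/wp-admin/admin-ajax.php":
        return "allow"
    if use_forwarded_header:
        origin = client_ip(remote_addr, x_forwarded_for)
    else:
        origin = ipaddress.ip_address(remote_addr)
    return "allow" if origin in allowlist else "deny"


def scenarios():
    """Constructed requests as the app container sees them.

    REMOTE_ADDR is always the gateway; the gateway appends the connecting
    address to X-Forwarded-For (assumption). The health check is modelled as a
    request from the gateway itself with no forwarded client.
    """
    admin = ("/wp-login.php", "172.18.0.1", "203.0.113.7")
    stranger = ("/wp-login.php", "172.18.0.1", "198.51.100.9")
    # A stranger forging the admin's address in its own X-Forwarded-For header.
    spoof = ("/wp-login.php", "172.18.0.1", "203.0.113.7, 198.51.100.9")
    health = ("/wp-login.php", "172.18.0.1", None)
    ajax = ("/wp-admin/admin-ajax.php", "172.18.0.1", "198.51.100.9")
    # Admin plus the gateway, so the health check passes the header-aware check.
    allowed = ADMIN_ALLOWLIST | TRUSTED_PROXIES
    return {
        # REMOTE_ADDR only: the admin is blocked along with everyone else.
        "remote_addr_only_admin": decide(*admin, use_forwarded_header=False),
        # REMOTE_ADDR only with 172.18.0.1 whitelisted: a stranger gets in.
        "remote_addr_gateway_whitelisted": decide(*stranger, use_forwarded_header=False,
                                                  allowlist=allowed),
        # Header-aware check.
        "xff_admin": decide(*admin, allowlist=allowed),
        "xff_stranger": decide(*stranger, allowlist=allowed),
        "xff_spoofed": decide(*spoof, allowlist=allowed),
        "xff_health_check": decide(*health, allowlist=allowed),
        "xff_ajax": decide(*ajax, allowlist=allowed),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:32s} {verdict}")
```

The spoofed case only comes out as "deny" because the gateway is assumed to append the real connecting address after whatever the client sent; if a proxy passes the client's X-Forwarded-For through untouched, the header carries no trustworthy information and an allowlist built on it can be bypassed by anyone. The same right-to-left logic is what a SetEnvIf regex on X-Forwarded-For has to approximate, which is why it should be anchored at both ends rather than matching a prefix.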