    Unsolved Wordpress: restrict access by IP (wp-admin and wp-login.php)

    WordPress (Managed)
    wordpress cloudron htaccess security nginx
    • ahkg
      ahkg last edited by

      Hi!

      I have installed Wordpress through the Cloudron App Store, and am trying to restrict access to wp-admin and wp-login.php, using the .htaccess file located at app/code/.htaccess

      I have tried by adding three different code snippets to my .htaccess-file, without luck (see below).

      I only achieve that wp-login.php is being blocked for all IP-addresses, and the IP address I try to whitelist gets the same error message as any other IP-address trying to access wp-login.php: Forbidden You don't have permission to access /wp-login.php on this server. Apache/2.4.18 (Ubuntu) Server at example.com Port 8000

      The code snippets I have tried without any luck, are:

      Alternative 1:

      <IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
      RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
      RewriteCond %{REMOTE_ADDR} !^X.X.X.X$
      RewriteRule ^(.*)$ - [R=403,L]
      </IfModule>
      

      Alternative 2:

      # Block access to wp-admin.
      order deny,allow
      allow from X.X.X.X
      deny from all
      

      Alternative 3:

      # Block access to wp-admin.
      order deny,allow
      deny from all
      allow from X.X.X.X
      

      (X.X.X.X is where I write my IP address)

      Any suggestions on what I can do here?

      • ahkg
        ahkg @ahkg last edited by ahkg

        @ahkg
        I found some kind of solution (see below).

        But now I'm wondering if this might cause problems for Cloudron? In the logs, it seems that the Cloudron server has trouble getting access to the wp-login.php, with the check that runs every 10 seconds:
        2018-09-19T09:06:45.000Z [Wed Sep 19 09:06:45.296846 2018] [access_compat:error] [pid 207] [client 172.18.0.1:54684] AH01797: client denied by server configuration: /app/code/wp-login.php

        2018-09-19T09:06:45.000Z 172.18.0.1 - - [19/Sep/2018:09:06:45 +0000] "GET /wp-login.php HTTP/1.1" 403 476 "-" "Mozilla"

        I tried to add the local ip 172.18.0.1 to the whitelist in htaccess, but this only resulted in wp-login.php being available to all IP-addresses.

        ErrorDocument 401 default
        ErrorDocument 403 default
        
        SetEnvIf X-Forwarded-For "^1\.1\.*\.*" AllowIP
        
        <Files wp-login.php>
        Order deny,allow
        Deny from all
        Allow from env=AllowIP
        </Files>
        
        # Block access to wp-admin.
        <Files wp-admin/>
        Order deny,allow
        Deny from all
        Allow from env=AllowIP
        </Files>
        
        # Allow access to wp-admin/admin-ajax.php
        <Files wp-admin/admin-ajax.php>
            Order allow,deny
            Allow from all
            Satisfy any
        </Files>
        
        # BEGIN WordPress
        <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteRule ^index\.php$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.php [L]
        </IfModule>
        
        # END WordPress
        
        
        • nebulon
          nebulon Staff last edited by

          @ahkg the reason whitelisting 172.18.0.1 gives access to all requests is that this is the IP of the Cloudron internal gateway into the subnet where all apps are running.

          Unfortunately for your case, the Cloudron healthcheck also comes via this gateway. I think your htaccess file needs to check for the X-Forwarded-For header to check against the correct inbound address.

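The behaviour described in the last reply, modelled in Python as an added example (not code from the thread or from Cloudron): it compares an allowlist keyed on the TCP peer address with one keyed on X-Forwarded-For, and tests the SetEnvIf pattern exactly as posted. Assumptions: the gateway puts the address it saw as the last X-Forwarded-For entry, the health check sends no such header, and the 203.0.113.x / 198.51.100.x addresses are constructed documentation values.

```python
import ipaddress
import re

GATEWAY = "172.18.0.1"  # Cloudron internal gateway, taken from the log lines in the thread
ADMIN_NET = ipaddress.ip_network("203.0.113.0/24")  # constructed admin range (assumption)
POSTED_RE = re.compile(r"^1\.1\.*\.*")  # SetEnvIf pattern exactly as posted


def allow_by_remote_addr(remote_addr, allowlist):
    """Model of 'Allow from <ip>': only the TCP peer address is compared."""
    return remote_addr in allowlist


def forwarded_client(remote_addr, xff):
    """Address to authorize: the last X-Forwarded-For entry, and only when the
    TCP peer is the gateway. Returns None when nothing usable is present."""
    if remote_addr != GATEWAY or not xff:
        return None
    last = xff.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        return None


def allow_by_forwarded(remote_addr, xff):
    """Allow only when the forwarded client address is inside ADMIN_NET."""
    ip = forwarded_client(remote_addr, xff)
    return ip is not None and ip in ADMIN_NET


def posted_pattern_matches(xff):
    """SetEnvIf performs an unanchored regex search on the header value."""
    return POSTED_RE.search(xff) is not None


# Constructed requests: (REMOTE_ADDR, X-Forwarded-For) as Apache inside the app sees them.
REQUESTS = {
    "admin": (GATEWAY, "203.0.113.7"),
    "other": (GATEWAY, "198.51.100.23"),
    "healthcheck": (GATEWAY, ""),  # assumption: no forwarded header on the health check
    "chained": (GATEWAY, "203.0.113.7, 198.51.100.23"),
}

if __name__ == "__main__":
    for name, (peer, xff) in REQUESTS.items():
        print(name, allow_by_remote_addr(peer, {GATEWAY}), allow_by_forwarded(peer, xff))
```

Every request reaches Apache with the gateway as its peer, so allowlisting 172.18.0.1 admits all of them, while the posted pattern matches any header value beginning with `1.1` because `\.*` means "zero or more dots". The health check stays denied in this model, which matches the 403 lines in the log.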