Restricting access to Wordpress admin by IP address - wordpress

When restricting access to the WordPress admin via IP, is it necessary to include /wp-login.php and /wp-admin?

Yes, then only people from that IP will be able to access either of them. Please note that restrictions on wp-admin will create havoc with any calls to admin-ajax.php. This can be resolved by whitelisting 127.0.0.1.
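The restriction described in the answer above, written for Apache 2.4 (an added example, not part of the original answer). The admin address 203.0.113.10 and the WordPress root /var/www/html are assumed placeholders.

```apache
# Added example. Assumptions: Apache 2.4 (mod_authz_core and mod_authz_host),
# WordPress installed in /var/www/html, admin address 203.0.113.10
# (a documentation-range placeholder). Place this in the server or vhost
# config, because <Directory> is not permitted in .htaccess.

# The login form lives outside /wp-admin, so it needs its own rule.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

<Directory "/var/www/html/wp-admin">
    # Several Require lines in one section are ORed (implicit RequireAny).
    Require ip 203.0.113.10
    # Loopback, so requests the server makes to its own admin-ajax.php pass.
    Require ip 127.0.0.1
</Directory>

# Require ip tests the connecting address. Behind a CDN or load balancer that
# is the proxy's address unless mod_remoteip restores the client address.
# admin-ajax.php calls made from browsers outside the list are still refused.
```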

Related

How to prevent user access to IP address for a website hosted in GCP?

I have a WordPress website (Bitnami) that's hosted in Google Cloud Platform. The IP address is something like: 33.33.33.33. My domain is hosted on Google Domains and has 2 nameservers pointing to Cloudflare. On the Cloudflare DNS settings, I have 2 A records, one is ftp and the other is something like 'mywebsite.com'. I also have a CNAME which is www mywebsite.com.
I am able to hit the full URL of my website but I also notice I can enter the IP address and it also works and loads the website. Is it possible to prevent access to 33.33.33.33 and only allow the full URL?
Create VPC Firewall Rules that only allow Cloudflare IP addresses.
Consult this document for the current Cloudflare IP list.
Google Cloud VPC firewall rules overview
Note: Cloudflare does not support FTP, so you must point your DNS resource record for FTP to your server's IP address and not through Cloudflare. I recommend that you do not use FTP. Use SSH/SFTP for file transfers. Configure WordPress so that installing plugins, uploading images, etc do not require FTP. FTP is not encrypted which means your login username and password are sent in the clear.

Prevent Google from indexing VM's external IP

My setup:
Bitnami Wordpress
GCP VM
GCP HTTPs Load Balancer
Load Balancer has http to https redirection, www to non-www redirection
Cloud CDN
Main Problem:
The VM's external IP (22.22.22.22) is indexed by Google Search. I'm unable to remove it from Google Search because it is not recognized as a property that belongs to me and the indexed page (http://22.22.22.22/home) is live. http://22.22.22.22/home is resolved to example.com which is a live page.
what I have checked
The domain name and Load Balancer's IP is properly resolved
No new mod_rewrite rules other than those from the default installation
The site does not have any reference to VM's external IP, including database
No cache plugins installed
Wordpress's site address and home address is pointing to http://example.com
what I have done to rectify
I've added 301 redirects which I'm not sure if that helps. It will take some time to check if that works.
My questions
Is there a way to prevent Google from indexing IPs (any IPs in general)?
How to prevent VM's ext. IP from being indexed by Google especially when load balancer is in use?
There is a simple solution but it takes time. Configure the Apache web server to redirect IP-based queries to your domain or return an error. Google Search will eventually notice the redirect and remove the IP address from search queries.
For redirects, use a permanent redirect (301).
301 Moved Permanently
How To Create Temporary and Permanent Redirects with Apache and Nginx
There are WordPress plugins to do the same, but I prefer to configure Apache directly and not add another plugin to a site.
Is there a way to prevent Google from indexing IPs (any IPs in general)?
No, Google can index any site, IP or Hostname based, that is public unless restricted via robots.txt.
Introduction to robots.txt
How to prevent VM's ext. IP from being indexed by Google especially when load balancer is in use?
You can create a VPC Firewall rule that only allows traffic from the load balancer and blocks Internet ingress traffic.
Load Balancer Firewall Rules
Additional information:
Remove a page hosted on your site from Google

AWS Wordpress site accessible using both domain and public IP. How to disable?

My wordpress site is accessible from both the IP address and the domain name.
https://example.com and IP
How to redirect IP address to domain name?
The IP address is also indexed on Google.
Installed using Bitnami marketplace on AWS
It seems this has been discussed in the Bitnami community: https://community.bitnami.com/t/how-to-block-access-ip/61773
Credits to user Jota (Bitnami Engineer):
You need to make 3 changes in the solution to make it work with the domain only:
Change the WordPress configuration file to use your domain
https://docs.bitnami.com/aws/apps/wordpress/administration/configure-domain/
Change the WP database to use that domain
https://docs.bitnami.com/aws/apps/wordpress/administration/update-ip-hostname/ (*)
Change Apache to redirect all the requests to your domain
https://docs.bitnami.com/aws/apps/wordpress/administration/use-single-domain/
(*) This link does not work right now. But this topic is discussed here:
https://community.bitnami.com/t/only-use-dns-name-for-the-website-rather-its-ip-address-for-security/85944
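The Apache redirect suggested in the Google-indexing answer and the last of the three Bitnami steps both come down to answering any request whose Host header is not the domain with a 301 to the domain. An added example (not from the posts or the Bitnami documentation), assuming mod_rewrite is loaded, the site is served as example.com over HTTPS, and /var/www/html is the document root:

```apache
# Added example. example.com, the https:// target and the DocumentRoot are
# assumptions; adjust them to the real site.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot "/var/www/html"

    RewriteEngine On
    # True for every Host header except the canonical names, so a request
    # for http://<server IP>/home matches and is redirected.
    RewriteCond %{HTTP_HOST} !^(www\.)?example\.com(:80)?$ [NC]
    # Keep the path (the query string is carried over automatically) and
    # answer with 301 so crawlers replace the IP-based URL.
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

# If more than one vhost listens on *:80, the first one loaded is the default
# for unknown Host headers, so this vhost has to be that first one.
# A load balancer health check that does not send the domain as its Host
# header will also receive the 301 and may report the backend unhealthy.
```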

How to whitelist URL from NGINX config file?

I would like to be able to whitelist certain IPs in my NGINX config file and deny everything else. This way I can be certain that only the IPs I allow can access my website.
I've already done this and it's working. In the /etc/nginx/sites-available/default file, I've added the following:
server {
    allow ip address; #comment
    allow ip address; #comment
    deny all;
}
The problem we have is that we listen for Shopify webhook notifications to our web app at certain URLs, and Shopify uses various IP addresses for this, 614 found so far and still counting. Whitelisting this many IP addresses without certainty that there will be no more does not look like a solution. But if we can keep open the couple of URLs that Shopify sends notifications to in our web app, that will solve our problem. This way, we don't have to worry about whitelisting the IPs that Shopify uses to send webhook notifications.
So what I am looking for is to keep these couple of URLs open to any IPs. Everything else except for the IPs we whitelist and the URLs we choose to keep open will be blocked.
If this is not possible and there is an alternative solution to this problem, please advise. Thank you.

WordPress and BuddyPress SPAM prevention

I am setting up a site using WordPress and BuddyPress with the Suffusion theme. All up to date. As per usual I have spammers registering and am banning them as they register. I ban their IP number in the .htaccess file.
Then I noticed an IP number was actually coming from my hosting company, and it turned out that it is the shared hosting IP number that my site is on.
So some person is registering numerous times, and the IP number is my shared hosting account IP number. Even though I banned the number, it's still registering. I get the IP numbers from the Wordfence and bp register plugins.
I checked my host web stats on the control panel and it shows 174 visits and 446 hits from that IP number. I have checked the IP number on spam list sites and it does not appear.
My hosting company, who are normally very good, says:
The IP address: xxxxxxxx is a part of the shared hosting server: (name of host) which your website is hosted on. This is not a bot host or visitor IP address. I assume that either your website has some redirection loop or this is a script that is part of your website, such as a cron script or similar.
There should be no point in blocking this IP address as this is not an actual visitor on your website.
What does this mean, how do I stop that IP number coming up on some registrations, and is my script corrupt?
I don't understand why you think that banning the IP address on your .htaccess file would be the best way to prevent people from registering on your site.
Have you tried using any spam prevention measures besides modding your .htaccess file?
http://premium.wpmudev.org/blog/buddypress-spam/
Step 1:
Using the IP blocker in cPanel
Most hosting providers also offer the option to block suspicious IP addresses in WordPress. If you prefer this method, you can block suspicious IPs from your hosting account by following these steps:
Log into your hosting account.
Go to the cPanel and go to the section called Security.
In this section, there should be an option that allows you to block IPs. On Bluehost, the option is called IP Blocker. Other hosting providers may name it something else.
Step 2:
Check your website script; maybe these IP bots are operating from your directory.
Check for any malicious code.
