I want to add protection to my wordpress site by specifing what ip addresses can access the admin dashboard. I've created a .htaccess file in /wp-admin folder and added the code. However it seems that the .htaccess file is being completely ignored. Does anybody know why this is happening.
Code:
order deny,allow
allow from 000.000.000.000 (my ip address)
deny from all
you would need to create a new .htaccess file in your text editor and upload to your wp-admin folder.
For more details please refer the link:
http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp-admin_by_IP
Copy code
order deny,allow
allow from 202.090.21.1 (replace with your IP address)
deny from all
Related
OK, so pls don't kill me, I'm not an expert, yes I have read loads of comments and forums and not sure it would be possible.
I have a WordPress site that is running on litespeed. I have wordfence and ithemes installed and my firewall is turned on, yet somehow a hacker created a .tmp folder with fake png inside containing executable code. The code could not run because of wordfence, but I would like to prevent them from creating the .tmp folder in the first place.
That lead me thinking, is is possible, in my public_html .htaccess, to list my files and folders that in the root directory, and to allow, and to deny all from everything not on the list. Theoretically then they should not be able to create any new file or folder and if they do, it would deny?
Example
Folders on whitelist:
wp-includes
admin
etc.
Files on whitelist:
index.php
wp-config.php
Would look like this
# Deny access to files & subdirectories
Order Allow,Deny
deny from all
<Files *.*>
deny from all
</Files>
# Allow access to files
<Files "index.php,wp-config.php">
Allow from all
Satisfy Any
</Files>
# Allow access to sub directories
<Files wp-includes,admin/*>
Allow from all
Satisfy Any
</Files>
As per #RavinderSingh13's request:
Allow access the these subfolders only:
wp-admin, wp-content, wp-includes
Allow access the these files only:
.htaccess, index.html, index.php, license.txt, readme.html, wp-activate.php, wp-blog-header.php, wp-comments-post.php, wp-config.php, wp-config-sample.php, wp-cron.php, wp-links-opml.php, wp-load.php, wp-login.php, wp-mail.php, wp-settings.php, wp-signup.php, wp-trackback.php, xmlrpc.php
Update:
This will not work as it will not deny sever side execution. A php script can be made to delete files that are not on the whitelist, and then run with a cron every 5 min. Not ideal but it works.
In WordPress my network team restrict wpadmin folder with single ip. So my admin-ajax.php ajax call are 403 forbidden for end user. Is there a solution to allow everyone to access this?
Step 1: restrict Wp-admin folder file wise, and allow admin-ajax file
Step 2: Any another method is available to ajax call without adamin-ajax file
Are any of these possible?
If you want to allow access folder by ip, then please add the below code in .htaccess file.
<Directory /path/to/the/folder>
Options +Indexes
IndexOptions +FancyIndexing
Order deny,allow
Deny from all
Allow from X.X.X.X
</Directory>
For specific File then add the below code
<Files file-name.php>
Order deny,allow
Deny from all
Allow from X.X.X.X
</Files>
I have a domain I use for development purposes. In this domain I have several subdirectories with different wordpress installations.
To hide the whole area I made a simple htpasswd protection in the root.
Now I have one of this Wordpress in the domain that uses timthumb library to resize images, and due to the htpasswd, I get "NetworkError: 400 Bad Request" instead of the image.
This is an example of the request that gets the error
http://subdomain.domain.com/WP/wp-content/plugins/plugin-directory/timthumb.php?src=http%3A%2F%2Fsubdomain.domain.com%2FWP%2Fwp-content%2Fuploads%2F2015%2F01%2F012015_valentines_hp_budvase.jpg&w=300&h=620&zc=1
Is there a way to bypass the protection only for that file?
More details on my paths to better read my .htaccess snippets:
I'm in a subdomain pointed to a subdirectory called 'subdomain_folder'
.htaccess I'm working on is located in 'subdomain_folder'
WP is in a subdirectory called 'WP' inside 'subdomain_folder'
Complete Path to WP: '/home/some-folder/public_html/subdomain_folder/WP
Complete Path to Uploads: '/home/some-folder/public_html/subdomain_folder/WP/wp-content/uploads
I tried this:
SetEnvIf Request_URI "^/WP/wp-content/plugins/plugin-dir/timthumb\.php$" allow
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/some-folder/.htpasswds/public_html/subdomain_folder/passwd"
Require valid-user
Order allow,deny
Allow from env=allow
Satisfy any
UPDATE
Someone adviced me that allowing access to timthumb.php file it's pointless, instead I should allow him to make http requests, or allow full access to uploads folders so, I tried the following, allowing requests from localhost ip
AuthType Basic
AuthName "Reserverd Area"
AuthUserFile "/home/some-folder/.htpasswds/public_html/subdomain_folder/passwd"
Require valid-user
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Satisfy Any
Tried both localhost and 127.0.0.1
I even tried to add another .htaccess in the single WP upload folder (where timthumb asks for images) with rule to allow from any
Satisfy Any
Order Allow,Deny
Allow from all
Still I cant' get images shown, and I keep getting the NetworkError: 400 Bad Request" instead of the image.
Last Detail, the .htaccess in the WP directory is a standard wp htaccess --> pastebin.com/8PRqEYQ2
I Found the solution.
The right way is indeed allowing requests from the server itself, but the localhost IP (127.0.0.1) was not the right adress to allow.
I made a Reverse IP Lookup searching for the domain I'm on, and I used that IP.
This is the .htaccess that works
RewriteEngine On
<IfModule mod_authn_file.c>
AuthName "Restricted Area"
AuthUserFile "/home/path-to-passfile/passwd"
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
# Use your server ip:
Allow from 111.111.111.11
Satisfy Any
</IfModule>
With this rules I can develop apps using timthumb.php in .htpasswd protected directory.
Criticisms and improvements are welcome :)
While accessing my WordPress website, I got directory listing error. I can access the site using http://example.com/index.php but not when I use http://example.com. I also tried put the .htaccess file in the directory. I had following code in my .htaccess file.
#BEGIN WordPress
#END WordPress
DirectoryIndex index.php
I solved it... If any want to change your site path not having access to control panel in your db go to the wp-options table change your site url link to http://www.example.com to the http://www.example.com/index.php
Is it possible to deny an IP from visiting a specific post on my wordpress blog, maybe by specifying the URL of the post?
<Files abc.html>
order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
deny from netzero.net
deny from spaceproxy.com
allow from all
</Files>
You can deny access based upon IP address or an IP block. The above blocks access to the page abc.html from 123.45.6.7, and from any sub domain under the IP block 012.34.5. (012.34.5.1, 012.34.5.2, 012.34.5.3, etc.)
.htaccess files are
a) recursive on subdirectories and
b) cumulative in reverse.
This can be difficult to understand.
-The .htaccess in the root directory applies to everything on the site, because it applies to the subdirectories.
-An .htaccess in a subdirectory can override stuff that the parent .htaccess has set.
-RewriteRules apply in reverse order. That is, the current directory rewrites apply first, then the parents rewrites, and so on.
so why dont you just put these new rules mentioned above in a seperate .htaccess file in the directory which contains the post you want to be protected from a url or an IP.