Is it possible to deny an IP from visiting a specific post on my wordpress blog, maybe by specifying the URL of the post?
<Files abc.html>
order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
deny from netzero.net
deny from spaceproxy.com
allow from all
</Files>
You can deny access based upon IP address or an IP block. The above blocks access to the page abc.html from 123.45.6.7, and from any sub domain under the IP block 012.34.5. (012.34.5.1, 012.34.5.2, 012.34.5.3, etc.)
.htaccess files are
a) recursive on subdirectories and
b) cumulative in reverse.
This can be difficult to understand.
-The .htaccess in the root directory applies to everything on the site, because it applies to the subdirectories.
-An .htaccess in a subdirectory can override stuff that the parent .htaccess has set.
-RewriteRules apply in reverse order. That is, the current directory rewrites apply first, then the parents rewrites, and so on.
so why dont you just put these new rules mentioned above in a seperate .htaccess file in the directory which contains the post you want to be protected from a url or an IP.
Related
OK, so pls don't kill me, I'm not an expert, yes I have read loads of comments and forums and not sure it would be possible.
I have a WordPress site that is running on litespeed. I have wordfence and ithemes installed and my firewall is turned on, yet somehow a hacker created a .tmp folder with fake png inside containing executable code. The code could not run because of wordfence, but I would like to prevent them from creating the .tmp folder in the first place.
That lead me thinking, is is possible, in my public_html .htaccess, to list my files and folders that in the root directory, and to allow, and to deny all from everything not on the list. Theoretically then they should not be able to create any new file or folder and if they do, it would deny?
Example
Folders on whitelist:
wp-includes
admin
etc.
Files on whitelist:
index.php
wp-config.php
Would look like this
# Deny access to files & subdirectories
Order Allow,Deny
deny from all
<Files *.*>
deny from all
</Files>
# Allow access to files
<Files "index.php,wp-config.php">
Allow from all
Satisfy Any
</Files>
# Allow access to sub directories
<Files wp-includes,admin/*>
Allow from all
Satisfy Any
</Files>
As per #RavinderSingh13's request:
Allow access the these subfolders only:
wp-admin, wp-content, wp-includes
Allow access the these files only:
.htaccess, index.html, index.php, license.txt, readme.html, wp-activate.php, wp-blog-header.php, wp-comments-post.php, wp-config.php, wp-config-sample.php, wp-cron.php, wp-links-opml.php, wp-load.php, wp-login.php, wp-mail.php, wp-settings.php, wp-signup.php, wp-trackback.php, xmlrpc.php
Update:
This will not work as it will not deny sever side execution. A php script can be made to delete files that are not on the whitelist, and then run with a cron every 5 min. Not ideal but it works.
In WordPress my network team restrict wpadmin folder with single ip. So my admin-ajax.php ajax call are 403 forbidden for end user. Is there a solution to allow everyone to access this?
Step 1: restrict Wp-admin folder file wise, and allow admin-ajax file
Step 2: Any another method is available to ajax call without adamin-ajax file
Are any of these possible?
If you want to allow access folder by ip, then please add the below code in .htaccess file.
<Directory /path/to/the/folder>
Options +Indexes
IndexOptions +FancyIndexing
Order deny,allow
Deny from all
Allow from X.X.X.X
</Directory>
For specific File then add the below code
<Files file-name.php>
Order deny,allow
Deny from all
Allow from X.X.X.X
</Files>
I am setting up a WordPress site in a subdomain. The subdomain will be in a subdirectory of the main directory.
So http://dl.abc.com will be in the folder /public_html/dl/
Within there is going to be the wp-admin folder when WordPress is installed:
/public_html/dl/wp-admin/
That wp-admin folder we wanted to block anyone trying to access it (or any files/subdirectories contained within) except those users from Australia and Singapore.
Is this the correct way to go about it? (I suspect a caveat is any plugins that make ajax requests by calling admin-ajax.php won't work properly?)
<ifModule mod_geoip.c>
GeoIPEnable On
# Put countries to allow here
SetEnvIf GEOIP_COUNTRY_CODE NZ AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE SG AllowCountry
Deny from all
Allow from env=AllowCountry
</ifModule>
Second question is how can we go about doing the same thing with the wp-login.php file that will be installed within the /public_html/dl/ folder?
Will this work if we put it in the .htaccess file within the /public_html/dl/ directory? Or is there a better way?
<Files "wp-login.php">
<ifModule mod_geoip.c>
GeoIPEnable On
# Put countries to allow here
SetEnvIf GEOIP_COUNTRY_CODE NZ AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE SG AllowCountry
Deny from all
Allow from env=AllowCountry
</ifModule>
</Files>
?
And lastly, I'd like to have a bit of additional "security through obscurity" in that for both examples above I'd rather return the "404 not found" error instead of the denied error.
What's the best way to do that?
Unfortunately we don't have any sort of dev/test server to try things out with first, so want to get this as close to perfect as possible the first time through.
Thank you.
_
htaccess - deny directory based on geolocation
check this url :https://mediatemple.net/community/products/dv/204643270/using-htaccess-rewrite-rules
To answer your second question, according to this page:
https://www.askapache.com/htaccess/using-filesmatch-and-files-in-htaccess/
you can surround other directives with the <Files></Files> or <FilesMatch></FilesMatch> directive:
"The directive limits the scope of the enclosed directives by
filename. It should be matched with a directive. The
directives given within this section will be applied to any object
with a basename (last component of filename) matching the specified
filename. sections are processed in the order they appear in
the configuration file, after the sections and .htaccess
files are read, but before sections. Note that can
be nested inside sections to restrict the portion of the
filesystem they apply to."
So essentially it seems that what you have stated already should work.
We've tried a few things that we found around Google for this, but can't seem to get anything to work.
The Problem
We have a server with around 500 Wordpress websites on it. We're trying to lock down all the wp-login.php pages for every instance to the IP address of our office using a global htaccess - but the individual Wordpress htaccess files are overriding this.
The Environment
We're hosted on an AWS Linux server running Plesk to manage each website / Wordpress instance.
The Question
Is there a way we can set one htaccess file on the server to lock down all of the Wordpress login pages without the individual htaccess files overriding this?
any help or suggestions for a good way to do this, would be appreciated.
Thanks in advance
I assume that you have read up on the RewriteOptions directive. As I explain in Tips for debugging .htaccess rewrite rules and as you have found with WP which generates its own .htaccess files, by default the current path is scanned for .htaccess and the rewrite rules in the lowest are applied unless a higher one specifies a RewriteOptions Inherit in which case it's rules are executed after rules specified in the child scope, and this is the catch-22 in that WP access file generates a [L] flag on all its execution paths preventing the parent rules from firing.
So the answer is to do this with an Apache mechanism other than rewrite and you can use the SetEnvIf directive:
SetEnvIf Remote_Addr "!^192\.168\." forbidden
<Files *>
Order allow,deny
Allow from all
Deny from env=forbidden
</Files>
or
SetEnvIf Remote_Addr "!^192\.168\." forbidden
<Directory /var/www/wproot>
Order allow,deny
Allow from all
Deny from env=forbidden
</Directory>
Clearly you'll need to change the Regexp to your local needs but this should do the biz. The Apache docs give other variants on this, but you should be able to find one which works in your case. Just put this in the a per-virtual server context -- within a Directory(Match) directive if necessary -- or in a common parent directory .htaccess file.
I ended up getting this to work with your first suggestion, but actually without the SetEnvIf line being required, so thanks very much! this was my .htaccess in the /var/www/vhosts folder for anyone else needing this:
<files wp-login.php>
order deny,allow
deny from all
Allow from xxx.xxx.xxx.xxx
</files>
Nice and simple and completely different from the previous routes I was trying to take for this.
I want to add protection to my wordpress site by specifing what ip addresses can access the admin dashboard. I've created a .htaccess file in /wp-admin folder and added the code. However it seems that the .htaccess file is being completely ignored. Does anybody know why this is happening.
Code:
order deny,allow
allow from 000.000.000.000 (my ip address)
deny from all
you would need to create a new .htaccess file in your text editor and upload to your wp-admin folder.
For more details please refer the link:
http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp-admin_by_IP
Copy code
order deny,allow
allow from 202.090.21.1 (replace with your IP address)
deny from all