WordPress.org

Ready to get started?Download WordPress

Forums

Code for htaccess to limit ADMIN by IP (but not subscribers) (8 posts)

  1. Diekleinenic
    Member
    Posted 1 year ago #

    Hi,
    I have a membership site where users that subscribe are automatically categorized as Subscribers and I have limited the amount of control and visibility they have.
    Is there a way to limit ADMIN to the wordpress site by IP Address, but somehow still allow all users that are categorized as subscribers to log in from any ip address?

    I added the code below to my htaccess file, but that doesn't allow my subscribers to log in anymore from their own ip addresses, since it still goes through wp-login.php.

    <files wp-login.php>
    order deny,allow
    deny from all
    # whitelist Your First IP address
    allow from xx.xx.xx.xx
    </files>

    I would really really appreciate some help to figure out if it is possible and if so, HOW, to limit the admin user (as categorized as "admin" in the users list within the admin wordpress panel) to a certain IP address, but still allow all who are categorized as "Subscribers" access from any ip address.

    Thank you in advance.

  2. dc5ala
    Member
    Posted 1 year ago #

    I doubt you can do that with .htaccess. There is no direct relation between user roles and ip addresses. There is no separate login form for admins, which means there is no way to tell whether the current ip address will login as admin or as subscriber.

    The only way i see you could do something like this is, let the user login and when you got the information about the role you can check for ip address and immediately logout the user if it does not match. You could try to hook into 'authenticate' filter and intercept the login procedure. You have to write a few lines of code for this (possible) solution.

  3. Diekleinenic
    Member
    Posted 1 year ago #

    I tried entering this into my htaccess file in the wp-admin subfolder, but that doesn't work

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName “Example Access Control”
    AuthType Basic
    <LIMIT GET>
    order deny,allow
    deny from all
    allow from xxx.xx.xx.xxx
    </LIMIT>

  4. bcworkz
    Member
    Posted 1 year ago #

    As dc5ala suggested, try something along this line: (untested)

    add_filter('authenticate', 'dke_ck_ip', 10, 3);
    //Blocks access to admin users unless from certain IPs. Regular users may be from anywhere.
    function dke_ck_ip($user, $name, $pass) {
    	$allow_ips = array('111.222.123.321', '222.111.123.321', '123.321.111.222'); //list all allowable ips for admin access
    	if (!in_array($_SERVER['REMOTE_ADDR'], $allow_ips) && user_can($name, 'manage_options')) $user = new WP_Error('Access Forbidden', __('<strong>ERROR</strong>: Access Forbidden.'));
    	return $user;
    }
  5. Diekleinenic
    Member
    Posted 1 year ago #

    Before I break anything on my site, please let me know if I should add that to the htaccess file in the root folder or the wp-admin subfolder?
    Pr yet in another place?

    Thank you for your help

  6. dc5ala
    Member
    Posted 1 year ago #

    Code like this you have to add to your themes "functions.php" file. You can find that here: wp-content/themes/<MY-THEME>/functions.php.

  7. MickeyRoush
    Member
    Posted 1 year ago #

    If you still want to use .htaccess you could try this in your wp-admin directory.

    <LIMIT GET POST>
    Order allow,deny
    Allow from 123.456.789.012
    </LIMIT>
    # This is the whitelisting of static files and specific php files
    <FilesMatch "\.(jpe?g|png|gif|css|js)$">
        Order allow,deny
        Allow from all
        Satisfy any
    </FilesMatch>
    <FilesMatch "^(admin-ajax|async-upload)\.php$">
        Order allow,deny
        Allow from all
        Satisfy any
    </FilesMatch>

    There are also plugins that might work, but I've never tried any.

    http://wordpress.org/extend/plugins/wp-block-admin/
    http://wordpress.org/extend/plugins/wp-admin-block/
    http://wordpress.org/extend/plugins/remove-dashboard-access-for-non-admins/
    http://wordpress.org/extend/plugins/st-admin-protection/

  8. moneyonlinetalk
    Member
    Posted 1 year ago #

    Really wonderful, i do appreciate it, i almost blocked robots from accessing [ link removed ]

Topic Closed

This topic has been closed to new replies.

About this Topic