WordPress.org

Support

Support » Plugins and Hacks » Hacks » Code for htaccess to limit ADMIN by IP (but not subscribers)

Code for htaccess to limit ADMIN by IP (but not subscribers)

Viewing 7 replies - 1 through 7 (of 7 total)
  • I doubt you can do that with .htaccess. There is no direct relation between user roles and ip addresses. There is no separate login form for admins, which means there is no way to tell whether the current ip address will login as admin or as subscriber.

    The only way i see you could do something like this is, let the user login and when you got the information about the role you can check for ip address and immediately logout the user if it does not match. You could try to hook into ‘authenticate’ filter and intercept the login procedure. You have to write a few lines of code for this (possible) solution.

    Diekleinenic

    @diekleinenic

    I tried entering this into my htaccess file in the wp-admin subfolder, but that doesn’t work

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName “Example Access Control”
    AuthType Basic
    <LIMIT GET>
    order deny,allow
    deny from all
    allow from xxx.xx.xx.xxx
    </LIMIT>

    Moderator bcworkz

    @bcworkz

    As dc5ala suggested, try something along this line: (untested)

    add_filter('authenticate', 'dke_ck_ip', 10, 3);
    //Blocks access to admin users unless from certain IPs. Regular users may be from anywhere.
    function dke_ck_ip($user, $name, $pass) {
    	$allow_ips = array('111.222.123.321', '222.111.123.321', '123.321.111.222'); //list all allowable ips for admin access
    	if (!in_array($_SERVER['REMOTE_ADDR'], $allow_ips) && user_can($name, 'manage_options')) $user = new WP_Error('Access Forbidden', __('<strong>ERROR</strong>: Access Forbidden.'));
    	return $user;
    }

    Before I break anything on my site, please let me know if I should add that to the htaccess file in the root folder or the wp-admin subfolder?
    Pr yet in another place?

    Thank you for your help

    Code like this you have to add to your themes “functions.php” file. You can find that here: wp-content/themes/<MY-THEME>/functions.php.

    If you still want to use .htaccess you could try this in your wp-admin directory.

    <LIMIT GET POST>
    Order allow,deny
    Allow from 123.456.789.012
    </LIMIT>
    # This is the whitelisting of static files and specific php files
    <FilesMatch "\.(jpe?g|png|gif|css|js)$">
        Order allow,deny
        Allow from all
        Satisfy any
    </FilesMatch>
    <FilesMatch "^(admin-ajax|async-upload)\.php$">
        Order allow,deny
        Allow from all
        Satisfy any
    </FilesMatch>

    There are also plugins that might work, but I’ve never tried any.

    http://wordpress.org/extend/plugins/wp-block-admin/
    http://wordpress.org/extend/plugins/wp-admin-block/
    http://wordpress.org/extend/plugins/remove-dashboard-access-for-non-admins/
    http://wordpress.org/extend/plugins/st-admin-protection/

    Really wonderful, i do appreciate it, i almost blocked robots from accessing [ link removed ]

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Code for htaccess to limit ADMIN by IP (but not subscribers)’ is closed to new replies.
Skip to toolbar