Viewing 7 replies - 1 through 7 (of 7 total)
  • I doubt you can do that with .htaccess. There is no direct relation between user roles and IP addresses. There is no separate login form for admins, which means there is no way to tell whether the current IP address will log in as admin or as subscriber.

    The only way I see you could do something like this is to let the user log in and, when you have the information about the role, check the IP address and immediately log out the user if it does not match. You could try to hook into the ‘authenticate’ filter and intercept the login procedure. You have to write a few lines of code for this (possible) solution.

    Thread Starter Diekleinenic

    (@diekleinenic)

    I tried entering this into my .htaccess file in the wp-admin subfolder, but that doesn’t work:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Example Access Control"
    AuthType Basic
    <LIMIT GET>
    order deny,allow
    deny from all
    allow from xxx.xx.xx.xxx
    </LIMIT>

    Moderator bcworkz

    (@bcworkz)

    As dc5ala suggested, try something along this line: (untested)

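    add_filter('authenticate', 'dke_ck_ip', 30, 3); //priority 30 so this runs after WordPress's own username/password check (priority 20)
    //Blocks access to admin users unless from certain IPs. Regular users may be from anywhere.
    function dke_ck_ip($user, $name, $pass) {
    	$allow_ips = array('111.222.123.321', '222.111.123.321', '123.321.111.222'); //list all allowable ips for admin access
    	//$user is a WP_User only once the credentials have been verified; check the capability on that object, not on the login name
    	if ($user instanceof WP_User && !in_array($_SERVER['REMOTE_ADDR'], $allow_ips, true) && user_can($user, 'manage_options')) {
    		$user = new WP_Error('Access Forbidden', __('<strong>ERROR</strong>: Access Forbidden.'));
    	}
    	return $user;
    }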
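
An added example, not written by anyone in this thread: the same post-login check extended to accept CIDR ranges and IPv6 addresses, meant for a theme's functions.php. The function names `dke_ip_in_cidr` and `dke_admin_ip_gate` and the allowlist values are assumptions made for illustration.

```php
<?php
// Constructed allowlist (documentation ranges); replace with your own addresses.
const DKE_ADMIN_ALLOW = array('203.0.113.7', '203.0.113.128/25', '2001:db8:10::/48');

// True when $ip lies inside $cidr; a bare address means an exact match.
function dke_ip_in_cidr($ip, $cidr) {
	$parts = explode('/', $cidr, 2);
	$addr  = @inet_pton($ip);
	$net   = @inet_pton($parts[0]);
	// Reject unparsable input and IPv4/IPv6 family mismatches.
	if ($addr === false || $net === false || strlen($addr) !== strlen($net)) {
		return false;
	}
	$max = strlen($net) * 8;
	if (isset($parts[1]) && !ctype_digit($parts[1])) {
		return false; // a malformed prefix must never widen the match
	}
	$bits = isset($parts[1]) ? (int) $parts[1] : $max;
	if ($bits > $max) {
		return false;
	}
	$bytes = intdiv($bits, 8);
	$rem   = $bits % 8;
	if (substr($addr, 0, $bytes) !== substr($net, 0, $bytes)) {
		return false;
	}
	if ($rem === 0) {
		return true;
	}
	$mask = (0xFF << (8 - $rem)) & 0xFF;
	return (ord($addr[$bytes]) & $mask) === (ord($net[$bytes]) & $mask);
}

// Runs at priority 30, after core's username/password check at 20, so $user
// is a WP_User only when the credentials were valid. REMOTE_ADDR is the
// direct peer; behind a reverse proxy it is the proxy's address.
function dke_admin_ip_gate($user) {
	if (!($user instanceof WP_User) || !user_can($user, 'manage_options')) {
		return $user; // failed logins and non-admins pass through unchanged
	}
	foreach (DKE_ADMIN_ALLOW as $cidr) {
		if (dke_ip_in_cidr($_SERVER['REMOTE_ADDR'], $cidr)) {
			return $user;
		}
	}
	return new WP_Error('dke_ip_denied', __('<strong>ERROR</strong>: Access Forbidden.'));
}
add_filter('authenticate', 'dke_admin_ip_gate', 30, 1);
```

The filter only gates the login step, so a session cookie issued to an administrator at an allowed address stays valid if it is later presented from elsewhere.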

    Thread Starter Diekleinenic

    (@diekleinenic)

    Before I break anything on my site, please let me know if I should add that to the htaccess file in the root folder or the wp-admin subfolder?
    Or yet in another place?

    Thank you for your help

    Code like this you have to add to your theme's “functions.php” file. You can find that here: wp-content/themes/<MY-THEME>/functions.php.

    If you still want to use .htaccess you could try this in your wp-admin directory.

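    # Only the listed IP may send GET/POST requests to this directory (Apache 2.2 access-control syntax)
    <LIMIT GET POST>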
    Order allow,deny
    Allow from 123.456.789.012
    </LIMIT>
    # This is the whitelisting of static files and specific php files
    <FilesMatch "\.(jpe?g|png|gif|css|js)$">
        Order allow,deny
        Allow from all
        Satisfy any
    </FilesMatch>
    <FilesMatch "^(admin-ajax|async-upload)\.php$">
        Order allow,deny
        Allow from all
        Satisfy any
    </FilesMatch>

    There are also plugins that might work, but I’ve never tried any.

    http://wordpress.org/extend/plugins/wp-block-admin/
    http://wordpress.org/extend/plugins/wp-admin-block/
    http://wordpress.org/extend/plugins/remove-dashboard-access-for-non-admins/
    http://wordpress.org/extend/plugins/st-admin-protection/

    Really wonderful, I do appreciate it, I almost blocked robots from accessing [ link removed ]

  • The topic ‘Code for htaccess to limit ADMIN by IP (but not subscribers)’ is closed to new replies.