.htaccess for WP-admin, WP-login and phpMyAdmin

  • Resolved hifumi

    (@hifumi)


    How do I get .htaccess to work so that when someone tries to visit /wp-admin.php, /wp-login.php and /phpMyAdmin it will display a pop-up asking for username and password before loading the actual login screen?

    As well as changing the URL to something only I know and can access, e.g. /secret, and denying all IPs except mine, e.g. deny all access except xxx.xx.xxx.xx

    For reference, I am using a Google Cloud VM running Debian 9 with Apache2.

  • Thread Starter hifumi

    (@hifumi)

    This is what I have in /etc/apache2/apache2.conf:

    <Directory /var/www>
        Options Indexes FollowSymLinks
        AllowOverride ALL
        Require all granted
        Require valid-user
    </Directory>
    

    I’ve searched and they said to change AllowOverride to ALL instead of None, but there’s also a new line of code, Require valid-user. Do I need to remove this or leave it as it is?

    I’ve modified my .htaccess file too within /var/www/html/ so currently it contains as follows:

    
    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^secret$ https://example.com/wp-login.php [NC,L]
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    

    It doesn’t seem to change the wp-login.php to https://example.com/secret unfortunately.

    Thread Starter hifumi

    (@hifumi)

    So I’ve reverted the .htaccess back to normal in /var/www/html/ and left /etc/apache2/apache2.conf as AllowOverride ALL.
    Here’s another attempt at securing the wp-admin.php by restricting IPs:

    1) Clone a copy of .htaccess from /var/www/html/
    2) Erase and edit the cloned copy of .htaccess with the following in Notepad:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Restricted Access"
    AuthType Basic
    <LIMIT GET>
    order deny,allow
    deny from all
    # whitelist IP address
    allow from xx.xx.xx.xxx
    </LIMIT>

    3) Paste the file into /var/www/html/wp-admin/

    4) Visit /wp-admin using the xx.xx.xx.xxx IP and encounter the error:
    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator at webmaster@localhost to inform them of the time this error occurred, and the actions you performed just before this error. More information about this error may be available in the server error log.

    5) Error log via /var/log/apache2/:
    [Tue Sep 08 06:02:00.672843 2020] [core:alert] [pid 29874] [client xxx.xxx.xxx.xx:60649] /var/www/html/wp-admin/.htaccess: AuthUserFile not allowed here

    How can I enable .htaccess to get it to work in Google Cloud VM, Debian 9, Apache2 Linux?

    Thread Starter hifumi

    (@hifumi)

    I tried to use Htaccess by BestWebSoft to add allow,deny for certain IP addresses, which modifies the .htaccess in /var/www/html/, but it still gives me the same error. Removing it won’t cause an internal error.

    Thread Starter hifumi

    (@hifumi)

    OK, I’ve reverted everything back to how I installed WordPress.

    This time I’ve modified only the .htaccess file to include:

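    # Request path contains wp-login.php, or ends in wp-admin or phpmyadmin ...
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?phpmyadmin$
    # ... and the client address is not the allowed one
    RewriteCond %{REMOTE_ADDR} !^00\.000\.000\.00$
    # "-" leaves the URL unchanged; R=403 answers with 403 Forbidden
    RewriteRule ^(.*)$ - [R=403,L]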
    

    The 00.000.000.00 indicates that only that IP address can access wp-login.php, wp-admin and phpMyAdmin; any other IP address attempting to will be denied, and it’ll display that you do not have permission to access.

    See more documentation regarding phpMyAdmin too:
    https://docs.phpmyadmin.net/en/latest/faq.html#faq1-42

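An added example, not part of the posts above and not taken from WordPress or phpMyAdmin documentation: one way to express the request from the first post (a browser login prompt plus a single allowed address) in Apache 2.4 server configuration instead of .htaccess. The address 203.0.113.10, the password file /etc/apache2/.htpasswd-admin and the phpMyAdmin directory /usr/share/phpmyadmin are assumptions to replace with your own values.

```apache
# Added example, Apache 2.4 syntax, for server or virtual-host configuration.
# Lines placed here are not subject to AllowOverride, unlike .htaccess.
# Assumptions to replace with your own values:
#   203.0.113.10                  allowed client address (documentation range)
#   /etc/apache2/.htpasswd-admin  password file, made with: htpasswd -c FILE USER
#   /usr/share/phpmyadmin         directory phpMyAdmin is served from

# Weak form: sibling Require lines outside a container are combined as
# RequireAny, so "all granted" alone satisfies the check and the browser
# never shows a login prompt.
#
#     Require all granted
#     Require valid-user

# Corrected form: RequireAll demands the allowed address AND a valid login.
<Directory /var/www/html/wp-admin>
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /etc/apache2/.htpasswd-admin
    <RequireAll>
        Require ip 203.0.113.10
        Require valid-user
    </RequireAll>
</Directory>

# Same policy for the login script under the WordPress root.
<Directory /var/www/html>
    <Files "wp-login.php">
        AuthType Basic
        AuthName "Restricted Access"
        AuthUserFile /etc/apache2/.htpasswd-admin
        <RequireAll>
            Require ip 203.0.113.10
            Require valid-user
        </RequireAll>
    </Files>
</Directory>

# Same policy for phpMyAdmin (directory path is an assumption, see above).
<Directory /usr/share/phpmyadmin>
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /etc/apache2/.htpasswd-admin
    <RequireAll>
        Require ip 203.0.113.10
        Require valid-user
    </RequireAll>
</Directory>
```

Run `apache2ctl configtest` before reloading Apache. Basic authentication sends the password only base64-encoded, so these paths should be served over HTTPS only.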