Support » Fixing WordPress » htaccess to restrict access to single WP page by IP

  • Hi,

    I need to restrict a single page in WordPress by user IP and I understand that htaccess is the way to do this. Private or Password Page visibility in WP is not suitable in this particular case. Basically I need seamless access to this page for users in my office, but block everyone else. The rest of the website is public.

    I can block all of wp-login or wp-admin (there are are lots of example of this), but can’t find the right syntax for a single “normal” page in WP. (All examples I can find are for static html pages, but in WP this doesn’t work)

    Here’s what I’m trying (example is for page https://myurl/secret/ restricted to two IPs)

    # BEGIN Whitelist for secret page
    RewriteEngine on
    RewriteBase /
    RewriteCond %{REQUEST_URI} ^(.*)?secret\.php(.*)$
    RewriteCond %{REMOTE_ADDR} !^86\.26\.215\.164$
    RewriteCond %{REMOTE_ADDR} !^81\.187\.29\.134$
    RewriteRule ^(.*)$ - [R=403,L]
    # END Whitelist for secret page

    This is based on examples I found, but I will freely admit that I don’t understand all the switches etc..

    I’d be grateful for any help specifically on how to address a single WP page, which as I understand it is not a “file” in this context (unlike a static html page).

    Many thanks,
    Paul

    • This topic was modified 1 week, 5 days ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not an Everything else WordPress topic
    • This topic was modified 1 week, 5 days ago by Steve Stern.
Viewing 1 replies (of 1 total)
  • If your WordPress site is using permalinks, most likely the REQUEST_URI won’t be a file extension. It will be a word or more in a word/letter format. For example, if the name of the page is “Sample Page” the directives might look like (just look at what is being displayed in the URL):

    # BEGIN Whitelist for secret page
    RewriteEngine on
    RewriteBase /
    RewriteCond %{REQUEST_URI} sample-page [NC]
    RewriteCond %{REMOTE_ADDR} !^86\.26\.215\.164$ [OR]
    RewriteCond %{REMOTE_ADDR} !^81\.187\.29\.134$
    RewriteRule ^ - [F]
    # END Whitelist for secret page

    A couple of things that I updated. When including multiple IP Addresses to whitelist, you need to include the “[OR]” condition flag. Otherwise the parser will by default assume that you meant “and” instead of “or”. So it will assume both IP Addresses must be met at the same time, which I don’t think is even possible with HTTP(S). So the “[OR]” flag needs to be there. And the “[NC]” means case insensitive.

    And for the RewriteRule, you don’t need all of that. Everything begins somewhere, so all you need is “^” and the “[F]” flag implies all of what was there previously.

    You might also try using {THE_REQUEST} variable instead of the {REQUEST_URI} variable. As I find it’s more powerful and useful in some instances. So that change would make it look like so:

    # BEGIN Whitelist for secret page
    RewriteEngine on
    RewriteBase /
    RewriteCond %{THE_REQUEST} sample-page [NC]
    RewriteCond %{REMOTE_ADDR} !^86\.26\.215\.164$ [OR]
    RewriteCond %{REMOTE_ADDR} !^81\.187\.29\.134$
    RewriteRule ^ - [F]
    # END Whitelist for secret page

    Also, if you place this after the WordPress stanza (for the permalinks/pretty links), which is recommended, you shouldn’t need to tell the server to turn on the RewriteEngine again, nor include the rewritebase directive.

    So even more simplified, it would look like:

    # BEGIN Whitelist for secret page
    RewriteCond %{THE_REQUEST} sample-page [NC]
    RewriteCond %{REMOTE_ADDR} !^86\.26\.215\.164$ [OR]
    RewriteCond %{REMOTE_ADDR} !^81\.187\.29\.134$
    RewriteRule ^ - [F]
    # END Whitelist for secret page
Viewing 1 replies (of 1 total)
  • You must be logged in to reply to this topic.