Support » Localhost Installs » restrict access to wp-admin/

  • diggy69

    (@diggy69)


    We will be using WordPress for our public website and would like to restrict access to the administration pages to our internal IP addresses.

    Can I apply Apache’s “Require ip” directive to the “wp-admin/” directory without adversely affecting normal website operations?

    A prompt response is greatly appreciated. In advance, thank you.

Viewing 4 replies - 1 through 4 (of 4 total)
  • ronnybadilla

    (@ronnybadilla)

    Hey @diggy69

    Yes, you can set that kind of configuration in your .htaccess without any affectation, this is a sample code you can start using to play around:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "WordPress Admin Access Control"
    AuthType Basic
    <LIMIT GET>
    order deny,allow
    deny from all
    # whitelisted IP addresses
    allow from xx.xx.xx.xxx
    allow from xx.xx.xx.xxx
    </LIMIT>

    Things to consider:
    – As showed in the sample, there’s no need to create user/password combination, since you only want to limit the access of the administrative area to certain ip addresses.
    – Please don’t forget to replace xx’s with your public ip addresses you want to whitelist.

    In addition, I found this article you can read, it shows you 11 tips to protect the administrative area (including the .htaccess configuration you’re evaluating, as part of the tips).

    Dion

    (@diondesigns)

    The wp-admin/admin-ajax.php file is used on the frontend, and other files may be used as well by various plugins/themes. So be careful when restricting the /wp-admin directory!

    Thread Starter diggy69

    (@diggy69)

    Hmm. Okay. How about if I just restrict access to admin.php, index.php, menu.php, and whichever .php is responsible for handling admin login in the wp-admin/ directory? If someone can’t log into the administrative site, restricting access to the other pages like edit.php and users.php wouldn’t be necessary, right? Anything I’m overlooking or possibly overthinking it?

    “No such thing as too much security” is my motto. LOL. Just kidding, but you get the idea.

    Dion

    (@diondesigns)

    I believe that admin logins are handled by the wp-login.php file on the frontend. If you are not allowing anyone other than your internal staff to access the WordPress admin/profile area, then that is the file you should restrict. This has the side-benefit of mitigating brute-force attacks on wp-login.php, which unfortunately is a very common occurrence.

    Otherwise, your idea of restricting all .php files in the base /wp-admin directory other than admin-ajax.php would probably work. If you’re fluent in PHP, a better solution is some code added to wp-config.php that does the IP check if the WP_ADMIN constant is defined and set to true.

Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.