0

We've tried a few things that we found around Google for this, but can't seem to get anything to work.

The Problem

We have a server with around 500 WordPress websites on it. We're trying to lock down all the wp-login.php pages for every instance to the IP address of our office using a global htaccess - but the individual WordPress htaccess files are overriding this.

The Environment

We're hosted on an AWS Linux server running Plesk to manage each website / WordPress instance.

The Question

Is there a way we can set one htaccess file on the server to lock down all of the WordPress login pages without the individual htaccess files overriding this?

Any help or suggestions for a good way to do this would be appreciated.

Thanks in advance

ST-NEIL

2 Answers

0

I assume that you have read up on the `RewriteOptions` directive. As I explain in Tips for debugging .htaccess rewrite rules, and as you have found with WP, which generates its own `.htaccess` files, by default the current path is scanned for `.htaccess` files and the rewrite rules in the lowest are applied unless a higher one specifies `RewriteOptions Inherit`, in which case its rules are executed after rules specified in the child scope. This is the catch-22: the WP access file generates a `[L]` flag on all its execution paths, preventing the parent rules from firing.

So the answer is to do this with an Apache mechanism other than rewrite and you can use the SetEnvIf directive:

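```apache
# SetEnvIf takes a plain regex; a leading "!" does not negate it,
# so a negative lookahead is used to match addresses outside 192.168.x.x
SetEnvIf Remote_Addr "^(?!192\.168\.)" forbidden
<Files *>
  Order allow,deny
  Allow from all
  Deny from env=forbidden
</Files>
```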

or

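```apache
# SetEnvIf takes a plain regex; a leading "!" does not negate it,
# so a negative lookahead is used to match addresses outside 192.168.x.x
SetEnvIf Remote_Addr "^(?!192\.168\.)" forbidden
<Directory /var/www/wproot>
  Order allow,deny
  Allow from all
  Deny from env=forbidden
</Directory>
```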

Clearly you'll need to change the Regexp to your local needs but this should do the biz. The Apache docs give other variants on this, but you should be able to find one which works in your case. Just put this in a per-virtual-server context -- within a `Directory(Match)` directive if necessary -- or in a common parent directory `.htaccess` file.

TerryE
  • Thanks for this. I can't seem to take and I was trying to get it to work in all sites using a wildcard like this: `SetEnvIf Remote_Addr "!^192\.168\." forbidden Order allow,deny Allow from all Deny from env=forbidden` which was throwing a 500 error. Is it possible to cover all sites at once in a scenario like this? – ST-NEIL Dec 04 '14 at 14:11
0

I ended up getting this to work with your first suggestion, but actually without the SetEnvIf line being required, so thanks very much! This was my .htaccess in the /var/www/vhosts folder, for anyone else needing this:

```apache
<files wp-login.php>
  order deny,allow
  deny from all
  Allow from xxx.xxx.xxx.xxx
</files>
```

Nice and simple and completely different from the previous routes I was trying to take for this.

ST-NEIL
  • My bad, I forgot that `Allow from` is more flexible than a bare IP. It will also allow a partial IP address, a domain name (either fully qualified or partial) or a list thereof. Many paths to a solution :) – TerryE Dec 04 '14 at 17:17
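
A follow-up check for the setup discussed in this thread, added here as an example and not part of either answer: with one central rule in the vhosts folder, this script lists every per-site `.htaccess` that carries its own access-control directives so each can be reviewed against that rule. The function names, the sample tree and the address `203.0.113.10` are constructed for illustration; point `audit_htaccess_access_rules` at your real vhosts root instead.

```bash
#!/usr/bin/env bash
# Added example: audit per-site .htaccess files below a shared vhosts root.
# Assumption: the central rule sits in "$root/.htaccess"; anything deeper
# belongs to an individual site. All paths and the IP below are constructed.

# Print file:line:text for every access-control directive found in a
# per-site .htaccess, so each hit can be reviewed against the central rule.
audit_htaccess_access_rules() {
  local root=$1
  # Apache 2.2 (Order/Allow/Deny/Satisfy) and 2.4 (Require) directives;
  # -i because Apache directive names are case-insensitive.
  local pattern='^[[:space:]]*(order|allow[[:space:]]+from|deny[[:space:]]+from|satisfy|require)[[:space:]]'
  # -mindepth 2 skips the central file; "\;" keeps find's exit status 0
  # when a file simply has no match.
  find "$root" -mindepth 2 -type f -name .htaccess \
    -exec grep -EinH "$pattern" {} \;
}

# Count WordPress installs (directories holding wp-login.php) under the root.
count_wp_installs() {
  find "$1" -type f -name wp-login.php | wc -l | tr -d ' '
}

# Build a small constructed tree so the audit can be tried offline.
make_sample_tree() {
  local root a b
  root=$(mktemp -d)
  a="$root/site-a.example/httpdocs"; b="$root/site-b.example/httpdocs"
  mkdir -p "$a" "$b"
  touch "$a/wp-login.php" "$b/wp-login.php"
  printf '<Files wp-login.php>\n  Order deny,allow\n  Deny from all\n  Allow from 203.0.113.10\n</Files>\n' > "$root/.htaccess"
  # site-a: rewrite rules only, nothing to review
  printf 'RewriteEngine On\nRewriteRule . /index.php [L]\n' > "$a/.htaccess"
  # site-b: ships its own access rule for the login page
  printf '<Files wp-login.php>\n  Allow from all\n</Files>\n' > "$b/.htaccess"
  printf '%s\n' "$root"
}

sample=$(make_sample_tree)
echo "WordPress installs found: $(count_wp_installs "$sample")"
audit_htaccess_access_rules "$sample"
rm -rf "$sample"
```

An empty result means no per-site file declares access rules of its own; any line printed names the file and line number to inspect.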