Dev Notes

Various Cheat Sheets and Resources by David Egan/Carawebs.

Control File Access by IP in Apache 2.4


Apache, Security, Sysadmin
David Egan

Denying access to wp-login.php for all but a set of whitelisted IP can be a good way of enhancing site security - provided that the client has a fixed IP address.

We typically add such access controls within a .htaccess file in the document root of a project, leaving login access for our own IP address and that of the site owner.

You might occasionally need to temporarily whitelist an additional IP address, but this is easy to do.

Restricting access by IP address is no substitute for a proper username/password policy - but it may be a useful additional layer, since would-be attackers don’t even get a chance to knock on the door.

Under Apache 2.2, you could use these directives within a .htaccess file:

# ==============================================================================
# Whitelisted IP access for wp-login.php
# ==============================================================================
<files wp-login.php>
order deny,allow
deny from all

# whitelist Your First IP address
allow from xxx.xxx.xxx.xxx
# whitelist Your Second IP Address
allow from xxx.xxx.xxx.xxx
# whitelist Your Third IP Address
allow from xxx.xxx.xxx.xxx

</files>

# ==============================================================================
# Protect specified files from direct access
# ==============================================================================
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|install\.php|php\.info|readme\.html|bb-config\.php|\.htaccess|\.htpasswd|readme\.txt|timthumb\.php|error_log|error\.log|PHP_errors\.log|\.svn)">
Deny from all
</FilesMatch>

Whilst the Allow, Order, and Deny directives still work in Apache 2.4, they are deprecated:

The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use.

-Apache 2.4 Documentation

Unfortunately, there is not a lot of literature on how to properly set up such restrictions on Apache 2.4 - without relying on mod_access_compat.

Deny Access Completely

In Apache 2.2:

Order deny,allow
Deny from all

In Apache 2.4 this becomes:

Require all denied

Restrict Access by IP address: Comparison of Apache 2.2 and 2.4

Allow from a particular IP in Apache 2.2:

Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx

Allow from a particular IP in Apache 2.4:

Require ip xxx.xxx.xxx.xxx

TL;DR Restrict Access Apache 2.4

# ==============================================================================
# Restrict access to WordPress login page by IP
# See: http://httpd.apache.org/docs/2.4/mod/core.html#files
# ==============================================================================
<Files "wp-login.php">
    Require ip 123.123.123.123
</Files>

If you have full access to Apache config on your server, you can enable these directives for all virtual hosts by adding them to the Apache config file:

sudo nano /etc/apache2/conf-enabled/security.conf

Resources


comments powered by Disqus