Control File Access by IP in Apache 2.4
Apache, Security, Sysadmin
Denying access to wp-login.php for all but a set of whitelisted IP addresses can be a good way of enhancing site security - provided that the client has a fixed IP address.
We typically add such access controls within a .htaccess file in the document root of a project, leaving login access for our own IP address and that of the site owner.
You might occasionally need to temporarily whitelist an additional IP address, but this is easy to do.
Restricting access by IP address is no substitute for a proper username/password policy - but it may be a useful additional layer, since would-be attackers don’t even get a chance to knock on the door.
Under Apache 2.2, you could use these directives within a .htaccess file:
Whilst the Allow, Order, and Deny directives still work in Apache 2.4, they are deprecated:
The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use.
Unfortunately, there is not a lot of literature on how to properly set up such restrictions on Apache 2.4 - without relying on mod_access_compat.
Deny Access Completely
In Apache 2.2:
In Apache 2.4 this becomes:
Restrict Access by IP address: Comparison of Apache 2.2 and 2.4
Allow from a particular IP in Apache 2.2:
Allow from a particular IP in Apache 2.4:
TL;DR Restrict Access Apache 2.4
If you have full access to Apache config on your server, you can enable these directives for all virtual hosts by adding them to the Apache config file:
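An added example, not taken from the original post: the deprecated Apache 2.2 form of an IP restriction on wp-login.php beside its Apache 2.4 equivalent, plus a deny-all block. The IP addresses are placeholders from the documentation ranges and the file name `private-notes.txt` is hypothetical.

```apache
# Added example. Addresses are placeholders from the documentation ranges
# (203.0.113.0/24, 198.51.100.0/24); substitute your own fixed IPs.

# --- Apache 2.2 style: works on 2.4 only via mod_access_compat (deprecated) ---
# In .htaccess these directives need "AllowOverride Limit".
#
# <Files "wp-login.php">
#     Order deny,allow
#     Deny from all
#     Allow from 203.0.113.10
# </Files>

# --- Apache 2.4 style: mod_authz_core / mod_authz_host ---
# In .htaccess, Require needs "AllowOverride AuthConfig" on the directory,
# otherwise the request fails with a 500 instead of being restricted.
<Files "wp-login.php">
    # Several addresses or CIDR ranges on one "Require ip" line are ORed:
    # a request from any listed address is allowed, everything else gets 403.
    Require ip 203.0.113.10 198.51.100.0/24
</Files>

# Deny access completely (hypothetical file name).
# 2.2 equivalent was: Order deny,allow / Deny from all
<Files "private-notes.txt">
    Require all denied
</Files>

# Do not keep Order/Allow/Deny lines in the same block as Require:
# mixing the old and new directives is discouraged by the Apache
# documentation and makes the effective policy hard to reason about.
```

Require ip matches the address of the connecting peer, so behind a reverse proxy or load balancer every request appears to come from the proxy unless mod_remoteip is configured. After deploying, request wp-login.php from an address that is not listed and confirm the response is 403.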
Resources
- One of the rare useful guides on access control in Apache 2.2 vs 2.4
- Apache 2.4 docs
- Apache 2.4 Require directive - maybe it’s because it’s Friday night after a long week, but this page made my brain hurt…
- A better resource on the Require directive
- <Files> Directive
- <FilesMatch> Directive
- Options directive