Control File Access by IP in Apache 2.4
Apache, Security, Sysadmin
Denying access to wp-login.php for all but a set of whitelisted IP can be a good way of enhancing site security - provided that the client has a fixed IP address.
We typically add such access controls within a .htaccess file in the document root of a project, leaving login access for our own IP address and that of the site owner.
You might occasionally need to temporarily whitelist an additional IP address, but this is easy to do.
Restricting access by IP address is no substitute for a proper username/password policy - but it may be a useful additional layer, since would-be attackers don’t even get a chance to knock on the door.
Under Apache 2.2, you could use these directives within a .htaccess file:
# ==============================================================================
# Whitelisted IP access for wp-login.php
# ==============================================================================
<files wp-login.php>
order deny,allow
deny from all
# whitelist Your First IP address
allow from xxx.xxx.xxx.xxx
# whitelist Your Second IP Address
allow from xxx.xxx.xxx.xxx
# whitelist Your Third IP Address
allow from xxx.xxx.xxx.xxx
</files>
# ==============================================================================
# Protect specified files from direct access
# ==============================================================================
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|install\.php|php\.info|readme\.html|bb-config\.php|\.htaccess|\.htpasswd|readme\.txt|timthumb\.php|error_log|error\.log|PHP_errors\.log|\.svn)">
Deny from all
</FilesMatch>Whilst the Allow, Order, and Deny directives still work in Apache 2.4, they are deprecated:
The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use.
Unfortunately, there is not a lot of literature on how to properly set up such restrictions on Apache 2.4 - without relying on mod_access_compat.
Deny Access Completely
In Apache 2.2:
Order deny,allow
Deny from allIn Apache 2.4 this becomes:
Require all deniedRestrict Access by IP address: Comparison of Apache 2.2 and 2.4
Allow from a particular IP in Apache 2.2:
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxxAllow from a particular IP in Apache 2.4:
Require ip xxx.xxx.xxx.xxxTL;DR Restrict Access Apache 2.4
# ==============================================================================
# Restrict access to WordPress login page by IP
# See: http://httpd.apache.org/docs/2.4/mod/core.html#files
# ==============================================================================
<Files "wp-login.php">
Require ip 123.123.123.123
</Files>If you have full access to Apache config on your server, you can enable these directives for all virtual hosts by adding them to the Apache config file:
sudo nano /etc/apache2/conf-enabled/security.confResources
- One of the rare useful guides on access control in Apache 2.2 vs 2.4
- Apache 2.4. docs
- Apache 2.4 Require directive - maybe it’s because it’s Friday night after a long week, but this page made my brain hurt…
- A better resource on the Require directive
- <Files> Directive
- <FilesMatch> Directive
- Options directive
comments powered by Disqus