How to limit webpage access by a specific IP address

How to limit webpage access by a specific IP address

Mon 15 April 13 Comments are Closed

There are times for security reasons when you might want to limit access to a specific file or directory by IP address.  One reason to do this would be to protect your WordPress installation, by limiting access to the wp-login.php script.  Adding the following to your webpage root .htaccess file and it will limit access to the wp-login script to a single IP address:

(ensuring you replace 100.100.100.101 with your own IP address)

<FilesMatch "^wp-login.php$">
	Order Deny,Allow
	Allow from 100.100.100.101
	Deny from all
</FilesMatch>

Or to protect the administrator login page for Joomla instead of WordPress add:

<FilesMatch "^administrator/index.php$">
	Order Deny,Allow
	Allow from 100.100.100.101
	Deny from all
</FilesMatch>

Additionally you can protect all files within a specific directory by putting the .htaccess file in the directory (for example /wp-admin/ directory in the case of WordPress) you want to protect with the following:

Order Deny,Allow
Deny from all
Allow from 100.100.100.100
  • Optional: You can enter partial IP Addresses, such as, 100.100.100. This allows access to a range of addresses.
  • Optional: You can add multiple addresses by separating them with comma’s.
100.100.100.101, 100.100.100.102

You can also accomplish the above by using rewrite rules inside the .htaccess file, for example:

Single IP address access

To allow access from a single IP address, replace 123\.123\.123\.123 with your own IP address:

RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
 RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
 RewriteRule ^(.*)$ - [R=403,L]

Multiple IP address access

To allow access from multiple IP addresses, replace 123\.123\.123\.xxx with your own IP addresses:

RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
 RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
 RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
 RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
 RewriteRule ^(.*)$ - [R=403,L]

If your IP address changes, or you have a very large amount of possible IPs you’re connecting from, you can protect your WordPress site by only allowing login requests coming directly from your domain name. Simply replace example\.com with your own domain name

RewriteCond %{REQUEST_METHOD} POST
 RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com[NC]
 RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
 RewriteRule ^(.*)$ - [F]

 

Rate This Entry:
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...
Share
Categories
Tags
  • There are no tags for this post
lance

back to top
×