
We’ve tried a few things that we found around Google for this, but can’t seem to get anything to work.

The Problem

We have a server with around 500 WordPress websites on it. We’re trying to lock down all the wp-login.php pages for every instance to the IP address of our office using a global htaccess – but the individual WordPress htaccess files are overriding this.

The Environment

We’re hosted on an AWS Linux server running Plesk to manage each website / WordPress instance.

The Question

Is there a way we can set one htaccess file on the server to lock down all of the WordPress login pages without the individual htaccess files overriding this?


Any help or suggestions for a good way to do this would be appreciated.

Thanks in advance

2 Answers


  1. Chosen as BEST ANSWER

    I ended up getting this to work with your first suggestion, but actually without the SetEnvIf line being required, so thanks very much! This was my .htaccess in the /var/www/vhosts folder for anyone else needing this:

    <files wp-login.php>
      order deny,allow
      deny from all
      Allow from xxx.xxx.xxx.xxx
    </files>
    

    Nice and simple and completely different from the previous routes I was trying to take for this.


  2. I assume that you have read up on the RewriteOptions directive. As I explain in Tips for debugging .htaccess rewrite rules, and as you have found with WP, which generates its own .htaccess files, by default the current path is scanned for .htaccess and the rewrite rules in the lowest are applied unless a higher one specifies a RewriteOptions Inherit, in which case its rules are executed after rules specified in the child scope, and this is the catch-22 in that WP access file generates a [L] flag on all its execution paths, preventing the parent rules from firing.

    So the answer is to do this with an Apache mechanism other than rewrite and you can use the SetEnvIf directive:

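    # SetEnvIf cannot negate its regex with "!"; a negative lookahead marks every address outside 192.168.
    SetEnvIf Remote_Addr "^(?!192\.168\.)" forbidden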
    <Files *>
      Order allow,deny
      Allow from all
      Deny from env=forbidden
    </Files> 
    

    or

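    # SetEnvIf cannot negate its regex with "!"; a negative lookahead marks every address outside 192.168.
    SetEnvIf Remote_Addr "^(?!192\.168\.)" forbidden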
    <Directory /var/www/wproot>
      Order allow,deny
      Allow from all
      Deny from env=forbidden
    </Directory> 
    

    Clearly you’ll need to change the Regexp to your local needs but this should do the biz. The Apache docs give other variants on this, but you should be able to find one which works in your case. Just put this in a per-virtual server context — within a Directory(Match) directive if necessary — or in a common parent directory .htaccess file.
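
A review aid for the override problem raised in the question, added here as an example and not part of either answer: it walks a vhosts tree and lists the per-site .htaccess files that carry their own access-control directives for wp-login.php, so those sites can be checked against the parent restriction. The line patterns are heuristics, and the sample tree (`site-a`, `site-b`, the documentation address 203.0.113.10) is constructed for the example.

```python
import os
import re
import tempfile

# Heuristic line patterns: assumptions of this example, not a full Apache parser.
FILES_OPEN = re.compile(r"\s*<\s*Files(Match)?\s+[^>]*wp-login", re.I)
FILES_CLOSE = re.compile(r"\s*<\s*/\s*Files(Match)?\s*>", re.I)
ACCESS = re.compile(r"\s*(Order|Allow|Deny|Require|Satisfy)\b", re.I)

# Constructed sample files; 203.0.113.10 is a documentation address.
GLOBAL_RULE = ("<Files wp-login.php>\nOrder deny,allow\nDeny from all\n"
               "Allow from 203.0.113.10\n</Files>\n")
WP_DEFAULT = "# BEGIN WordPress\nRewriteRule . /index.php [L]\n# END WordPress\n"
SITE_OVERRIDE = "<Files wp-login.php>\nOrder allow,deny\nAllow from all\n</Files>\n"


def find_overrides(vhosts_root):
    """Return (path, line number, directive) for access-control lines inside a
    wp-login <Files>/<FilesMatch> section of any .htaccess below vhosts_root.
    The .htaccess directly in vhosts_root is the global policy and is skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(vhosts_root):
        if ".htaccess" not in files or os.path.samefile(dirpath, vhosts_root):
            continue
        path = os.path.join(dirpath, ".htaccess")
        in_section = False
        with open(path, encoding="utf-8", errors="replace") as fh:
            for number, line in enumerate(fh, 1):
                if FILES_OPEN.match(line):
                    in_section = True
                elif FILES_CLOSE.match(line):
                    in_section = False
                elif in_section and ACCESS.match(line):
                    findings.append((path, number, line.strip()))
    return sorted(findings)


def build_sample_tree(root):
    """Write the constructed sample: global policy, clean site, overriding site."""
    samples = {".": GLOBAL_RULE, "site-a": WP_DEFAULT, "site-b": SITE_OVERRIDE}
    for rel, text in samples.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, ".htaccess"), "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, number, directive in find_overrides(tmp):
            print(f"{path}:{number}: {directive}")
```

On a real server, call `find_overrides("/var/www/vhosts")` and review each reported file by hand; an empty result only means no per-site file matched these patterns.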
