I have a few websites which use the following code to restrict the admin area. So far have not found a better solution than this.
##> COMMENT - WordPress Admin Area Passwords
location ^~ /wp-admin/ {
auth_basic "Restricted Access";
auth_basic_user_file /home/bea/panel/security/.htpasswd;
location ~ .php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm-website123.com.sock;
}
}
We are using a plug-in that allows users to see and under construction page but provides a login to allow website owner to view their website while it is being built. Have a look at the image below.
As you can see below the user is prompted to fill in a password to access the website but also they are prompted to fill in the username and password to access the admin area. this pop-up only comes up when the user has put in a password to access the website and clicks on "Access the site".
After contacting the plug-in creator, they suggested to exclude wp-admin/admin-ajax.php
?
Or is there a better practice to follow. I have noticed from time to time that some plug-ins require access to the admin area to function correctly.
I may have found a solution:
##> COMMENT – WordPress Admin Area Password, usally for LIVE sites
location /wp-admin {
location ~ /wp-admin/admin-ajax.php$
{
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm-WEBSITE.tv.com.sock;
}
location ^~ /wp-admin/ {
auth_basic "Restricted Access";
auth_basic_user_file /home/user/panel/security/._htpasswd;
}
location ~ .php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm-WEBSITE.tv.sock;
}
}
I just want somebody to validate the code above and check that it is secure? I’m still willing to offer a bounty to validate its level of security.
2
Answers
After playing around for many hours I have found a working solution but I am not quite sure if it is secure?
But it is a working solution
I think something like below should do the job for you