
Limiting the access to /wp-admin/ for the whole server

RTGHM

New Member
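Just some of the many ways to do this:

If doing a directory, then just add lines like Allow from x.x.x.x (replace x.x.x.x with the IP address), etc.

OPTION 1: PREVENT DIRECTORY BROWSING

# Turn off automatic directory listings
Options -Indexes

OPTION 2:

IF YOU HAVE SPECIFIC FILES:

NOTE: you'll want to change the .php part - this is just an example

# Deny every request for files whose name ends in .php
<Files ~ "\.php$">
    Order allow,deny
    Deny from all
</Files>

OPTION 3:

IF DIRECTORY:

# Server or virtual-host config only; <Directory> is not valid in .htaccess
<Directory ~ "/wp-admin">
    Order allow,deny
    Deny from all
</Directory>

OR

# Answer 403 Forbidden for any path containing wp-admin/
RewriteEngine On
RewriteRule ^(.*/)?wp-admin/ - [F,L]

OR

# Answer 404 for /wp-admin and everything below it
RedirectMatch 404 /wp-admin(/|$)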
 

k0nsl

Bad Goy
What HTTPd are you running, to begin with?  :)

[EDIT]

Never mind. Apache, obviously.  :blush:
 

SentinelTower

New Member
> nginx for static and the dynamic is forwarded to apache

Hi,

What is your nginx configuration?

You should be able to create a location block which should look like this (I am unsure about the regex):

location ~ /wp-admin {
    allow YOUR_IP;
    deny all;
}
 

SentinelTower

New Member
Well you can try this block (quick and dirty) under your "location / { ... }" block:

Code:
location ~ /wp-admin {
    allow YOUR_IP;
    deny all;

    proxy_pass      http://%ip%:%web_port%;
    location ~* ^.+\.(%proxy_extentions%)$ {
        root           %docroot%;
        access_log     /var/log/httpd/domains/%domain%.log combined;
        access_log     /var/log/httpd/domains/%domain%.bytes bytes;
        expires        max;
        try_files      $uri @fallback;
    }
}
 

RTGHM

New Member
Alternatively, you can just do a PHP script that loops through every folder and sub-folder, looks for wp-admin, and if it finds wp-admin, it changes directory and writes a .htaccess to allow just your IP in, deny everyone else, etc. (not a good idea though)
 

Greg

New Member
thanks dude! That looks like a great, simple and quick way to solve this otherwise huge issue.

Are there any drawbacks to it since you mentioned dirty?
 

SentinelTower

New Member
Well, there is probably a way to do it without repeating the inner location block, but if the regex is correct this is probably a cleaner way than a .htaccess or a PHP script
 

Greg

New Member
well after adding it i rebuilt the conf for one of the sites and when i tried to restart nginx i got

 service nginx start
nginx: [emerg] "location" directive is not allowed here in /home/admin/conf/web/nginx.conf:1915

seems that's where it adds the confs for all the sites

even reverting to the original template couldn't really fix it so i'm restoring a backup right now because everything is down :)
 
 

Greg

New Member
it actually works

in the hurry i've missed that you've missed a bracket :)

here is the whole template for anyone else that might need solution to this problem


server {
    listen      %ip%:%proxy_port%;
    server_name %domain_idn% %alias_idn%;
    error_log   /var/log/%web_system%/domains/%domain%.error.log error;

    location / {
        # Only localhost may reach the WordPress login page
        location ~ wp-login\.php {
            allow 127.0.0.1;
            deny all;
            # proxy_pass is not inherited by nested locations
            proxy_pass http://%ip%:%web_port%;
        }

        proxy_pass http://%ip%:%web_port%;
        location ~* ^.+\.(%proxy_extentions%)$ {
            root       %docroot%;
            access_log /var/log/%web_system%/domains/%domain%.log combined;
            access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
            expires    max;
            try_files  $uri @fallback;
        }
    }

    location /error/ {
        alias %home%/%user%/web/%domain%/document_errors/;
    }

    location @fallback {
        proxy_pass http://%ip%:%web_port%;
    }

    # Never serve .htaccess files or version-control metadata
    location ~ /\.ht   {return 404;}
    location ~ /\.svn/ {return 404;}
    location ~ /\.git/ {return 404;}
    location ~ /\.hg/  {return 404;}
    location ~ /\.bzr/ {return 404;}

    disable_symlinks if_not_owner from=%docroot%;

    include %home%/%user%/conf/web/nginx.%domain%.conf*;
}


this is hosting.tpl nginx template from vestacp

i did the testing with it so i don't mess the default.tpl template

this is supposed to allow only localhost to be able to log-in to WP

pretty tight security
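
The restriction this thread is after, covering both /wp-admin/ and wp-login.php, written out as an added example that is not part of any post above and is not VestaCP's own template. YOUR_IP is a placeholder, %ip% and %web_port% are the template variables already used on this page, and keeping admin-ajax.php public is an assumption about what the hosted sites need.

```nginx
# Place these inside the server { } block, beside "location / { }", not
# nested in it. nginx tests regex locations in the order they appear and
# uses the first one that matches, so the exception must come first.

# Many plugins and themes send front-end AJAX requests to this file, so
# blocking it breaks pages for ordinary visitors. Leave it reachable.
location ~ /wp-admin/admin-ajax\.php$ {
    proxy_pass http://%ip%:%web_port%;
}

# Dashboard and login form, including WordPress installs in a subdirectory.
# The dot is escaped and both alternatives are delimited, so paths such as
# /wp-administrator or /wp-loginXphp are not caught by accident.
location ~ /(wp-admin(/|$)|wp-login\.php$) {
    allow 127.0.0.1;
    allow YOUR_IP;
    deny  all;

    # proxy_pass is not inherited from "location /". Without this line an
    # allowed request would be answered by nginx itself instead of Apache.
    proxy_pass http://%ip%:%web_port%;
}
```

Run `nginx -t` after rebuilding the configuration and before restarting, so a misplaced brace is reported while the old configuration is still serving every site.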
 