Limiting the access to /wp-admin/ for the whole server

[Greg]

I want to limit the access to /wp-admin/ to specific IPs or even localhost

it's described here

http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp-admin_by_IP

but that seems to be for individual site

I want to make it server wide.

So obviosly i would put the .htaccess file in the main web dir but how to make the path so it affects */wp-admin/* for all sites below

 

[RTGHM]

Just some of the many ways to do this:

If doing directory, then just add lines like Allow from x.x.x.x (replace x.x.x.x to IP address), etc.

OPTION 1: PREVENT DIRECTORY BROWSING

Options All -Indexes

OPTION 2:

IF YOU HAVE SPECIFIC FILES:

NOTE: you'll want to change .php part - this is just a example

<Files ~ "'\.php$">

Order allow,deny

Deny from all

</Files>

OPTION 3:

IF DIRECTORY:

<Directory ~ "\wp-admin">

Order allow,deny

Deny from all

</Directory>

OR

RewriteRule ^(.*/)?\\wp-admin/ - [F,L]

OR

RedirectMatch 404 /\\wp-admin(/!$)

 

[k0nsl]

What HTTPd are you running, to begin with? 

[EDIT]

Nevermind. Apache, obviously.  :blush: 

 

[Greg]

nginx for static and the dynaminc is forwarded to apache

 

[SentinelTower]

nginx for static and the dynaminc is forwarded to apache

Hi,

What is your nginx configuration?

You should be able to create a location block which should look like this (I am unsure about the regex):

location ~ /wp-admin {

    allow YOUR_IP;

    deny all;

}

 

[Greg]

Hey thanks, that sounds like a nice way to do it

here is my nginx template

http://c.vestacp.com/0.9.8/rhel/templates/web/nginx/default.tpl

and just in case here is my apache one

http://c.vestacp.com/0.9.8/rhel/templates/web/httpd/default.tpl

 

[SentinelTower]

Well you can try this block (quick and dirty) under your "location / { ... }" block:

location ~ /wp-admin {

    allow YOUR_IP;

    deny all;

    

    proxy_pass      http://%ip%:%web_port%;

    location ~* ^.+\.(%proxy_extentions%)$ {

        root           %docroot%;

        access_log     /var/log/httpd/domains/%domain%.log combined;

        access_log     /var/log/httpd/domains/%domain%.bytes bytes;

        expires        max;

        try_files      $uri @fallback;

    }

}

 

[RTGHM]

Alternatively, you just just do a php script that loops every folder, sub-folder, looks for wp-admin, if it finds wp-admin, it changes directory, writes a .htaccess to allow just your ip in, deny everyone else, etc. (not good idea though)

 

[Greg]

Well you can try this block (quick and dirty) under your "location / { ... }" block:


location ~ /wp-admin {

    allow YOUR_IP;

    deny all;

    

    proxy_pass      http://%ip%:%web_port%;

    location ~* ^.+\.(%proxy_extentions%)$ {

        root           %docroot%;

        access_log     /var/log/httpd/domains/%domain%.log combined;

        access_log     /var/log/httpd/domains/%domain%.bytes bytes;

        expires        max;

        try_files      $uri @fallback;

    }

}

thanks dude! That looks like great, simple and quick way to solve this otherwise huge issue.

Are there any drawbacks to it since you mentioned dirty?

 

[SentinelTower]

thanks dude! That looks like great, simple and quick way to solve this otherwise huge issue.

Are there any drawbacks to it since you mentioned dirty?

Well, there is probably a way to do it without repeating the inner location block but if the regex is correct this is probably a cleaner way than a .htaccess or a phpscript

 

[Greg]

ok i'll be trying it shortly and will report back

 

[Greg]

well after adding it i rebuilded the conf for one of the sites and when tried to restart nginx i got

 service nginx start
nginx: [emerg] "location" directive is not allowed here in /home/admin/conf/web/nginx.conf:1915

seems that where it adds the confs for all the sites

even reverting to the original template couldn't really fix it so i'm restoring a backup right now becaue everything is down
 

 

[Greg]

it actually works

in the hurry i've missed that you've missed a bracket

here is the whole template for anyone else that might need solution to this problem


server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;

location / {


location ~ wp-login.php {

allow 127.0.0.1;

deny all; }


proxy_pass http://%ip%:%web_port%;
location ~* ^.+\.(%proxy_extentions%)$ {
root %docroot%;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
try_files $uri @fallback;
}
}

location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}

location @fallback {
proxy_pass http://%ip%:%web_port%;
}

location ~ /\.ht {return 404;}
location ~ /\.svn/ {return 404;}
location ~ /\.git/ {return 404;}
location ~ /\.hg/ {return 404;}
location ~ /\.bzr/ {return 404;}

disable_symlinks if_not_owner from=%docroot%;

include %home%/%user%/conf/web/nginx.%domain%.conf*;
}


this is hosting.tpl nginx template from vestacp

i did the testing wiht it so i don't mess the default.tpl template

this is supposed to allow only localhost be able to log-in to WP

pretty tight security

 

[Greg]

if someone has suggestions to improve it even further please post