How can I restrict access to the WordPress Admin Login page, by IP address, without it affecting the Customer Logout process?

Multi tool use
Multi tool useThe name of the picture


How can I restrict access to the WordPress Admin Login page, by IP address, without it affecting the Customer Logout process?



I am working on an eCommerce WordPress website, where I would like to restrict access to the WordPress Dashboard login screen. The restriction being that the Login page redirects to a 404.php file, for all IP addresses, other than those stipulated within the .htaccess file.


404.php


.htaccess



To achieve this, I have entered the following code into the .htaccess file:


.htaccess


ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^xxx.xxx.xx.xxx$
RewriteCond %{REMOTE_ADDR} !^xxx.xxx.xx.xxx$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>



I then ensured that the above mentioned .htcaccess file was placed within the root folder.


.htcaccess



The above achieved what I was looking for, with one hitch ...



The website's shopping functionality is powered by WooCommerce. Visitors are able to create their own Customer Accounts. To problem, with the above code, becomes apparent when a Customer attempts to log out. Instead of being redirected to the Log Out/Registration page, they are redirected to the 404.php file; as per the above code.


404.php



Is there anyway I can modify the above code, so that the IP restriction remains for the WordPress login page, whilst Customer Account log outs not being affected?





WP handles the logout via that same script, so at most you could differentiate between different query string parameters …
– CBroe
5 hours ago





Thanks for your quick reply. My knowledge, with the .htaccess file is limited. Are you saying I would need to create a different landing page for WooCommerce Customer Logouts and then integrate this, into this .htaccess script?
– Craig
5 hours ago


.htaccess


.htaccess





No, I am saying the logout URL WP creates is of the form wp-login.php?action=logout&_wpnonce=..., so you could try and check for action=logout and let those requests through.
– CBroe
5 hours ago


wp-login.php?action=logout&_wpnonce=...


action=logout





Ok. Some further learning needed in how to implement this but thanks for the helpful directive.
– Craig
5 hours ago





You’re gonna need a RewriteCond to check for query string contents, see stackoverflow.com/questions/2252238 (And since your logic is already set up to block on certain conditions, you might want to turn what I said last the other way around - and simply check whether the query string does not contain action=logout, and in that case keep blocking. Easier than implementing “and let those requests through” in the above setup you already have.)
– CBroe
5 hours ago


action=logout




1 Answer
1



Try this
Add this line your .htaccess file.


<Files wp-login.php>
order deny,allow
Deny from all

# allow access from my IP address
allow from 168.98.10.2

# allow access from my IP address
allow from 168.98.10.6
</Files>






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

7BXOhljlJSlEcDJl0v2FFPo4
-
N4 PGXK sLLDX8GI0W6porDQ3,e Gm,A8mSmkZrm6M221LSr0hpO0Y,QRzKxyihfEQQlg

Popular posts from this blog

Keycloak server returning user_not_found error when user is already imported with LDAP

Keycloak server returning user_not_found error when user is already imported with LDAP I am currently running a keycloak server as a service in a kubernetes cluster. I can access it perfectly with the initial keycloak admin account and used it to setup a new realm using LDAP for User Federation. The connection and queries seem to work fine as a I can search for Users and they pop up with their correct username, first name, last name and e-mail so all seemed fine. When I then log out and try to log in with a normal user account that exists in the AD and has been imported I just find get the following error: WARN [org.keycloak.events] (default task-8) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=<my ip>, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://myserver.com/auth/admin/master/console/#/realms/MyRealm, code_id=a8ca7f06-dfec-4e6e-8f6b-74eb871f71da, username=myUser So it seems that in some way wh...
Read more

PHP parse/syntax errors; and how to solve them?

Image
PHP parse/syntax errors; and how to solve them? Everyone runs into syntax errors. Even experienced programmers make typos. For newcomers it's just part of the learning process. However, it's often easy to interpret error messages such as: PHP Parse error: syntax error, unexpected '{' in index.php on line 20 The unexpected symbol isn't always the real culprit. But the line number gives a rough idea where to start looking. Always look at the code context . The syntax mistake often hides in the mentioned or in previous code lines . Compare your code against syntax examples from the manual. While not every case matches the other. Yet there are some general steps to solve syntax mistakes . This references summarized the common pitfalls: Unexpected T_STRING Unexpected T_VARIABLE Unexpected '$varname' (T_VARIABLE) Unexpected T_CONSTANT_ENCAPSED_STRING Unexpected T_ENCAPSED_AND_WHITESPACE Unexpected $end Unexpected T_FUNCTION… Unexpected { { Unexpected } } Unexpe...
Read more

415 Unsupported Media Type while sending json file over REST Template

Image
Clash Royale CLAN TAG#URR8PPP 415 Unsupported Media Type while sending json file over REST Template I am trying to send a json file over REST Template. When I send it via POST man as MULTIPART_FORM_DATA, it works fine. The name I am supposed to give is specific (lets say aaa ). Attached screenshot of POSTMAN. But when I try same in code as specified in another stackoverflow post, I get 415 Unsupported Media Type error as org.springframework.web.client.HttpClientErrorException: 415 Unsupported Media Type at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91) ~[spring-web-4.1.9.RELEASE.jar:4.1.9.RELEASE] at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:616) ~[spring-web-4.1.9.RELEASE.jar:4.1.9.RELEASE] at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:572) ~[spring-web-4.1.9.RELEASE.jar:4.1.9.RELEASE] at org.springframework.web.client.RestTemplate.execute(RestT...
Read more