Lock WordPress login
Hi,
our server is under some DDoS attack and since they're hitting wp-login, I have decided to 403 all wp-login server-wide. So I have added this to /home/.htaccess:
Order allow,deny
Deny from all
Satisfy All
ErrorDocument 403 "403"
which works well. However, I want to be able to bypass it myself, so I have added my IP address (xxx.xxx.xxx.xxx), like so:
Order allow,deny
Deny from all
allow from xxx.xxx.xxx.xxx
Satisfy All
ErrorDocument 403 "403"
and it DOES NOT WORK, I still get a 403. What am I doing wrong???
-
Your "order" directive is wrong. set it to deny,allow since that is the order you made the actual rules, or change the rules to match your order directive (if it is set to allow,deny then you need the allow rule(s) on top of the deny rules). You also should not need the saitisfy all line. You may also have to specify a 401 errordocument, and perhaps a different directive for the 403 too such as: errordocument 403 default errordocument 401 default You could also consider using filesmatch instead of 'files' 0 -
thanks but no luck. If I change from 'Order allow,deny' to 'Order deny,allow' when I visit the sites I get a '500 Internal Server Error ' instead of the homepage. If I leave as it is and put allow from xxx.xxx.xxx.xxx at the top, I get the 500 error again. 0 -
Check your apache error log; it should tell you why the 500 is happening. All you need is this: order deny,allow deny from all allow from xxx.xxx.xxx.xxx0 -
didn't work but thanks, eventually I got it working with: Order allow,deny allow from xxx.xxx.xxx.xxx When using allow,deny, no deny is needed as it is a whitelist. 0 -
I tested the exact block of code I posted in a /home/.htaccess file to ensure it works. Regardless, glad you found something that worked for you. 0 -
Hello :) I'm happy to see you were able to find a working entry. Thank you for updating us with the outcome. 0
Please sign in to leave a comment.
Comments
6 comments