Skip to content

Instantly share code, notes, and snippets.

Created Aug 6, 2014
What would you like to do?
Blocking access to wp-login.php in an nginx->apache environment
# BEGIN Custom Login Restriction
<Files wp-login.php>
# ==== ! Important ! ==== #
# Do not leave the regexps below as they are. You will need to modify them to match your
# internal IP addresses/ranges
# ==== ! Important ! ==== #
# Change the regexp below to match your internal IP addresses
# In this example, we're matching anything that begins with 255., and allowing any
# IP address within that range. You can modify the regexp as needed
# These lines are formatted as follows:
# SetEnvIf X-Forwarded-For [IP RegExp] [Variable Name]
SetEnvIf X-Forwarded-For ^255\.\d{1,3}\.\d{1,3}\.\d{1,3} AllowWPAdminAccess
# If you need to allow access from more than one range of IPs, you can specify
# alternative IP addresses/ranges through additional regexps
SetEnvIf X-Forwarded-For ^127\.\d{1,3}\.\d{1,3}\.\d{1,3} AllowAccessAlt
# Leave the following two lines exactly as they are
Order Deny,Allow
Deny from all
# Change the env=[varname] as necessary to match the variable names you
# assigned above.
# You can separate multiple variable names by using a space between them
# If you use any separator other than a space, this won't work properly
Allow from env=AllowAccessAlt env=AllowWPAdminAccess
# If you would like to point the user to a custom error page when they
# attempt to login from outside of your firewall, specify that here
# I have not tested enough to know whether this ErrorDocument directive
# affects only unauthorized access to wp-login.php, or if it takes
# over all 403 errors on the website. It should, theoretically,
# only take effect when users attempt to access wp-login.php
ErrorDocument 403 /403.html
# END Custom Login Restriction
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment