Lock WordPress login

Discussion in 'Security' started by ahead, Jul 11, 2015.

  1. ahead

    ahead Registered

    Joined:
    Jul 11, 2015
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Ireland
    cPanel Access Level:
    Root Administrator
    Hi,
    Our server is under some DDoS attack, and since they're hitting wp-login, I have decided to 403 all wp-login server-wide. So I have added this to /home/.htaccess:

    <Files ~ "^wp-login.php">
    Order allow,deny
    Deny from all
    Satisfy All
    </Files>
    ErrorDocument 403 "403"

    which works well. However, I want to be able to bypass it myself, so I have added my IP address (xxx.xxx.xxx.xxx), like so:

    <Files ~ "^wp-login.php">
    Order allow,deny
    Deny from all
    allow from xxx.xxx.xxx.xxx
    Satisfy All
    </Files>
    ErrorDocument 403 "403"

    and it DOES NOT WORK, I still get a 403. What am I doing wrong???
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Your "order" directive is wrong. Set it to deny,allow since that is the order you made the actual rules, or change the rules to match your order directive (if it is set to allow,deny then you need the allow rule(s) on top of the deny rules). You also should not need the Satisfy All line.

    You may also have to specify a 401 errordocument, and perhaps a different directive for the 403 too such as:
    errordocument 403 default
    errordocument 401 default

    You could also consider using FilesMatch instead of 'Files'.
     
  3. ahead

    ahead Registered

    Thanks, but no luck. If I change from 'Order allow,deny' to 'Order deny,allow', when I visit the sites I get a '500 Internal Server Error' instead of the homepage. If I leave it as it is and put allow from xxx.xxx.xxx.xxx at the top, I get the 500 error again.
     
  4. quizknows

    quizknows Well-Known Member

    Check your Apache error log; it should tell you why the 500 is happening.

    All you need is this:
    Code:
    <FilesMatch wp-login.php>
    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx
    </FilesMatch>
    
     
  5. ahead

    ahead Registered

    Didn't work, but thanks. Eventually I got it working with:
    <Files ~ "^wp-login.php">
    Order allow,deny
    allow from xxx.xxx.xxx.xxx
    </Files>
    When using allow,deny, no deny is needed as it is a whitelist.
     
  6. quizknows

    quizknows Well-Known Member

    I tested the exact block of code I posted in a /home/.htaccess file to ensure it works. Regardless, glad you found something that worked for you.
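
The three blocks posted in this thread differ only in how `Order` combines the Allow group and the Deny group. As an added example (not part of any post above, and not Apache's own code), this Python model of Apache's documented Order/Allow/Deny evaluation runs each block for an allowed and a non-allowed client. It handles only plain IP/CIDR and `all` values; 203.0.113.10 and 198.51.100.7 are constructed stand-ins for the masked xxx.xxx.xxx.xxx and for any other visitor.

```python
import ipaddress

def matches(values, client):
    """True if any 'from' value (an IP, a CIDR range or 'all') covers client."""
    addr = ipaddress.ip_address(client)
    return any(v.lower() == "all" or addr in ipaddress.ip_network(v, strict=False)
               for v in values)

def evaluate(block, client):
    """Return 200 or 403 for client under the Order/Allow/Deny lines in block.

    All Allow lines form one group and all Deny lines another; only the
    Order directive decides which group wins, not the position of the lines.
    """
    order, allow, deny = "deny,allow", [], []      # deny,allow is the default Order
    for line in block.strip().splitlines():
        words = line.split()
        key = words[0].lower() if words else ""
        if key == "order":
            order = words[1].lower()
        elif key in ("allow", "deny") and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
        # anything else (Satisfy, <Files>, ErrorDocument) is ignored by this model
    allowed, denied = matches(allow, client), matches(deny, client)
    if order == "allow,deny":
        ok = allowed and not denied    # default deny; a Deny match overrides Allow
    else:
        ok = allowed or not denied     # default allow; an Allow match overrides Deny
    return 200 if ok else 403

ADMIN, OTHER = "203.0.113.10", "198.51.100.7"      # constructed sample addresses
THREAD_BLOCKS = {                                  # directives as posted in the thread
    "first attempt": "Order allow,deny\nDeny from all\nallow from 203.0.113.10\nSatisfy All",
    "deny,allow": "order deny,allow\ndeny from all\nallow from 203.0.113.10",
    "allow only": "Order allow,deny\nallow from 203.0.113.10",
}

def thread_results():
    """Map each block name to (status for ADMIN, status for OTHER)."""
    return {name: (evaluate(block, ADMIN), evaluate(block, OTHER))
            for name, block in THREAD_BLOCKS.items()}

if __name__ == "__main__":
    for name, (admin, other) in thread_results().items():
        print(f"{name:14} admin={admin} other={other}")
```

Under `Order allow,deny` a client that matches both groups is denied, so the first attempt returns 403 even for the listed address, while the other two blocks admit it and reject everyone else.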
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator