Friday, December 28, 2012

Securing WordPress Dashboard using .htaccess behind CloudFlare (or any other CDN)


You may wish to increase the security of your WordPress blog by doing this, or you may not. It’s a matter of preference. Before today I never bothered, but since I wanted to figure out how it can be done, now it makes no sense to remove the extra security.
In all cases, there are 2 areas that can be locked down from 2 separate .htaccess files. These are:
  • /wordpress/.htaccess to secure the wp-login.php file (used to log in).
  • /wordpress/wp-admin/.htaccess to secure everything under the wp-admin directory.
I want to allow only a few IP addresses to be able to access these areas. This is how it’s done when no CDN sits in front of the server:
# add the following lines to /wordpress/.htaccess
<Files wp-login.php>
    order deny,allow
    deny from all
    allow from 93.75.252.219
    allow from 110.170.50.32
</Files>
# add the following lines to /wordpress/wp-admin/.htaccess
order deny,allow
deny from all
allow from 93.75.252.219
allow from 110.170.50.32
Access to the login and admin areas of your website is now restricted to only the IPs you allow. If, however, you are using a service like CloudFlare, the above will not work because Apache sees the CDN’s address on every connection, not your (the visitor’s) IP address. Let’s fix this:
# add the following lines to /wordpress/.htaccess
# SetEnvIf treats the address as a regular expression, so escape the dots and
# anchor it to the end of the header: the CDN appends the address it actually
# received the connection from as the last element of X-Forwarded-For, while
# any entries in front of it were supplied by the visitor.
<Files wp-login.php>
    SetEnvIf X-FORWARDED-FOR "(^|,\s*)93\.75\.252\.219$" allowedip
    SetEnvIf X-FORWARDED-FOR "(^|,\s*)110\.170\.50\.32$" allowedip
    order deny,allow
    deny from all
    allow from env=allowedip
    # On Apache 2.4 the three lines above become: Require env allowedip
</Files>
# add the following lines to /wordpress/wp-admin/.htaccess
# same escaped and end-anchored patterns as in /wordpress/.htaccess
SetEnvIf X-FORWARDED-FOR "(^|,\s*)93\.75\.252\.219$" allowedip
SetEnvIf X-FORWARDED-FOR "(^|,\s*)110\.170\.50\.32$" allowedip
order deny,allow
deny from all
allow from env=allowedip
# On Apache 2.4 the three lines above become: Require env allowedip
Apache now reads the visitor’s address from the X-Forwarded-For header the CDN adds, sets the allowedip environment variable when it matches one of the patterns, and the last line allows only requests that carry that variable.
Note that you should *not* rely on this security measure alone: X-Forwarded-For is an ordinary request header, so a whitelisted address can and may be spoofed, particularly if the server can be reached without going through the CDN. Always monitor your access logs and combine this with other security methods (such as basic authentication, for example) to further increase security.
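To see why the SetEnvIf pattern needs escaping and anchoring, here is a small Python script, added to this write-up and not part of the original post, that emulates SetEnvIf’s unanchored regex search against a few constructed X-Forwarded-For values. It assumes the CDN appends the address it connected from as the last element of the header.

```python
import re

# Constructed sample X-Forwarded-For values (not taken from the original post).
# A CDN appends the address it actually saw as the LAST element, so any
# entries the visitor sent in their own header end up in front of it.
SAMPLE_XFF = [
    "93.75.252.219",                # allowed visitor, nothing in front
    "10.0.0.5, 93.75.252.219",      # allowed visitor that sent its own XFF
    "193.75.252.219",               # different address sharing a suffix
    "93.75.252.2190",               # different address sharing a prefix
    "93x75x252x219",                # unescaped '.' matches any character
    "93.75.252.219, 203.0.113.7",   # forged first entry, real visitor is last
]


def loose_pattern(ip):
    """The pattern exactly as written on the page: dots unescaped, no anchors."""
    return re.compile(ip)


def strict_pattern(ip):
    """Dots escaped and the address anchored as the last list element."""
    return re.compile(r"(^|,\s*)" + re.escape(ip) + r"$")


def setenvif_matches(pattern, header_value):
    """Emulate SetEnvIf: the variable is set if the regex matches anywhere."""
    return pattern.search(header_value) is not None


def evaluate(ip, headers):
    """Map each header value to (loose_match, strict_match)."""
    loose, strict = loose_pattern(ip), strict_pattern(ip)
    return {h: (setenvif_matches(loose, h), setenvif_matches(strict, h))
            for h in headers}


if __name__ == "__main__":
    for hdr, (loose, strict) in evaluate("93.75.252.219", SAMPLE_XFF).items():
        print(f"{hdr!r:32} loose={loose!s:5} strict={strict}")
```

Only the first two values should set allowedip; the loose pattern sets it for all six.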


Source: http://blog.ergatides.com/2011/09/07/securing-wordpress-dashboard-using-htaccess-behind-cloudflare-or-any-other-cdn/#ixzz2GKPcUHyG
