I am working on an eCommerce WordPress website, where I would like to restrict access to the WordPress Dashboard login screen. The restriction being that the Login page redirects to a 404.php file, for all IP addresses, other than those stipulated within the .htaccess file.

To achieve this, I have entered the following code into the .htaccess file:

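```apache
# Serve the site's 404 page for 401/403 responses
ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404

<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login script or the wp-admin directory ...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ... requested from an address that is not one of the allowed IPs
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xx\.xxx$
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xx\.xxx$
# Respond with 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
```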

I then ensured that the above-mentioned .htaccess file was placed within the root folder.

The above achieved what I was looking for, with one hitch ...

The website's shopping functionality is powered by WooCommerce. Visitors are able to create their own Customer Accounts. The problem, with the above code, becomes apparent when a Customer attempts to log out. Instead of being redirected to the Log Out/Registration page, they are redirected to the 404.php file; as per the above code.

Is there any way I can modify the above code, so that the IP restriction remains for the WordPress login page, whilst Customer Account logouts are not affected?

Craig
  • WP handles the logout via that same script, so at most you could differentiate between different query string parameters … – CBroe Jul 24 '18 at 09:37
  • Thanks for your quick reply. My knowledge, with the `.htaccess` file is limited. Are you saying I would need to create a different landing page for WooCommerce Customer Logouts and then integrate this, into this `.htaccess` script? – Craig Jul 24 '18 at 09:43
  • No, I am saying the logout URL WP creates is of the form `wp-login.php?action=logout&_wpnonce=...`, so you could try and check for `action=logout` and let those requests through. – CBroe Jul 24 '18 at 09:47
  • Ok. Some further learning needed in how to implement this but thanks for the helpful directive. – Craig Jul 24 '18 at 09:51
  • You’re gonna need a RewriteCond to check for query string contents, see https://stackoverflow.com/questions/2252238 (And since your logic is already set up to _block_ on certain conditions, you might want to turn what I said last the other way around - and simply check whether the query string does _not_ contain `action=logout`, and in that case keep blocking. Easier than implementing “and let those requests through” in the above setup you already have.) – CBroe Jul 24 '18 at 09:54
  • After further reading, still not 100%. Thanks for your time, though. – Craig Jul 25 '18 at 15:03

1 Answer

Try this. Add these lines to your .htaccess file.

```apache
<Files wp-login.php>
order deny,allow
Deny from all

# allow access from my IP address
allow from 168.98.10.2

# allow access from my IP address
allow from 168.98.10.6
</Files>
```

VinothRaja
  • Thanks for this suggestion. The only way I can get your suggestion to work, is to uninstall WooCommerce for some reason. – Craig Jul 25 '18 at 14:37
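
The query-string check CBroe describes in the comments on the question, written out as an added example (not code posted by anyone in this thread): the blocking rule from the question is kept, with an extra condition so that it stops applying to logout links. The `203.0.113.x` addresses are placeholders for the allowed IPs, and the `ErrorDocument` path is the placeholder used in the question.

```apache
# Serve the site's 404 page for blocked requests, as in the question
ErrorDocument 403 /path-to-your-site/index.php?error=404

<IfModule mod_rewrite.c>
RewriteEngine On

# 1. The protected URLs (same targets as the rule in the question)
RewriteCond %{REQUEST_URI} wp-login\.php [OR]
RewriteCond %{REQUEST_URI} wp-admin$

# 2. The client is not one of the allowed addresses.
#    Placeholder IPs: replace with your own, and keep the dots escaped
#    so that "." only matches a literal dot.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.11$

# 3. Keep blocking unless the request is a logout link.
#    - The logout link is a plain GET, so any other method stays blocked
#      (login form submissions are POST).
#    - (^|&) and (&|$) make the test match the whole "action" parameter;
#      a bare "action=logout" test would also accept parameter names
#      that merely end in "action".
RewriteCond %{REQUEST_METHOD} !=GET [OR]
RewriteCond %{QUERY_STRING} !(^|&)action=logout(&|$)

# All three groups matched: answer 403 and stop processing
RewriteRule ^ - [R=403,L]
</IfModule>
```

WordPress still validates the `_wpnonce` value on the logout request itself. If the site sits behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy's address, so the allowlist has to be applied where the real client address is visible.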