Limit admin access by IP – but all for subscribers – PLEASE HELP

Hi,

I have a membership site where users that subscribe are automatically categorized as Subscribers and I have limited the amount of control and visibility they have.

Is there a way to limit ADMIN access to the WordPress site by IP address, but somehow still allow all users that are categorized as Subscribers to log in from any IP address?

I added the code below to my htaccess file, but that doesn’t allow my subscribers to log in anymore from their own IP addresses, since it still goes through wp-login.php.

<Files wp-login.php>
order deny,allow
deny from all
# whitelist Your First IP address
allow from xx.xx.xx.xx
</Files>

I would really really appreciate some help to figure out if it is possible and if so, HOW, to limit the admin user (as categorized as “admin” in the users list within the WordPress admin panel) to a certain IP address, but still allow all who are categorized as “Subscribers” access from any IP address.

Thank you in advance.

  • aecnu
    • WP Unicorn

    Greetings NicoleElmore,

    Thank you for the great question and idea, which I do not believe is possible, because the determination of who is admin and who is not is made after log in and not prior to it.

    I have researched this significantly today in light of your question, and though I have found many ways to block IPs, I cannot find one to filter them to admin functions only, with the exception of the htaccess script below:

    When you need to block access to a WordPress path, e.g. yourdomain.com/wp-admin

    # Enable mod_rewrite (required for the rules below)
    RewriteEngine On
    # Path you want to restrict: anything under /wp-admin/
    RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC]
    # IP you want to allow (dots escaped, anchored so 127.0.0.10 does not also match)
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
    # Send all other IPs somewhere else
    RewriteRule ^(.*) http://fail.com/ [R,L]

    Please let me know if this works for you.

    Cheers, Joe

  • aecnu
    • WP Unicorn

    Greetings NicoleElmore,

    Thank you for letting me know, and sorry that it did not work out as anticipated. Doing more research into the subject, I found the reason that it did not work: we cannot simply block access to everything in /wp-admin/, because the directory contains the WordPress installation's AJAX handler.

    The AJAX handler is what allows users on the WordPress website to perform application functions without a full page reload occurring. E.g. when you click a button and see a rotating “loading” icon, that is usually an AJAX call.

    If you simply block the whole of /wp-admin/ with a password, you will break any plugin or theme that uses AJAX for users who are not logged in.

    To work around this, you can whitelist your ajax handler as follows:

    http://kuttler.eu/post/htaccess-protect-wordpress-admin/

    That should do the job for you.

    Thank you for being a WPMU DEV Community Member!

    Cheers, Joe
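As an added example that is not part of the thread and not Joe's or WPMU DEV's code: since htaccess cannot see a user's role, one way to enforce the rule the question asks for is a small must-use plugin that hooks WordPress's `authenticate` filter. It runs after core has verified the password, and only then denies administrators who are not coming from an allowlisted address, while Subscribers and all other roles pass through untouched. The allowlist addresses, the plugin and function names are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Admin IP Allowlist (added example, not from the thread)
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 */

// Constructed example allowlist; replace with the real admin address(es). IPv4 only.
const ADMIN_IP_ALLOWLIST = array( '203.0.113.10', '198.51.100.0/24' );

// True if $ip is equal to $entry, or inside $entry when $entry is a CIDR block.
function admin_ip_allowlist_match( $ip, $entry ) {
    if ( strpos( $entry, '/' ) === false ) {
        return $ip === $entry;
    }
    list( $subnet, $bits ) = explode( '/', $entry, 2 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( $ip_long === false || $subnet_long === false ) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

function admin_ip_allowlist_check( $user ) {
    if ( ! ( $user instanceof WP_User ) ) {
        return $user; // credentials already failed or not attempted; pass it through
    }
    if ( ! in_array( 'administrator', (array) $user->roles, true ) ) {
        return $user; // subscribers and every other role: no IP restriction
    }
    // REMOTE_ADDR only: X-Forwarded-For is attacker-controlled unless a trusted proxy sets it.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( ADMIN_IP_ALLOWLIST as $entry ) {
        if ( admin_ip_allowlist_match( $ip, $entry ) ) {
            return $user;
        }
    }
    // Log the denied attempt so it shows up in the web server's error log.
    error_log( sprintf( 'admin login for "%s" denied from %s', $user->user_login, $ip ) );
    return new WP_Error( 'admin_ip_blocked', 'Administrator login is not permitted from this network.' );
}

// Priority 40: after core's wp_authenticate_username_password (20) has checked the password.
add_filter( 'authenticate', 'admin_ip_allowlist_check', 40, 1 );
```

This gates new logins only; an administrator session that is already established keeps its cookie, so the same role-plus-IP check would also need to run on `admin_init` to cover existing sessions.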
