How do I make my WordPress site an Intranet site

Posted on 2016-07-30
Medium Priority
Last Modified: 2016-08-01
Hi All

I am developing a knowledge base for work and want some advice on how to make the site a secure Intranet as never done this before.

I assume the site will still sit on a web server in the public domain and them access is restricted by domain or IP addressing a bit like a home router.

Or do I run the site on a localhost at work and the access is limited that way.

I have discovered a few potential limitations of localhost such as using google doc embedding on some pages so this i'm sure will be a learning  process

Any advice will be appreciated
Question by:IM&T SRFT
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 248 total points
ID: 41735930
I have several Wordpress site here on my local network.  I access them by machine name and/or IP address, 'localhost' is useless because that restricts access to the machine where the site is installed.

Wordpress requires PHP and MySQL to run.  You can install WAMP or XAMPP on one of your local machines to run Wordpress.  They both include PHP and MySQL.  That will keep it local so that outsiders can't see it.
LVL 30

Assisted Solution

by:Britt Thompson
Britt Thompson earned 248 total points
ID: 41735938
Wordpress is a security nightmare so definitely don't put a Wordpress intranet on a public domain. I'd suggest using Sharepoint 2013 Foundation as an intranet since it's free and designed to operate as such. Sharepoint has quite a bit more management and configuration overhead though.

Accepted Solution

Branislav Borojevic earned 1008 total points
ID: 41735941
This can help you achieve the desired outcome: https://wordpress.org/plugins/restricted-site-access/Restricted Site Access for WordPress

Using Restricted Site Access plugin, you can restrict access to a WordPress site for logged in users only or for users with specific IP addresses, which would be the case in your example. You can also choose to redirect users with no access to the site by sending them to the login page, redirect to another web address, show them a custom message, or even redirect them to a specific page. Restrict by IP feature is very useful if you want multiple employees in the office to have access to the development project without requiring them to register as a user.

Additionally, you can always add statements to your .htaccess file in the website root, and specify exactly what IP addresses can access the website, and the rest will get an error.

ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?index\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^IP Address One$
RewriteCond %{REMOTE_ADDR} !^IP Address Two$
RewriteCond %{REMOTE_ADDR} !^IP Address Three$
RewriteRule ^(.*)$ - [R=403,L]

Open in new window

Just edit lines to add the IP addresses that need access to the admin dashboard and login page replacing IP Address “One,” “Two” and “Three” in the example above.

You can delete two of those lines if you only need to add one IP address or copy and paste them to add more to the list.

When an unauthorized visitor tries to access that page, they’ll see your current theme’s 404.php file.
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

LVL 70

Assisted Solution

by:Jason C. Levine
Jason C. Levine earned 248 total points
ID: 41735961
There's another good way to restrict access to a WordPress site, but only if your organization uses Google Apps.


That plugin restricts access to the site and also ties logins to existing Google Apps accounts. We use it to keep an intranet on the public web and it's great.

Author Comment

ID: 41736071
Thank you for the comments so far, so if I were to restrict to a specific domain name or IP that would be secure? I have slso found an active directory plugin which enables you to specify only users within a specified organisationsl unit to be a member, does that sound about right?  Renazonce i take your comment on board as this site must be secure 100%
LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 248 total points
ID: 41736412
This expert suggested creating a Gigs project.
For a knowledge base application you might consider using a Wiki instead of Wordpress.  Mediawiki has security plug-ins that seem to work very well.  It's good enough for Wikipedia.  As the administrator, you can extend and restrict access by a number of ways, with different permission levels.

If you do not need collaborative editing, which is the main feature of the Wiki, and all you need is a document repository, then any of the popular content management systems will work fine.  They all have adequate security to restrict access appropriately.  Some of the PHP-based systems are listed here.  

The advantage of using a web-based system, instead of one that is restricted by IP address or other inflexible means, cannot be overstated.  Just password-protect your information!  Then as your client base evolves to use mobile access, etc., you will have an enduring authentication scheme, and you won't have to get involved every time someone wants to switch offices, or change his cable company, or add her iPad to the system.

Regarding the earlier comment that "Wordpress is a security nightmare," I respectfully disagree, as will millions of happy and secure WordPress users.  There are right ways and wrong ways of doing everything, and computer security is no different.  WordPress security problems are not inherent; they are added to the individual installations by novice programmers who do not understand basic security tenets and who do not understand the WordPress ecosystem that manages and vets additions to the baseline software.  If you're among those who have never tried to secure a WordPress installation, you might consider hiring a professional to help you do it the first time.  You can learn it all by trial and error, but the professional route will be faster and safer.

If you're interested in a little "under-the-covers" learning about the technologies, most of the general design patterns of PHP client authentication are shown in this article.  If you choose that design and you want to restrict who can see the site, you might omit the registration scripts and just register your users by hand with phpMyAdmin.  Or you might use a register-and-confirm design.  Of course, most of this technology is already built into any modern CMS you might choose, but it can be useful to understand how it works.

Best of luck with your project, ~Ray

Author Comment

ID: 41737283
Thank you again.

Dave Baldwin - If you do not mind me asking... I initially setup as localhost but then features such as embedding and using google docs does not work so now I have the site on a web host.  It sounds like you have your installation on a server at work, how have you got this setup different to the Methods I have setup so far.  Is it that you have setup a server at work specifically to host and manage the site internally and how does that work different to localhost as ideally i'd like to setup where access can be automatically permitted via an Active Directory OU (but this is not essential as I can setup 20 people manually in 20 minutes).

Renazonse - Again will bear this in mind as maybe decide on another solution but I am also using this as a mini learning project to explore what WordPress can and cannot achieve

Branislav Borojevic - That looks a good idea to restrict IP so surely that would be a perfectly reasonable and secure way of working to bear in mind there are no personal identifiable details or passwords etc used on this tech knowledgebase.

Jason C Levine - Thank you but we do not use google apps accounts

Ray Paseur - You may be right but i'd been advised the Wiki we use had become unsupported so I chose to give WP a chance as it's something likely to be around for years and if we can get better functionality and for it work better than what we currently have it's an option we may or may not take.  I will look back at Wiki as if it supports pasting content and images better in the newer versions then that's really what we want from it the most
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 248 total points
ID: 41737319
The only real difference is that I used the IP address of the machine instead of 'localhost'.  'localhost' is not accessible from other machines so you don't want Wordpress using it for the 'domain name'.  I have two Wordpress installs on the machine to my right and one more on a hosting account.  

I just use the web servers on my machines to run whatever I need, I didn't set up a 'special' machine for Wordpress.  I do have 12+ machines with various web servers running on them for development and testing.

Author Comment

ID: 41737351
Thank you Dave

Unfortunately my laptop failed Saturday so i'll get a backup of my onsite site and install to my PC and check this out.  I did have problems initially on local settup with plugins which embed documents and view them using Microsoft office online but will look at this again separately

Thank you once again.

Author Closing Comment

ID: 41737356
All very good advice / options so shared points accordingly.  Thank you once again
LVL 84

Expert Comment

by:Dave Baldwin
ID: 41737856
You're welcome, glad to help.

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In Part I (http://www.experts-exchange.com/Web_Development/Blogs/WordPress/A_8410-Getting-Started-In-WordPress-Part-I.html), I introduced you to the powerful WordPress backend, the WordPress administrative Dashboard.  In Part II, I will introduce yo…
So you have coded your own WordPress plugin and now you want to allow users to upload images to a folder in the plugin folder rather than the default media location? Follow along and this article will show you how to do just that!
The purpose of this video is to demonstrate how to make a WordPress Site faster and smaller in size by cleaning up the database. This will be demonstrated using a Windows 8 PC. Plugin WP Optimize will be used. Go to your WordPress login page. T…
The is a quite short video tutorial. In this video, I'm going to show you how to create self-host WordPress blog with free hosting service.
Suggested Courses
Course of the Month14 days, 9 hours left to enroll

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question