How do I make my WordPress site an Intranet site

Hi All

I am developing a knowledge base for work and want some advice on how to make the site a secure Intranet, as I have never done this before.

I assume the site will still sit on a web server in the public domain and then access is restricted by domain or IP addressing, a bit like a home router.

Or do I run the site on a localhost at work and the access is limited that way?

I have discovered a few potential limitations of localhost, such as using Google Docs embedding on some pages, so this I'm sure will be a learning process.

Any advice will be appreciated
Branislav Borojevic (Founder) commented:
This can help you achieve the desired outcome: Site Access for WordPress

Using the Restricted Site Access plugin, you can restrict access to a WordPress site for logged in users only or for users with specific IP addresses, which would be the case in your example. You can also choose to redirect users with no access to the site by sending them to the login page, redirect to another web address, show them a custom message, or even redirect them to a specific page. The restrict-by-IP feature is very useful if you want multiple employees in the office to have access to the development project without requiring them to register as a user.

Additionally, you can always add statements to your .htaccess file in the website root, and specify exactly what IP addresses can access the website, and the rest will get an error.

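# Send denied requests to the site's own error page
ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404

<IfModule mod_rewrite.c>
RewriteEngine on
# Apply the rule to index.php, wp-login.php or wp-admin ...
RewriteCond %{REQUEST_URI} ^(.*)?index\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ... when the client address is none of the allowed ones.
# Replace each placeholder with a real address (no spaces, dots escaped as \.)
RewriteCond %{REMOTE_ADDR} !^IP Address One$
RewriteCond %{REMOTE_ADDR} !^IP Address Two$
RewriteCond %{REMOTE_ADDR} !^IP Address Three$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>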


Just edit lines to add the IP addresses that need access to the admin dashboard and login page replacing IP Address “One,” “Two” and “Three” in the example above.

You can delete two of those lines if you only need to add one IP address or copy and paste them to add more to the list.

When an unauthorized visitor tries to access that page, they’ll see your current theme’s 404.php file.
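
Added example (not part of the original answer, and not code from any plugin mentioned here): a small Python helper that builds the `RewriteCond %{REMOTE_ADDR}` allowlist lines for the snippet above from a list of IPv4 addresses, validating each one, escaping the dots and anchoring both ends. The second function shows which other clients a hand-typed pattern without the escaping and the trailing `$` would also let through. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

def pattern_for(raw):
    """Return an exact-match regex for one IPv4 address (ValueError if invalid)."""
    ip = ipaddress.IPv4Address(raw.strip())   # rejects typos and leftover placeholders
    # Escape the dots and anchor both ends so only this one address matches.
    return "^" + re.escape(str(ip)) + "$"

def rewrite_conds(allowed):
    """Return one negated RewriteCond line per allowed address."""
    return ["RewriteCond %{REMOTE_ADDR} !" + pattern_for(a) for a in allowed]

def over_matches(pattern, candidates):
    """Return the client addresses a REMOTE_ADDR pattern would accept.

    mod_rewrite patterns are unanchored unless written with ^ and $,
    so re.search() is used to model the match here.
    """
    rx = re.compile(pattern)
    return [c for c in candidates if rx.search(c)]

# Constructed sample client addresses (not taken from the page).
SAMPLE_CLIENTS = [
    "192.0.2.1",      # the office address we mean to allow
    "192.0.2.10",     # different host, same prefix
    "192.0.2.100",    # different host, same prefix
    "192.0.221.7",    # unrelated network, matches only because "." means "any char"
    "198.51.100.4",   # unrelated network
]

if __name__ == "__main__":
    for line in rewrite_conds(["192.0.2.1", "198.51.100.4"]):
        print(line)
    # Hand-typed pattern: dots unescaped, no trailing $.
    print("loose :", over_matches("^192.0.2.1", SAMPLE_CLIENTS))
    # Generated pattern: only the intended address is accepted.
    print("strict:", over_matches(pattern_for("192.0.2.1"), SAMPLE_CLIENTS))
```

Paste the generated lines in place of the three placeholder `RewriteCond %{REMOTE_ADDR}` lines; an entry that is not a valid IPv4 address raises `ValueError` instead of producing a rule.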
Dave Baldwin (Fixer of Problems) commented:
I have several WordPress sites here on my local network.  I access them by machine name and/or IP address; 'localhost' is useless because that restricts access to the machine where the site is installed.

Wordpress requires PHP and MySQL to run.  You can install WAMP or XAMPP on one of your local machines to run Wordpress.  They both include PHP and MySQL.  That will keep it local so that outsiders can't see it.
Britt Thompson (Sr. Systems Engineer) commented:
Wordpress is a security nightmare so definitely don't put a Wordpress intranet on a public domain. I'd suggest using Sharepoint 2013 Foundation as an intranet since it's free and designed to operate as such. Sharepoint has quite a bit more management and configuration overhead though.
Jason C. Levine (No one) commented:
There's another good way to restrict access to a WordPress site, but only if your organization uses Google Apps.

That plugin restricts access to the site and also ties logins to existing Google Apps accounts. We use it to keep an intranet on the public web and it's great.
IM&T SRFT (Author) commented:
Thank you for the comments so far, so if I were to restrict to a specific domain name or IP that would be secure? I have also found an active directory plugin which enables you to specify only users within a specified organisational unit to be a member, does that sound about right?  Renazonce I take your comment on board as this site must be secure 100%
Ray Paseur commented:
For a knowledge base application you might consider using a Wiki instead of Wordpress.  Mediawiki has security plug-ins that seem to work very well.  It's good enough for Wikipedia.  As the administrator, you can extend and restrict access by a number of ways, with different permission levels.

If you do not need collaborative editing, which is the main feature of the Wiki, and all you need is a document repository, then any of the popular content management systems will work fine.  They all have adequate security to restrict access appropriately.  Some of the PHP-based systems are listed here.  

The advantage of using a web-based system, instead of one that is restricted by IP address or other inflexible means, cannot be overstated.  Just password-protect your information!  Then as your client base evolves to use mobile access, etc., you will have an enduring authentication scheme, and you won't have to get involved every time someone wants to switch offices, or change his cable company, or add her iPad to the system.

Regarding the earlier comment that "Wordpress is a security nightmare," I respectfully disagree, as will millions of happy and secure WordPress users.  There are right ways and wrong ways of doing everything, and computer security is no different.  WordPress security problems are not inherent; they are added to the individual installations by novice programmers who do not understand basic security tenets and who do not understand the WordPress ecosystem that manages and vets additions to the baseline software.  If you're among those who have never tried to secure a WordPress installation, you might consider hiring a professional to help you do it the first time.  You can learn it all by trial and error, but the professional route will be faster and safer.

If you're interested in a little "under-the-covers" learning about the technologies, most of the general design patterns of PHP client authentication are shown in this article.  If you choose that design and you want to restrict who can see the site, you might omit the registration scripts and just register your users by hand with phpMyAdmin.  Or you might use a register-and-confirm design.  Of course, most of this technology is already built into any modern CMS you might choose, but it can be useful to understand how it works.

Best of luck with your project, ~Ray
IM&T SRFT (Author) commented:
Thank you again.

Dave Baldwin - If you do not mind me asking... I initially set up as localhost but then features such as embedding and using Google Docs do not work, so now I have the site on a web host.  It sounds like you have your installation on a server at work; how have you got this set up differently to the methods I have set up so far?  Is it that you have set up a server at work specifically to host and manage the site internally, and how does that work differently to localhost, as ideally I'd like to set up where access can be automatically permitted via an Active Directory OU (but this is not essential as I can set up 20 people manually in 20 minutes).

Renazonse - Again will bear this in mind as maybe decide on another solution but I am also using this as a mini learning project to explore what WordPress can and cannot achieve

Branislav Borojevic - That looks a good idea to restrict IP so surely that would be a perfectly reasonable and secure way of working to bear in mind there are no personal identifiable details or passwords etc used on this tech knowledgebase.

Jason C Levine - Thank you but we do not use google apps accounts

Ray Paseur - You may be right but I'd been advised the Wiki we use had become unsupported so I chose to give WP a chance as it's something likely to be around for years and if we can get better functionality and for it to work better than what we currently have it's an option we may or may not take.  I will look back at Wiki as if it supports pasting content and images better in the newer versions then that's really what we want from it the most
Dave Baldwin (Fixer of Problems) commented:
The only real difference is that I used the IP address of the machine instead of 'localhost'.  'localhost' is not accessible from other machines so you don't want Wordpress using it for the 'domain name'.  I have two Wordpress installs on the machine to my right and one more on a hosting account.  

I just use the web servers on my machines to run whatever I need, I didn't set up a 'special' machine for Wordpress.  I do have 12+ machines with various web servers running on them for development and testing.
IM&T SRFT (Author) commented:
Thank you Dave

Unfortunately my laptop failed Saturday so I'll get a backup of my onsite site and install to my PC and check this out.  I did have problems initially on local setup with plugins which embed documents and view them using Microsoft Office Online but will look at this again separately

Thank you once again.
IM&T SRFT (Author) commented:
All very good advice / options so shared points accordingly.  Thank you once again
Dave Baldwin (Fixer of Problems) commented:
You're welcome, glad to help.
Question has a verified solution.
