jblayney (Canada) asked:
only allow certain IP to make site file changes

How can I secure my website so only my IP address can make any changes on the server? I was thinking of using an .htaccess file. It is a Wordpress site.

I have seen features like this on nexcess.net websites, but I am on bluehost, which doesn't have it.
Davis McCarn:

The .htaccess file can be used to allow or deny access to specific IP addresses or ranges, but it does not have commands to control what permissions are granted; so you can control who can even see your site, though not what they can do if they are allowed.
https://httpd.apache.org/docs/2.4/howto/access.html
Assuming you have the ability to use an htaccess file, then just create that .htaccess file (the dot at the beginning is important) in your wp-admin folder and put in these contents:
Order deny,allow
Deny from all
Allow from 1.2.3.4
And replace 1.2.3.4 with your own IP.

And if that doesn't work, you might need to use the newer "Require" syntax in Apache 2.4 as described in the link above from Davis.
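The Apache 2.4 "Require" form of the Deny/Allow block above, as an added example that is not from the thread. It assumes the site runs on Apache 2.4 with .htaccess overrides enabled; 203.0.113.10 is a placeholder for your own address, and the loopback variant matches the SSH tunnel approach mentioned later in the thread.

```apache
# Added example (not the thread's own config). Apache 2.4 "Require" form of
# the Order/Deny/Allow block above. File: wp-admin/.htaccess
# 203.0.113.10 is a placeholder: replace it with your own address, and add
# one "Require ip" line per extra address or CIDR range (e.g. 203.0.113.0/24).
<RequireAny>
    Require ip 203.0.113.10
    # If you reach the admin through an SSH tunnel (ssh -L), requests arrive
    # from the loopback address instead, so allow that rather than a public IP:
    # Require ip 127.0.0.1
</RequireAny>

# WordPress themes and plugins call wp-admin/admin-ajax.php on behalf of
# anonymous visitors; keep it reachable or those front-end features break.
# A <Files> section is merged after the directory rule, so this wins for it.
<Files "admin-ajax.php">
    Require all granted
</Files>

# wp-login.php lives in the site root, not in wp-admin, so the rule above
# does not cover the login form. File: .htaccess in the site root
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>
```

Check the result from an address that is not on the list: the admin URL and wp-login.php should return 403 while the public pages still load.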
1) Ensure all logins are secure. SSL/TLS for websites. SFTP, never FTP. SSH for logins. Either scp or rsync + ssh for backups + site interaction.

2) Run Fail2Ban to watch logs + block password attacks.

I should really write an entire article about Fail2Ban, which is the unsung hero of online security.

Fail2Ban is the single most heavily used security tool. Period.

3) Ignore nonsense like only allowing access via IP as this is both unnecessary + will ruin your day sometime in the future...

When your DHCP lease resets your IP or your upstream ISP resets your IP.

At this point, you'll be completely locked out of your site + will require opening a ticket with your hosting company + hoping someone on their staff is smart enough to remove all your blocks.

If you do go the route of using .htaccess, this won't really work well.

Better to use iptables, if you really think you should.

If you take this approach, keep copious notes about how to back out your blocks, so when you are blocked, you can provide detailed unblocking steps to your hosting company, else you run the risk of them taking forever or worse, destroying your site some way... as they muck about + try to figure out how to restore access.
I agree except for the .htaccess / iptables comment.

1. If your ISP resets your IP address, then you likely still have normal access to your account (e.g. SFTP or SSH or something), so you can modify the .htaccess file to update the IP.

2. Firewalls like iptables are good when you want to control things at the protocol / port level (e.g. block SFTP/SSH, etc except for certain IPs), but it's not the right tool for more surgical blocking of web-based apps (e.g. only allowing certain IPs to hit the admin interface while allowing all others to hit the site).  

That said, it's important to know that thorough security isn't just about blocking access to wp-admin, which is why I heavily agree with everything else David said. You don't want to lock your front door but then leave all your windows open.

Fail2ban is a good tool for catching and blocking IPs upon detection of malicious behavior, but that also means that malicious attempts have to occur and be logged first. Using the .htaccess file to proactively screen out all IPs except your own can help protect you from the very first attempt, which is another layer of security and helps ward off some zero-day exploits (depending on where they are). Using fail2ban in addition will help you block people who have demonstrated malicious intent towards your site so their attempts are limited.

It's worth noting that the more "complete" methods of security like fail2ban or updating your firewall are heavily dependent on you actually having that access. If you're on shared hosting, for example, you probably will not be able to use those kinds of approaches or tools, and you'll have to rely on what you can do with .htaccess files or custom code (e.g. the Wordfence plugin is pretty popular and effective).
Quote of the day + well said... "You don't want to lock your front door but then leave all your windows open."
Please clarify the changes you are talking about you wish to limit.

I think several confirmed using an .htaccess file placed in the directory where the Wordpress administrative interface is located, allowing only a specific IP.

Note however, if your IP is not static, you will lock yourself out should it change. Do you have SSH access to your hosted system? Using SSH and SSH tunnels, you could restrict updates using .htaccess to localhost.
When you connect through the SSH tunnel, your attempt will appear as coming from localhost, provided the sshd on the server allows forwarding.
As I said before, and to clarify, .htaccess will let you block or allow ranges of IP addresses; but it gives you no control over what their permissions are, and I believe the asker wanted to limit write access, not public access.
The asker wants to limit modification to their site from a specific IP.
gr8gonzo pointed to limiting the source of who can access the wp-admin folder; that will limit who can modify the site.

At times I too, the person's question or focus on a particular part of a questioner's post inferring at times a direction different than others or what the asker meant, "how can I secure my website so only my IP address can make any changes on the server"
jblayney (asker):
Hello Everyone,

Thanks for all the feedback. It is a lot to take in.

I am not trying to block just the Wordpress admin; that is easy enough.

I have used nexcess.net for web hosting; they have a feature in the control panel that blocks any file changes on the server except for my IP address. Bluehost or Godaddy don't have this feature.

This feature in Nexcess is called user firewall rules, and I need to whitelist my own IP for any changes to SSH, SFTP, FTP, MySQL. I was wondering if this was something I could recreate on bluehost with .htaccess (or whatever). With Nexcess, it isn't an add-on feature; you need to do it or you can't work.

So really my question is: can I recreate this on bluehost, or should I just move to Nexcess?
Moving to Nexcess is your easiest option, as far as I know.
For any questions about whether a hosting company supports X or Y, you should really ask that company directly. Even those of us who have experience with a particular hosting company might have outdated information. And any research we do on the web might be incorrect, as well (not every hosting company is great at posting all their features). So it's not really fair to that company for us to represent them, since we may do it incorrectly.
Nexcess is more expensive and what I use for Magento or CMS sites that need more security; for brochure sites I usually stick to bluehost or godaddy.

Recently I had a site get hacked which had iThemes Security with all the features active, which led me to believe that perhaps I need a bit more than what a plugin can offer. It also had great passwords on all 3 levels: cPanel, FTP, Wordpress.
A firewall won't necessarily protect you from hacking. A security plugin won't, either. It all depends on how you got hacked. Those are all good measures to take but you need to identify the vulnerability in order to patch it effectively.

Let's go back to the house analogy. Let's say you have good locks on your doors and you have a tall chain link fence around your house. You come home and discover that someone has stolen your prize baseball that is sitting on your window sill.

Your first step is usually to try and understand how it was done. If you have good locks and a fence, that means that there's some other problem that those security measures aren't addressing.

For example, maybe your windows are open and the open parts of the fence are big enough that someone can reach through the fence and grab something from your window.

It doesn't mean that locks and fences aren't effective - they are very effective against certain kinds of threats. However, security is a layered concept. So you need to figure out how the attack worked in order to stop it.

For hacked WP sites, the usual suspects are plugins and then improper maintenance. Plugins are often the culprits since they have less oversight and security review. Someone builds a plugin that does all these awesome things but leaves the door wide open to SQL injection, for example. All it takes is one bad plugin since all plugins have equal access to the database and file system.

Some companies hire cheap developers to build custom plugins, and the developers don't know how to build secure code - they just build it to work.

Or if you don't regularly update your WP sites, it's easy for bots to find out and exploit known vulnerabilities.

However, my money is on a bad plugin.
Make sure you make backups of your access logs for the days/times that you were hacked - those can be your most valuable clues. Sometimes you can see exactly the attack that led to the successful hack.
There were 17 plugins that needed to be updated; it was the annoying base64 hack on all the index pages. Easy enough to clean up from backups. It was all maybe 2 months out of date. I was hoping the Nexcess firewall solution may stop that. I have 4 clients with Nexcess and none have ever gotten hacked.

I don't like letting Wordpress auto update, as you end up getting the white page of death from a plugin conflict and won't know which plugin caused it, so I do it manually.