Dashboard lock down ip address

Alwin · May 7, 2021, 6:12pm

In the Clean and Lock extension I can whitelist my IP address to limit access to WP Admin pages and wp-login.php.

But I have a dynamic IP address (can’t change that) which always looks like this:
109.40.*.**

So 109.40. is always the same, but the other numbers change every day. Can I use some kind of wildcard option like this: 109.40.*.** ?

One other question: suppose I lock myself out because of the IP address has changed in something completely different. Can I login at my MainWP install with sFTP and simply delete the Clean and Lock extension? Would that also delete the IP restriction?

Thanks,
Alwin

bogdan · May 11, 2021, 4:59pm

Hi Alwin,

In case you get locked out, you can easily remove locks by following these steps:

Please check the “Manually Remove MainWP Dashboard Locks” section.

kwcjr · May 13, 2021, 7:23am

@Alwin MainWP Clean & lock allows for any variation of htaccess IP syntax so IP address ranges and wildcards should work. These settings get saved directly within your MainWP’s htaccess file.

Alwin · May 14, 2021, 10:09am

Oke, my IP address always looks like this:

109.40.X.XX

How to set up a wildcard exactly now?

Like this: 109.40.*.**

Or just 109.40.*

Thanks,
Alwin

josklever · May 14, 2021, 11:54am

I would use: 109.40.0.0/16
But even 109.40 should work.

Just make sure you have access to the .htaccess file in the root of the site to fix it, if you happen to lock yourself out. And you can test it by using a mobile internet connection (not WiFi) or a VPN or by asking someone else.

Alwin · May 15, 2021, 11:08am

I tried these options:

109.40
109.40.0.0/16
109.40.*

With one of these 3 options enabled, I am not able to logout from MainWP Dashboard anymore.

When I try to logout I get this 403 error page:

Forbidden

You don’t have permission to access this resource.

So maybe it’s just not possible to set up a wildcard for a dynamic IP address in MainWP?

josklever · May 15, 2021, 11:13am

Did you check how the IPs were added to .htaccess? I haven’t used it like this before via MainWP, so I’m not sure if it actually works. @kwcjr can you have this checked?

Alwin · May 15, 2021, 11:28am

This is from my .htacces file after adding 109.40:

RewriteEngine On RewriteBase / RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteCond %{REMOTE_ADDR} !^109\.40$ RewriteRule ^(.*)$ - [R=403,L]

josklever · May 15, 2021, 11:35am

I’ve just checked it myself. The following code is added to the .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^109\.40\.0\.0/16$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

And this doesn’t match any IP. So IP ranges can’t be used, only single IPs. Instead you could try the following code (directly in .htaccess:

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 109.40.0.0/16
</Files>

Alwin · May 15, 2021, 11:38am

I will try that in a moment.

What about the o.o/16 part of your setup. What does that do? What does “16” do?

josklever · May 15, 2021, 11:46am

Basically it says that the last 2 parts of the IP address can be anything. A normal IP would be /32, if only the last group is a wildcard it would be /24 and you can also have other groups, but it’s explained more on https://whatismyipaddress.com/cidr (or google for CIDR) and on CIDR to IPv4 Address Range Utility Tool | IPAddressGuide you can convert CIDR and IP ranges to each other.

Alwin · May 15, 2021, 11:53am

Thanks for the links, to difficult for me

Anyway, my dynamic IP address at this moment is:
109.40.0.144

First part 109.40 is always the same, last part different every day.

So you say I have to use: 109.40.0.0/16
?

josklever · May 15, 2021, 11:57am

It’s indeed quite difficult, but I hope you understand a little what it does. You can always read more about it if you want.

All the mentioned “wildcard” notations should do the same, but the CIDR notation (109.40.0.0/16) is quite common, so that would be my choice. Just try it out and let someone test it from another internet connection (different IP range).

Alwin · May 15, 2021, 1:12pm

I just added your code to my .htaccess file. Not at the top but just after the #End WordPress part, so like this:

END WordPress

Order Deny,Allow Deny from all Allow from 109.40.0.0/16

After that I tried to open the MainWP dashboard site with another IP address by using a VPN and I got blocked: 403 access denied

So it looks your solution is working fine; thank you very much for all your help (zeer gewaardeerd)!

system · June 14, 2021, 1:12pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.