Home / server / Questions / 571780
In Process
Andy
Asked: 2014-02-04 01:35:08 +0800 CST

Apache files directive for single file

  • 772

I'm trying to restrict access to the wp-login.php file of a wordpress installation to a single IP address using the following .htaccess directive:

<Files wp-login.php>
    order deny,allow
    allow from y.y.y.y # Actual IP address replaced
    deny from all
</Files>

This works but it's also Denying access to wp-login.php files within the /public_html/subdomains directory. I've tried wrapping the Files directive inside a Directory directive like so:

   <Directory />
    Order allow,deny
    <Files wp-login.php>
       Order deny,allow
       allow from y.y.y.y
       deny from all
    </Files>
   </Directory>

But this just gives me a 500 Internal Server Error. I've also tried replacing the / in the Directory match with /public_html to no avail

Is there a way I can get the FilesMatch directive to only match the /public_html/wp-login.php file and not those inside the subdomains directory?

apache-2.2

1 Answers

  1. The problem you're encountering is cause by

    The directives given within this section will be applied to any object with a basename (last component of filename) matching the specified filename.

    So your files directive will match anything ending in wp-login.php.

    The solution is to wrap it in a <Directory> block to limit it's scope

    <Directory /path/to/wp-login>
    <Files wp-login.php>
        Order deny,allow
        allow from y.y.y.y
        deny from all
    </Files>
</Directory>

    FWIW duosecurity have an integration that adds two factor auth to WP logins. It works really well.

    • 0