• Resolved cheaplt

    (@cheaplt)


    Hi Aitpro – Is it possible to protect my backend of WordPress? Like if I gave someone admin access for support.

    Currently I disabled file editing in WordPress, but is it possible for them to still execute malicious code by uploading a file using the media/plugin uploader?
    Are there other vulnerabilities I should be aware of?

    And finally, is it possible to fix those vulnerabilities by using the hta?

    I noticed your plugin comes with a lot of security hta tweaks. I was wondering if these are included by chance.

    Thanks for reading, regards.

    https://www.ads-software.com/plugins/bulletproof-security/

Viewing 15 replies - 1 through 15 (of 18 total)
  • Plugin Author AITpro

    (@aitpro)

    You would need to install a plugin that allows you to limit which areas of WordPress an Administrator can access.

    Plugin Author AITpro

    (@aitpro)

    Hmm, I did just think of a way you could do that in the wp-admin htaccess file, but I would need to play around with that code before I posted it. The general idea is you would use 2 conditions: IP address and Request URI. If the IP address matches the condition for that URI then allow access. If not then block access to the URI.

    Plugin Author AITpro

    (@aitpro)

    This wp-admin code will restrict access to a URI/WordPress page based on IP address. The plugin-install.php file and page is the Plugins >>> Add New page where you would install a plugin. This example code will block access to the Add New plugin page / plugin-install.php file if the IP address does not match 127.0.0.9.

    # wp-admin IP Based URI Restriction
    RewriteCond %{REQUEST_URI} (plugin-install\.php) [NC]
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.9
    RewriteRule ^(.*)$ - [F]
    Thread Starter cheaplt

    (@cheaplt)

    That is an excellent idea using conditional logic. That would provide a huge amount of detailed security. I am not sure of all the ways a person can maliciously execute code in the backend, but by covering all of those grounds using conditional logic like that, it would be really nice to have that type of security. Please let me know what you come up with. Thanks for reading.

    Plugin Author AITpro

    (@aitpro)

    We were posting at the same time. I created and tested the code above and it works fine. Here is another example of restricting a few WordPress pages/areas. The Add new plugin page, the Plugin editor and the Media Add new page.

    # wp-admin IP Based URI Restriction
    RewriteCond %{REQUEST_URI} (plugin-install\.php|plugin-editor\.php|media-new\.php) [NC]
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.9
    RewriteRule ^(.*)$ - [F]
    Thread Starter cheaplt

    (@cheaplt)

    Thank you for helping me secure those areas, I really appreciate it.

    I’m super interested in how this code works.
    On this section of the code - plugin-install - can I block access to any page by putting its permalink in there?
    (plugin-install\.php|plugin-editor\.php|media-new\.php)
    And on this section of the code - .php - it blocks access to a .php file?
    (plugin-install\.php|plugin-editor\.php|media-new\.php)

    Also in the case my IP changes often, how would an IP range code look like? And do you by chance know how to identify my IP range, is there some easy way to figure out that type of thing?

    Plugin Author AITpro

    (@aitpro)

    The technical name is URI.
    https://en.wikipedia.org/wiki/Uniform_resource_identifier#The_relationship_between_URIs.2C_URLs.2C_and_URNs

    A URL is a URI that, in addition to identifying a web resource, specifies the means of acting upon or obtaining the representation, specifying both its primary access mechanism and network location. For example, the URL https://example.org/wiki/Main_Page refers to a resource identified as /wiki/Main_Page whose representation, in the form of HTML and related code, is obtainable via HyperText Transfer Protocol (http) from a network host whose domain name is example.org.

    You would get the URIs by going to whichever WordPress page you want to restrict based on IP address and copy and paste the file name that you see displayed in your Browser’s address bar. Example: https://example.com/wp-admin/plugin-install.php
    You want only the file name of the URI: plugin-install.php

    Those are the literal file names with the .php extension because they are PHP files. The dot is escaped because in RegEx the dot has a special meaning, so by escaping the dot you are saying get the literal dot character and not the special meaning.

    If you want to whitelist 3 octets of your IP address…
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.
    If you want to whitelist 2 octets of your IP address…
    RewriteCond %{REMOTE_ADDR} !^127\.0\.
    If you want to whitelist 1 octet of your IP address…
    RewriteCond %{REMOTE_ADDR} !^127\.

    Thread Starter cheaplt

    (@cheaplt)

    Excellent read, I set up the code with my IP, but could you advise me on where I would put this code in the Custom Code section of BPS.
    Thanks for the support, Much appreciated.

    Plugin Author AITpro

    (@aitpro)

    1. You would add it to this wp-admin Custom Code (NOT Root Custom Code) text box: CUSTOM CODE WPADMIN TOP:
    Add wp-admin password protection, IP whitelist allow access & miscellaneous custom code here
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and activate wp-admin BulletProof Mode.

    Thread Starter cheaplt

    (@cheaplt)

    Okay great! I just realized if someone did want to hack me, they could use BPS and modify the HTA. Could you offer me the code to block them from BPS? BPS is so strong I can't let anyone tamper with it.
    So glad this is possible! I tried to do it myself but I don't know if it'll break my site, let me know if I did it right

    # wp-admin IP Based URI Restriction
    RewriteCond %{REQUEST_URI} (admin.php?page=bulletproof-security/admin/options.php|plugin-install\.php|plugin-editor\.php|media-new\.php) [NC]
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.9
    RewriteRule ^(.*)$ - [F]

    Is it also possible to completely block all backend access by using this code?

    # wp-admin IP Based URI Restriction
    RewriteCond %{REQUEST_URI} (wp-admin/) [NC]
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.9
    RewriteRule ^(.*)$ - [F]
    Plugin Author AITpro

    (@aitpro)

    Yep, if you have given someone Administrator access to your WordPress Dashboard then they could just remove the custom code that you created in BPS to block them from WordPress pages/Admin panels.

    Due to the way WordPress handles rewriting all plugin pages dynamically you would have to use a QUERY_STRING checking condition and not a REQUEST_URI checking condition for plugins/plugin pages.

    Note: You need to add the “OR” htaccess flag since the conditions would be processed like this: if blah OR blah AND blah do blah. The last condition never includes/uses “OR” since there are no more conditions after the last condition.

    # wp-admin IP Based URI Restriction
    RewriteCond %{REQUEST_URI} (plugin-install\.php|plugin-editor\.php|media-new\.php) [NC,OR]
    RewriteCond %{QUERY_STRING} (page=bulletproof-security/admin/core/options\.php) [NC,OR]
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.9
    RewriteRule ^(.*)$ - [F]

    Yes, you could block the entire wp-admin backend with that code, but that feature is already included in BPS Maintenance Mode.

    Thread Starter cheaplt

    (@cheaplt)

    Alright that's great, I will tinker with this code. Thanks for making this possible. I think the next step is to somehow protect my wp-config from being accessed if they have admin rights in my admin dashboard. I am not sure of all the ways they can access that file or even if they can. Do you think I need to add onto the URI restriction code to protect the wp-config? If I did, how would I do that? I really appreciate your help on this subject, thank you many times.

    Plugin Author AITpro

    (@aitpro)

    By default WordPress does not have anything in it that will allow you to access or edit the wp-config.php file, i.e. the Plugin Editor or other editors do not access, open or edit the wp-config.php file. Someone would need FTP or web host control panel access to edit wp-config.php, or they would need to install an additional plugin that has file editing capability.

    So you would only need to restrict access to installing a new plugin or restrict access to any plugin that has file editing capability.

    Thread Starter cheaplt

    (@cheaplt)

    Oh alright, that's good to hear! Hey thanks a bunch. I'll mark this as resolved.

    Plugin Author AITpro

    (@aitpro)

    Correction: I added an extra “OR” after the QUERY_STRING condition that should not be there. Needs to be this: if this/these Request URI(s) “OR” this/these Query String(s) “AND” is NOT IP address X then IS Forbidden.

    # wp-admin IP Based URI/Query Restrictions
    # Plugin pages = Query String | WP files/pages = Request URI
    RewriteCond %{REQUEST_URI} (plugin-install\.php|plugin-editor\.php|media-new\.php) [NC,OR]
    RewriteCond %{QUERY_STRING} (page=bulletproof-security/admin/core/options\.php) [NC]
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.9
    RewriteRule ^(.*)$ - [F]
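The correction above hinges on how mod_rewrite chains RewriteCond lines: conditions are ANDed unless a line carries the [OR] flag, which groups it with the following condition(s), and each OR-group is then ANDed with the rest. The following is an added illustration, not code from the thread or from BulletProof Security: a small Python model of that chaining, run over the rule set with the extra [OR], the corrected rule set, and the three-octet whitelist from earlier in the thread. It assumes the RewriteRule pattern ^(.*)$ matches every request (true for these snippets) and uses 203.0.113.5 as a constructed "some other visitor" address.

```python
import re

# Added illustration of Apache mod_rewrite RewriteCond chaining (not BPS code).
# Assumption: the snippets' RewriteRule ^(.*)$ matches every request, so the
# rule fires (403) exactly when the condition chain is satisfied.

COND_RE = re.compile(r'RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?')


def parse_conds(snippet):
    """Turn the RewriteCond lines of an .htaccess snippet into condition dicts."""
    conds = []
    for line in snippet.splitlines():
        line = line.strip()
        if not line.startswith('RewriteCond'):
            continue  # comments and the RewriteRule line are ignored here
        m = COND_RE.match(line)
        var, pattern = m.group(1), m.group(2)
        flags = (m.group(3) or '').upper().split(',')
        negate = pattern.startswith('!')
        conds.append({
            'var': var,
            'regex': re.compile(pattern[1:] if negate else pattern,
                                re.IGNORECASE if 'NC' in flags else 0),
            'negate': negate,
            'or_next': 'OR' in flags or 'ORNEXT' in flags,
        })
    return conds


def cond_holds(cond, request):
    """Evaluate one condition against the request variables ('!' negates)."""
    hit = cond['regex'].search(request.get(cond['var'], '')) is not None
    return not hit if cond['negate'] else hit


def rule_fires(conds, request):
    """mod_rewrite semantics: AND by default; [OR] joins a condition with the
    next one(s) into a group, and the groups are ANDed together."""
    i, n = 0, len(conds)
    while i < n:
        c = conds[i]
        if cond_holds(c, request):
            if c['or_next']:
                # group satisfied: skip the remaining members of this OR-group
                while i < n and conds[i]['or_next']:
                    i += 1
            i += 1
        elif c['or_next']:
            i += 1  # this alternative failed, try the next one in the group
        else:
            return False  # an ANDed condition failed: the rule does not fire
    return True


def forbidden(snippet, uri, query, ip):
    """True when the snippet's 'RewriteRule ^(.*)$ - [F]' would answer 403."""
    request = {'REQUEST_URI': uri, 'QUERY_STRING': query, 'REMOTE_ADDR': ip}
    return rule_fires(parse_conds(snippet), request)


# Rule set as first posted, with the extra [OR] on the QUERY_STRING line.
WITH_EXTRA_OR = r"""
RewriteCond %{REQUEST_URI} (plugin-install\.php|plugin-editor\.php|media-new\.php) [NC,OR]
RewriteCond %{QUERY_STRING} (page=bulletproof-security/admin/core/options\.php) [NC,OR]
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.9
RewriteRule ^(.*)$ - [F]
"""

# Corrected rule set: (URI OR query string) AND not the whitelisted IP.
CORRECTED = r"""
RewriteCond %{REQUEST_URI} (plugin-install\.php|plugin-editor\.php|media-new\.php) [NC,OR]
RewriteCond %{QUERY_STRING} (page=bulletproof-security/admin/core/options\.php) [NC]
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.9
RewriteRule ^(.*)$ - [F]
"""

# Three-octet whitelist variant: any 127.0.0.x address is allowed through.
THREE_OCTETS = r"""
RewriteCond %{REQUEST_URI} (plugin-install\.php) [NC]
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.
RewriteRule ^(.*)$ - [F]
"""

OTHER_IP = '203.0.113.5'  # constructed "other visitor" address (documentation range)
BPS_QS = 'page=bulletproof-security/admin/core/options.php'

if __name__ == '__main__':
    for name, rules in (('extra OR', WITH_EXTRA_OR), ('corrected', CORRECTED)):
        for uri, qs, ip in (('/wp-admin/plugin-install.php', '', '127.0.0.9'),
                            ('/wp-admin/plugin-install.php', '', OTHER_IP),
                            ('/wp-admin/index.php', '', OTHER_IP),
                            ('/wp-admin/admin.php', BPS_QS, OTHER_IP)):
            print(f'{name:9} {ip:12} {uri}?{qs or "-"} -> '
                  f'{"403" if forbidden(rules, uri, qs, ip) else "allowed"}')
```

With the extra [OR], the whitelisted address is itself locked out of plugin-install.php (the first condition alone satisfies the all-OR group), and every other address is locked out of all of wp-admin (the REMOTE_ADDR condition alone satisfies it). The corrected chain only forbids the listed pages and plugin query string for non-whitelisted addresses.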
  • The topic ‘Protecting the backend hta code’ is closed to new replies.