Authorize an IP Address to a WordPress BackOffice protected with .htaccess

Not long ago I had more than 2600 attempts, in less than 24 hours, to break into the Back Office of a WordPress website.
Fortunately I have a plugin that blocks that, but I still was not happy.

So I went a step further and simply blocked every IP except a few, with a .htaccess file.
It's a kind of double security: with Order deny,allow and Require valid-user in the same .htaccess, Apache's default Satisfy All means a visitor has to pass both the IP check and the password check.

1st) password
You need a password (.htaccess and .htpasswd combo)

2nd) IPs
You can only access it from the allowed IPs

But what if you need to access your blog (or any web site protected with a .htaccess file) from another location (not in the allowed IP addresses) ?

I asked a friend of mine to write a simple but practical script, so that from anywhere I can add an IP address and then access the Back Office from the newly authorized IP. I then added another button so I can launch the WordPress iOS app from there.

Of course this page is also protected via .htaccess!
Don't forget to do so or you could (you will) regret it: anyone who can reach this page can rewrite the allow list.

As I said, this is for WordPress, so you'll find two buttons to go directly to the Back Office,
either from the current browser or by launching the WordPress iOS application.

You could also set up a dedicated subdomain with your hosting provider, like

http://changemyip.myblog.com

or http://www.myblog.com/changemyip.php/
or http://www.myblog.com/supersecret.php/
or http://www.myblog.com/trS5P89fau.php/
well, you get it.
Or simply put the PHP file anywhere you like, as long as it lives in the same hosting home directory (it needs write access to wp-admin/.htaccess).
Then access your Back Office, typically at http://www.myblog.com/wp-admin/

(screenshot: the changeyourip page)

Below are examples of the .htaccess, the .htpasswd and the PHP file.

.htaccess in /wp-admin directory

order deny,allow
allow from WWW.XXX.YYY.ZZZ
allow from AAA.BBB.CCC.DDD
deny from all

AuthName "PROTECTED AREA"
AuthType Basic
AuthUserFile “/some/path/to/your/.htpasswd”
Require valid-user

.htpasswd (example)

My web host requires the passwords in .htpasswd to be hashed and won't accept clear text. The lines below are crypt(3) SHA-512 hashes (the ones starting with $6$), not base64.
My friend Nico also wrote a small .php routine to produce such a hash in a snap; see below for the code.

memyselfandI:$6$0W241mYtPpUe$Q3Es80.hUpeKcbVASMC/ubSUGgX/Hl0Z7f4tuM51P7bOrSlL4h5IFXvZd79kp7zhjn1ojUqBdzNYDbtZaCqad0
AnotherAuthorizedUser:$6$4YL78FDnN.rD$2O9pQd1uLRDVjyCScNT/aihxeNW.qAX3W3L0IPFjHCnaxCW6Gn6BZ2dkLPKEQf/Bxyu.UQk4LnSVSySIQ/tlS0

Changeyourip.php

<?php
// Thanks to Nico for this bit of code: contact dot obysky at gmail dot com, modified by: oem at oemden dot com
// Path of the .htaccess this page rewrites (placeholder: adjust to your install).
$htaccess = '/some/path/to/your/wp-admin/.htaccess';

$ip_cool = $_SERVER['REMOTE_ADDR'];
$message = '';

if (isset($_POST['ip_change'])) {
	$ip = trim($_POST['ip_change']);
	// Only a syntactically valid IPv4/IPv6 address may reach the .htaccess file;
	// anything else (for instance a newline followed by extra directives) is rejected.
	if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
		$message = 'Invalid IP address, nothing changed.';
	} else {
		// Rewrite the whole file: the two fixed IPs plus the one just authorized
		// (the previously authorized dynamic IP is replaced, not appended).
		$content = "order deny,allow\n"
		         . "allow from WWW.XXX.YYY.ZZZ\n"
		         . "allow from AAA.BBB.CCC.DDD\n"
		         . "allow from " . $ip . "\n"
		         . "deny from all\n\n"
		         . "AuthName \"PROTECTED AREA\"\n"
		         . "AuthType Basic\n"
		         . "AuthUserFile \"/some/path/to/your/.htpasswd\"\n"
		         . "Require valid-user\n";
		if (file_put_contents($htaccess, $content, LOCK_EX) === false) {
			$message = 'Could not write ' . htmlspecialchars($htaccess);
		} else {
			$message = 'IP ' . htmlspecialchars($ip) . ' authorized!';
		}
	}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
	<title>--- Authorize an IP Address to a BackOffice WordPress .htaccess protect file --- </title>
	<style type="text/css">
		h1,.h1{
			font-family:"Lucida Grande", Verdana, Arial, sans-serif;
			font-weight:bold;
			color: #a20300;
			font-size:20px;
			line-height:150%;
			text-align: left;
		}
		h2,.h2{
			font-family:"Lucida Grande", Verdana, Arial, sans-serif;
			font-weight:bold;
			color: #bababa;
			font-size:10px;
			line-height:150%;
			text-align: left;
		}
		body
		{
			margin: 50px;
			background-color: #e9e9e9;
			text-align: left;
		}
		input.submit
		{
			font-size: 25px;
			font-weight: bold;
			text-align: left;
		}
	</style>
</head>
<body>
<h2>
This page will add and authorize your current IP address<br />
to the .htaccess file protecting your wp-admin folder in your WordPress site.<br />
So you can protect the access of wp-admin (deny from all)<br />
but still allow yourself to post from anywhere.<br />
<br />
You can also manually change the IP if you like<br />
</h2>
<h1 class="title">
Your current IP is: <?php echo htmlspecialchars($ip_cool); ?>
</h1>
<form class="content" action="" method="post">
	<p>
		<input type="text" class="submit" name="ip_change" style="font-size: 10px;" value="<?php echo htmlspecialchars($ip_cool); ?>" /><br /><br />
		<input type="submit" class="submit" value="Authorize current IP: <?php echo htmlspecialchars($ip_cool); ?>" />
	</p><br/>
</form>
<form action="http://www.myblog.com/wp-admin/" method="get" class="readmore">
	<p>
	<input type="submit" class="submit" value="Continue to /wp-admin Back Office" />
	</p>
</form>
<form action="wordpress://www.myblog.com/wp-admin" method="get">
	<p>
	<input type="submit" class="submit" value="or Launch iOS WordPress app" />
	</p><br/>
</form>
<h1>
<?php if ($message !== '') { echo '<br/>' . $message; } ?>
</h1>
<h2>Original Code by Nico - - Mods by oem<br /></h2>
</body>
</html>
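The script above writes whatever it receives straight into wp-admin/.htaccess, which is only safe while the page itself stays behind Basic auth. The following is an added example, not part of the original post or Nico's code: it validates every address before it can reach an "allow from" line, rebuilds the file for a whole allow list (in either the Apache 2.2 syntax used in the post or the Apache 2.4 Require syntax), and replaces the old file atomically instead of deleting it first. The addresses 203.0.113.10, 198.51.100.5 and 203.0.113.77 and the file paths are assumptions standing in for the placeholders on this page.

```php
<?php
// Added example (not from the original post): hardened .htaccess rewrite.
// IPs and paths below are assumed placeholders, not values from the post.

// Return the candidate as a plain IPv4/IPv6 string, or null if it is not one.
// Newlines, spaces and CIDR masks are all rejected by FILTER_VALIDATE_IP, so
// nothing but a bare address can ever land on an "allow from" line.
function validate_ip($candidate)
{
    $ip = trim((string) $candidate);
    return filter_var($ip, FILTER_VALIDATE_IP) === false ? null : $ip;
}

// Build the complete .htaccess for the given allow list. $apache24 selects the
// Apache 2.4 "Require" syntax; the default is the 2.2 Order/Allow/Deny syntax
// used in the post. In both forms the client must pass the IP check AND Basic
// auth (2.2 gets this from the default "Satisfy All", 2.4 from <RequireAll>).
function build_htaccess(array $ips, $htpasswd, $apache24 = false)
{
    $clean = array();
    foreach ($ips as $ip) {
        $v = validate_ip($ip);
        if ($v === null) {
            throw new InvalidArgumentException('not an IP address: ' . var_export($ip, true));
        }
        $clean[$v] = true;   // de-duplicate
    }
    $ips = array_keys($clean);

    $auth = "AuthName \"PROTECTED AREA\"\n"
          . "AuthType Basic\n"
          . "AuthUserFile \"$htpasswd\"\n";

    if ($apache24) {
        return $auth
             . "<RequireAll>\n"
             . "    Require ip " . implode(' ', $ips) . "\n"
             . "    Require valid-user\n"
             . "</RequireAll>\n";
    }
    $out = "order deny,allow\n";
    foreach ($ips as $ip) {
        $out .= "allow from $ip\n";
    }
    return $out . "deny from all\n\n" . $auth . "Require valid-user\n";
}

// Write the new content to a temporary file in the same directory and rename
// it into place. The original script unlinks the file before re-creating it,
// so a request arriving in that window sees no .htaccess at all, i.e. no
// restriction; rename() makes the swap a single atomic step.
function write_htaccess_atomic($path, $content)
{
    $tmp = tempnam(dirname($path), '.htaccess-');
    if ($tmp === false || file_put_contents($tmp, $content, LOCK_EX) === false) {
        return false;
    }
    chmod($tmp, 0644);            // tempnam() creates it 0600; Apache must read it
    if (!rename($tmp, $path)) {
        unlink($tmp);
        return false;
    }
    return true;
}

// Constructed input: what an unchecked $_POST['ip_change'] could carry. Written
// verbatim, as the original script does, it would add an "allow from all" line
// and silently lift the IP restriction. validate_ip() returns null for it.
$attack = "203.0.113.77\nallow from all";
var_dump(validate_ip($attack));

// Normal use: the two fixed addresses plus the caller's current one.
$fixed   = array('203.0.113.10', '198.51.100.5');
$current = validate_ip(isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '203.0.113.77');
$conf    = build_htaccess(array_merge($fixed, array($current)), '/some/path/to/your/.htpasswd');
echo $conf;
echo build_htaccess($fixed, '/some/path/to/your/.htpasswd', true);
// write_htaccess_atomic('/some/path/to/your/wp-admin/.htaccess', $conf);
```

Run from the command line the script dumps the rejected attack string as null and prints both flavours of the generated file; the final write is left commented out so nothing on disk changes until the paths are real. The 2.4 variant matters because Order/Allow/Deny are gone unless mod_access_compat is loaded, and a .htaccess containing them on a 2.4 host without it produces a 500 error rather than a locked-down wp-admin.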

Below is a little script to produce a hashed password line for .htpasswd

Encryptme.php

<?php
// Thanks to Nico for this bit of code
// © obcdnico at msn dot com
//
// crypt() needs an explicit salt (mandatory since PHP 8.0): build a SHA-512
// crypt salt ("$6$" + 16 chars from [./A-Za-z0-9] + "$"), which produces the
// same $6$ hash format as the .htpasswd example above.
function htpasswd_salt()
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return '$6$' . $salt . '$';
}

if (isset($_POST['login']) AND isset($_POST['pass']))
{
    $login = $_POST['login'];
    $pass_crypte = crypt($_POST['pass'], htpasswd_salt()); // hash the password
?>
<p>Line to copy into .htpasswd:<br /><?php echo htmlspecialchars($login . ':' . $pass_crypte); ?></p>
<?php
}
else // The form has not been submitted yet
{
?>
<p>Enter your login and password to hash it.</p>
<form method="post">
    <p>
        Login: <input type="text" name="login"><br />
        Password: <input type="password" name="pass"><br /><br />
        <input type="submit" value="Hash it!">
    </p>
</form>
<?php
}
?>
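The script above produces a line but gives no way to confirm that Apache will actually accept it. The following is an added example, not from the original post or Nico's code: it writes .htpasswd lines in the $6$ format shown on this page and in bcrypt, parses a .htpasswd back, and checks a login the same way mod_authn_file does, by re-running crypt() with the stored hash as the salt. The user names, passwords and file contents are constructed for the example.

```php
<?php
// Added example (not from the original post): generate and verify .htpasswd
// lines. Accounts and passwords below are made up for the demonstration.

// SHA-512 crypt line ($6$...), the format in the post's .htpasswd example.
// Apache hands unknown prefixes to the system crypt(), so this works on
// glibc-based hosts (as the author's evidently does) but is not guaranteed
// on every platform.
function htpasswd_line_sha512($user, $password)
{
    // 16-char salt from the crypt alphabet [./A-Za-z0-9]: base64 of 12 random
    // bytes is exactly 16 chars with no padding, and '+' is swapped for '.'.
    $salt = strtr(base64_encode(random_bytes(12)), '+', '.');
    return $user . ':' . crypt($password, '$6$' . $salt . '$');
}

// bcrypt line ($2y$...): accepted by Apache 2.4 (htpasswd -B, APR-util 1.5+)
// and the better choice wherever the server supports it.
function htpasswd_line_bcrypt($user, $password)
{
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
}

// Parse .htpasswd contents into user => hash; blank lines, comments and
// lines without a colon are skipped.
function parse_htpasswd($contents)
{
    $users = array();
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, ':') === false) {
            continue;
        }
        list($user, $hash) = explode(':', $line, 2);
        $users[$user] = $hash;
    }
    return $users;
}

// Check a credential; unknown users fail. crypt() handles both $6$ and $2y$
// hashes when given the stored hash as the salt, and hash_equals() keeps the
// comparison constant-time.
function htpasswd_check($contents, $user, $password)
{
    $users = parse_htpasswd($contents);
    if (!isset($users[$user])) {
        return false;
    }
    $stored = $users[$user];
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed sample file: two accounts, one per hash format.
$file = htpasswd_line_sha512('memyselfandI', 'kangourou') . "\n"
      . "# comment lines are ignored\n"
      . htpasswd_line_bcrypt('AnotherAuthorizedUser', 'correct horse') . "\n";
echo $file;

var_dump(htpasswd_check($file, 'memyselfandI', 'kangourou'));
var_dump(htpasswd_check($file, 'memyselfandI', 'Kangourou'));
var_dump(htpasswd_check($file, 'AnotherAuthorizedUser', 'correct horse'));
var_dump(htpasswd_check($file, 'nobody', 'kangourou'));
```

The four checks exercise the right password, a wrong password (case matters), the bcrypt account and an unknown user. If the $6$ line generated here fails against your own Apache while the bcrypt one passes, the host's crypt() does not implement SHA-512 crypt and the .htpasswd needs the bcrypt (or, on Apache 2.2, the htpasswd-generated MD5) format instead.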

Enjoy.
All original code by Nico: obcdnico at msn dot com

Update: 20131023 added WordPress iOS app shortcut

Olivier
About

Product and graphic designer turned to be a Mac SysAdmin.

Posted in Design, Development
3 comments on "Authorize an IP Address to a WordPress BackOffice protected with .htaccess"
  1. nico says:

    The pleasure was mine :-)

  2. nico says:

    It breaks my heart.. here is my blog and its article:

    http://obysky.com/2014/02/deplacer-son-prestashop-et-retrouver-son-mot-de-passe/

    and the code:

    // don't forget the Prestashop config
    include(dirname(__FILE__).'/../config/config.inc.php');

    if (Tools::isSubmit('password')) {
        $email = Tools::getValue('email');
        $new = Tools::getValue('pass');
        $new_encrypt = Tools::encrypt($new);
        if (empty($new_encrypt)) {
            echo 'Fill in the field';
        } else {
            Db::getInstance()->Execute('UPDATE `'._DB_PREFIX_.'employee` SET
            `passwd`="'.pSQL($new_encrypt).'" WHERE `email`="'.pSQL($email).'"');
            echo 'Record saved';
        }
    }
