WordPress offers a multitude of user management and access control related features. We recommend using them as your primary means of access management. For instance, you can easily protect individual pages and posts with a password by setting post visibility in WordPress Dashboard to ‘Password Protected’. You can also activate maintenance and allow only selected users to access the entire site.
Restricting access by IP address
If a section of your site should only be visible to visitors from a certain subnet, for example an intranet or extranet page, you might want to use IP address based access controls. Note however that IP addresses can change, so you need to keep the IP lists up to date manually. IP addresses should not be used to protect very sensitive content, as blanket IP access rules produce no per-user audit trail.
You can implement IP restriction by creating a new nginx configuration file with content similar to the following:
location ^~ /restricted-section/ {
    allow 1.2.3.4;
    allow 5.6.7.8;
    deny all;
}
Warning!
Do not activate IP address based restrictions for the entire site. Otherwise the site monitoring will start to fail and Seravo’s admins cannot access your site to do upkeep anymore.
Sometimes your users need to access the page on the go, so it may be a good idea to also provide a password-authenticated alternative they can fall back on. Instead of IP-based restrictions, you should also consider a plugin that implements two-factor authentication (2FA).
Restrict Site Access by Country
Sometimes it may be useful or required to restrict or redirect a visitor's access to a site based on what country the visitor is located in. Using the Seravo-specific HTTP header X-Seravo-Geo-Country-Code you can achieve more specific restrictions.
Forward Visitors to Another Site With PHP
Useful e.g. if you have a multilingual site and you want to forward visitors directly to the correct language version.
<?php
if (isset($_SERVER['HTTP_X_SERAVO_GEO_COUNTRY_CODE'])) {
    switch (strtolower($_SERVER['HTTP_X_SERAVO_GEO_COUNTRY_CODE'])) {
        // Forward Finnish visitors to example.fi
        case 'fi':
            header("Location: https://example.fi");
            exit();
        // Forward Swedish visitors to example.se
        case 'se':
            header("Location: https://example.se");
            exit();
        default:
            // Do nothing, continue processing in WordPress
            break;
    }
} else {
    error_log("Error: X-Seravo-Geo-Country-Code header not found!");
}
Forward Visitors to Another Site With nginx
The same can be implemented with the nginx web server.
# Redirect Finnish visitors to example.fi
if ($http_x_seravo_geo_country_code = "FI") {
    return 301 https://example.fi;
}
# Redirect Swedish visitors to example.se
if ($http_x_seravo_geo_country_code = "SE") {
    return 301 https://example.se;
}
Restricting access with HTTP Basic Authentication
This applies only to static HTML pages. If you want to restrict access to certain WordPress pages or sections, use a plugin or PHP code to implement it.
Header-based HTTP Basic Authentication is a rather dated mechanism in terms of how it protects credentials. The list of usernames and passwords has to be maintained manually with the htpasswd command line utility. Create the file with the -c option first, then add more users as needed:
# -c creates the file; -b takes the password from the command line (omit -b to be prompted for it instead)
htpasswd -bc /data/wordpress/nginx/htpasswd-file-example username1 adminpassword
# Add further users to the existing file without -c
htpasswd -b /data/wordpress/nginx/htpasswd-file-example username2 userpassword
Once you’ve generated an htpasswd file you can activate it for a particular path, for example by creating a file /data/wordpress/nginx/htauth.conf like this:
location ^~ /restricted-section/ {
    auth_basic "Arbitrary realm name";
    auth_basic_user_file /data/wordpress/nginx/htpasswd-file-example;
}
Remember to run wp-restart-nginx to restart nginx so the change takes effect.
Warning!
Do not activate HTTP Authentication for the entire site. Otherwise the site monitoring will start to fail and Seravo’s admins cannot access your site to do upkeep anymore.
Seravo's default restrictions
For security reasons Seravo implements an array of restrictions that are designed to never interfere with legitimate usage of any WordPress site. However, in some rare cases plugin functionality or integrations may hit our security limits when all of the conditions listed below are true at the same time:
the site receives over 200 HTTP requests per minute
the requests are directed to WordPress/PHP scripts
the requests are all coming from the same IP address.
If this limit is hit, the browser or bot receives an HTTP 429 response and warnings about PHP flood restrictions are written to the log at /data/log/nginx-error.log. If you hit these limits, you can investigate the HTTP access log at /data/log/nginx-access.log to see what the requests are and why there are so many of them. Note that this limitation does not apply to static assets (JS, CSS, images) nor to cached PHP responses.
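To make that access-log investigation concrete, here is an added example (not Seravo's own tooling) that counts non-static requests per source IP per minute and flags any that exceed the 200-per-minute limit described above. It assumes the standard nginx "combined" log format and runs on a constructed sample log embedded in the script.

```python
import re
from collections import Counter

# Assumption: standard nginx "combined" log format; adapt LOG_RE if the real log differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)
# Static assets are exempt from the flood limit, so they are not counted.
STATIC_EXT = ('.js', '.css', '.png', '.jpg', '.jpeg', '.gif', '.svg', '.woff', '.woff2', '.ico')
LIMIT_PER_MINUTE = 200  # threshold described on the page


def is_php_request(path: str) -> bool:
    """Treat every request that is not a static asset as one that reaches PHP."""
    path = path.split('?', 1)[0].lower()
    return not path.endswith(STATIC_EXT)


def minute_bucket(time_local: str) -> str:
    """'10/Oct/2023:13:55:36 +0000' -> '10/Oct/2023:13:55' (drop seconds and zone)."""
    return time_local.rsplit(':', 1)[0]


def count_php_requests(lines):
    """Return Counter keyed by (ip, minute) over the non-static requests in lines."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_php_request(m['path']):
            counts[(m['ip'], minute_bucket(m['time']))] += 1
    return counts


def find_flooders(lines, limit=LIMIT_PER_MINUTE):
    """(ip, minute, count) tuples for every source that exceeded the limit in a minute."""
    return sorted((ip, minute, n) for (ip, minute), n in count_php_requests(lines).items() if n > limit)


def _sample_log():
    """Constructed sample: one IP floods admin-ajax.php, plus static and normal traffic."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "{req} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [fmt.format(ip='203.0.113.7', s=i % 60, req='POST /wp-admin/admin-ajax.php', ua='bot/1.0') for i in range(250)]
    lines += [fmt.format(ip='203.0.113.7', s=i % 60, req='GET /wp-content/themes/x/style.css', ua='bot/1.0') for i in range(300)]
    lines += [fmt.format(ip='198.51.100.9', s=i % 60, req='GET /?p=12', ua='Mozilla/5.0') for i in range(50)]
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == '__main__':
    print(find_flooders(SAMPLE_LOG))  # → [('203.0.113.7', '10/Oct/2023:13:55', 250)]
```

Run it against the real file with `find_flooders(open('/data/log/nginx-access.log'))`; the 300 CSS hits from the flooding IP are correctly ignored because static assets are exempt.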
