How can I setup an IP whitelist for a subdirectory?
Does the actual administrator page (probably PHP?) exist there, or is it just generated from something like index.php with a fake directory structure?
To simplify, try something like this (in your main config file, not .htaccess):

```apache
<Location /administrator>
Order deny,allow
Deny from all
Allow from 96.xxx.xx.xxx
Allow from 97.xx.xxx.xxx
</Location>
```
Ben Harold, updated on September 18, 2022

Comments

Ben Harold (almost 2 years):
A client of mine complained of an attack. I checked the access log and found a massive number of requests for the admin login page from seemingly random IP addresses. I created an .htaccess file in the /administrator directory and populated it with the following (IP addresses obfuscated):

```apache
order deny,allow
deny from all
allow from 96.xxx.xx.xxx #my IP address
allow from 97.xx.xxx.xxx #my client's IP address
```
I then went to a free proxy server and typed in the URL for the admin page. The page didn't load any of the assets (images), but it did load the actual page itself.
Joomla! does some SEF stuff in the .htaccess file that is in the DocumentRoot. It looks like this:

```apache
## Begin - Joomla! core SEF Section.
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the request is for something within the component folder,
# or for the site root, or for an extensionless URL, or the
# requested URL ends with one of the listed extensions
RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
## End - Joomla! core SEF Section.
```
I am guessing that the reason that the .htaccess file in the administrator directory isn't working properly has something to do with the main Joomla! .htaccess file. Is that true? I tried adding this to my main .htaccess file, but it resulted in a 500 error:

```apache
<Directory /var/www/vhosts/sweathelp.org/httpdocs/administrator>
order deny,allow
deny from all
allow from 96.xxx.xx.xxx
allow from 97.xx.xxx.xxx
</Directory>
```
How can I effectively block all access to the administrator directory, excluding the two whitelisted IP addresses?
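To see what the answer's `<Location /administrator>` block with `Order deny,allow` / `Deny from all` / `Allow from ...` would do to the kind of traffic described in the question, the added script below (not part of the thread, and not Joomla! or Apache code) replays constructed combined-format log lines against an allow-list and reports which admin requests would be let through and which would be refused per source IP. The IP addresses, the CIDR entry and the log lines are all made up from documentation ranges; the path matching follows how `<Location>` applies to a prefix and everything below it.

```python
import ipaddress
import re
from collections import Counter

# Constructed allow-list (documentation-range addresses, not the question's real IPs);
# one single host and one CIDR network, both of which 'Allow from' accepts.
ALLOW_FROM = ["203.0.113.10", "198.51.100.0/24"]
PROTECTED = "/administrator"   # the <Location> prefix used in the answer

# Constructed combined-format access log lines standing in for the question's log.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Sep/2022:10:00:01 +0000] "GET /administrator/index.php HTTP/1.1" 200 5120
192.0.2.44 - - [18/Sep/2022:10:00:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 0
192.0.2.45 - - [18/Sep/2022:10:00:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 0
192.0.2.44 - - [18/Sep/2022:10:00:03 +0000] "POST /administrator/index.php HTTP/1.1" 303 0
198.51.100.7 - - [18/Sep/2022:10:00:04 +0000] "GET /administrator/templates/a.css HTTP/1.1" 200 900
192.0.2.44 - - [18/Sep/2022:10:00:05 +0000] "GET /administratorx/ HTTP/1.1" 404 0
192.0.2.44 - - [18/Sep/2022:10:00:06 +0000] "GET /index.php?option=com_users HTTP/1.1" 200 8000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def in_location(path: str) -> bool:
    """<Location /administrator> covers /administrator and everything below it, not /administratorx."""
    path = path.split("?", 1)[0]          # the query string is not part of the URL-path
    return path == PROTECTED or path.startswith(PROTECTED + "/")


def allowed(ip: str, allow_from=ALLOW_FROM) -> bool:
    """Order deny,allow + Deny from all + Allow from ...: only listed hosts/networks get through."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allow_from)


def audit(log_text: str, allow_from=ALLOW_FROM):
    """Replay the log against the rule: returns (allowed count, Counter of denied requests per IP)."""
    denied, ok = Counter(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not in_location(m["path"]):
            continue                      # unparsable line, or outside the protected location
        if allowed(m["ip"], allow_from):
            ok += 1
        else:
            denied[m["ip"]] += 1
    return ok, denied


if __name__ == "__main__":
    ok, denied = audit(SAMPLE_LOG)
    print(f"admin requests allowed: {ok}")
    for ip, n in denied.most_common():
        print(f"would deny {n} request(s) from {ip}")
```

Apache does not accept a comment after a directive on the same line, so when writing the real rule keep `# comments` on lines of their own rather than trailing the `Allow from` entries.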