Combining htaccess, file match, deny/allow, and IP address

Hello,

I want to use htaccess to block access to the WordPress Admin area, for everyone unless they are inside our building. This not-working htaccess rule can explain it the best:

# Block WordPress Admin from public
<Files wp-login.php>
order deny,allow
deny from all
allow from HTTP_CF_CONNECTING_IP 999.999.999.999
</Files>

Note, I’m not looking for page rules at this time, just htaccess. Don’t want to cross that bridge if I don’t have to.

I have tried a few searches on CF community and Google but I can only seem to find solutions that involve 2 out of 3 of topics at once, never all 3. For example, if I wanted to block the entire website, there are plenty of search results showing how HTTP_CF_CONNECTING_IP can save the day. But I can’t find any references to HTTP_CF_CONNECTION_IP that work inside of

What could I do to make this work?

You can do it that way, but why don't you block non-Cloudflare IPs and then create a Firewall Rule that blocks all IPs except your IP or range?

(http.request.uri.path contains "/wp-admin" and ip.src ne xxx.xxx.xxx.xxx)

You should consider using Cloudflare Access with a Bypass rule. More flexible, and I think with just a bypass rule it should be free, but you also get 5 users outside the IP bypass range included so you can have a few remote authenticated users!

This should work in .htaccess

SetEnvIF CF-Connecting-IP "10.20.30.40" MySecretIP
<RequireAll>
Require env MySecretIP
</RequireAll>

Wow, I did not format my post even though the forums warned me. Looks terrible. Updating it now, but will reply here too:

<Files wp-login.php>
order allow,deny
allow from HTTP_CF_CONNECTION_IP
</Files>

So if I were to use your suggestion, could I combine that with wp-login.php somehow? If not, that is likely because I let the forums eat my code block.

Cloudflare Access and a Bypass rule sound interesting. They leave the door open for some 3am remote emergency access, but then again we could just edit the htaccess rule too.

Guess I wanted htaccess so that I’d have something portable (change one line) should we leave Cloudflare. Not to mention if we left Cloudflare, it would essentially be a fail-secure solution instead of fail-open. Btw I updated my post because I didn’t format with a code block. Whoops.

There are lots and lots of ways to skin this cat, and it all depends on how much access you have to the server.

Remember that your origin server does not see the client IP directly; it sees the Cloudflare IP. Also, you cannot reference the CF-Connecting-IP header directly in an Allow rule, which is why my solution uses SetEnvIf to set a variable based on the CF-Connecting-IP header and references the resulting env in the Allow rule.

Combine them like this:

SetEnvIF CF-Connecting-IP "10.20.30.40" MySecretIP
<Files wp-login.php>
order allow,deny
allow from env=MySecretIP
</Files>

You could use mod_remoteip to change the client IP, and then just use a normal Allow config with your office IP range. This may or may not be available with your Apache hosting.
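As an added example (not from the thread or from Cloudflare), here is the Apache 2.4 form of the two approaches above: mod_remoteip in the server/vhost config so that `Require ip` sees the real client, plus the SetEnvIf fallback for .htaccess-only hosting. It assumes Apache 2.4 with mod_remoteip, mod_setenvif and mod_authz_core loaded; 10.20.30.40 and 203.0.113.0/24 are placeholder office addresses and conf/cloudflare-ips.txt is a placeholder file you fill from Cloudflare's published edge ranges.

```apache
# --- Option A: server or VirtualHost config (not .htaccess) ---------------
# Rewrite the connection's client address from CF-Connecting-IP, but only
# when the TCP peer is a trusted Cloudflare edge. A request that reaches
# the origin directly keeps its real peer address and the header is
# ignored, so a forged CF-Connecting-IP cannot unlock the login page.
RemoteIPHeader CF-Connecting-IP
# Placeholder: one Cloudflare CIDR per line, copied from their published list.
RemoteIPTrustedProxyList conf/cloudflare-ips.txt

# With the client address restored, a plain address check is enough.
# Several Require lines in one section are combined as "any of them".
<Files "wp-login.php">
    Require ip 10.20.30.40
    Require ip 203.0.113.0/24
</Files>

# --- Option B: .htaccess fallback when mod_remoteip is unavailable --------
# SetEnvIf takes a regex, so anchor it: an unanchored "10.20.30.40" would
# also match 110.20.30.40 or 10.20.30.400. Only trust this header if the
# origin accepts connections solely from Cloudflare (firewall or allow-list).
SetEnvIf CF-Connecting-IP "^10\.20\.30\.40$" office_ip
<Files "wp-login.php">
    Require env office_ip
</Files>
```

Option B is the 2.4 equivalent of the `order allow,deny` / `allow from env=` snippet above, which on Apache 2.4 only works while mod_access_compat is loaded.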

Thank you Michael, that worked!
