Blocking access to wp-admin and wp-login.php using Apache virtual hosts and different ports

Tags: apache-2.2, rewrite, virtualhost

I have a site running WordPress defined in a virtual host listening at port 80 (www.example.com).

I want to stop people from accessing /wp-admin and wp-login.php, but allow access when they use a different port, like www.example.com:8080/wp-admin or www.example.com:8080/wp-login.php.

I added some RewriteRules to show a 404 error page when they hit the site at port 80 and created a new virtual host for the same site that listens at port 8080 as follows:

<VirtualHost 192.168.3.20:80>
Options -Indexes +FollowSymlinks

RewriteEngine on
RewriteRule ^/wp-login.php /wp-content/themes/404.html [R=404,NC]
RewriteRule ^/wp-admin$ /wp-content/themes/404.html [R=404,NC]

DocumentRoot /var/www/html/wordpress
ServerName www.example.com
</VirtualHost>

<VirtualHost 192.168.3.20:8080>
DocumentRoot /var/www/html/wordpress
ServerName www.example.com
</VirtualHost>

It works well, showing a 404 error when accessing /wp-admin and wp-login.php on port 80. When accessing through www.example.com:8080/wp-admin or www.example.com:8080/wp-login.php, it shows the login page as expected, but after entering the credentials and pressing Enter to continue, it shows me the 404 error page declared for the virtual host on port 80. That is what I don't want, and after a lot of testing I cannot avoid it.

Does anybody have an idea of how to solve it? Maybe I am taking the wrong approach to this?

Best Answer

I'm sorry to say that I'm afraid what you're trying is not possible with WordPress. In your site settings, you defined the URL where your WordPress lives -- http://www.domain.com/. WordPress, in compliance with W3C specifications, always implements its redirects using the full host name as provided in its settings, so when you log in and it verifies your credentials, it then redirects you to http://www.domain.com/wp-admin, regardless of whether you came in on port 80, port 8080, or port 56348. I ran into this same problem myself when trying to set up an exact mirror of my WP blog on a different port for testing theme and plugin development.

To add extra security to your site's admin pages, you can try a couple of things:

  1. Keep the wp-login.php page solely available on port 8080, but you'll have to allow wp-admin to be accessed on port 80.
  2. If I'm not mistaken, you can set WordPress to require HTTPS for the admin section, and then use your 404 rules to block it on port 80. This has the same effect as what you're trying to accomplish for someone trying to directly access wp-admin or wp-login.php; however, someone clicking on the Site Admin button on your blog will most likely be taken directly to the HTTPS wp-login.php.
  3. In combination with either of the above, you can add an additional password using Apache HTTP Digest authentication (don't use Basic). This then requires a user accessing your WP admin to know (or to crack) two separate passwords.
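As an added example of option 3 above (not part of the question or the answer), here is what HTTP Digest authentication on the login page and the admin directory looks like in the asker's port-80 virtual host, using Apache 2.2 syntax. The DocumentRoot and address are taken from the question; the digest file path /etc/httpd/wp-admin.digest and the realm name "WordPress Admin" are assumptions. admin-ajax.php is exempted because the public front end of many themes and plugins calls it, and a second password prompt there would break those features for anonymous visitors.

```apache
# Added example, not from the original post. Requires mod_auth_digest to be
# loaded (on most distributions it ships with Apache and is enabled by default).
<VirtualHost 192.168.3.20:80>
    ServerName www.example.com
    DocumentRoot /var/www/html/wordpress
    Options -Indexes +FollowSymlinks

    # wp-login.php is a single file in the DocumentRoot, so match it by name.
    # AuthName is the Digest realm; it must match the realm given to htdigest.
    <Files wp-login.php>
        AuthType Digest
        AuthName "WordPress Admin"
        AuthDigestDomain /wp-login.php /wp-admin/
        AuthDigestProvider file
        AuthUserFile /etc/httpd/wp-admin.digest
        Require valid-user
    </Files>

    # Everything under wp-admin/ gets the same realm, so one browser prompt
    # covers both the login page and the dashboard.
    <Directory /var/www/html/wordpress/wp-admin>
        AuthType Digest
        AuthName "WordPress Admin"
        AuthDigestDomain /wp-login.php /wp-admin/
        AuthDigestProvider file
        AuthUserFile /etc/httpd/wp-admin.digest
        Require valid-user

        # admin-ajax.php is requested by the public site for anonymous visitors;
        # Satisfy Any lets the Allow rule pass it without the Digest password.
        <Files admin-ajax.php>
            Order allow,deny
            Allow from all
            Satisfy Any
        </Files>
    </Directory>
</VirtualHost>
```

Create the digest file with the same realm string, for example `htdigest -c /etc/httpd/wp-admin.digest "WordPress Admin" alice`, and keep it outside the DocumentRoot so it can never be served. If you combine this with option 2, the WordPress side is the `define('FORCE_SSL_ADMIN', true);` constant in wp-config.php, and the same two sections would then live in the port-443 virtual host rather than this one.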