This is what I have in /etc/apache2/apache2.conf:
<Directory /var/www>
Options Indexes FollowSymLinks
AllowOverride ALL
Require all granted
Require valid-user
</Directory>
I’ve searched and they said to change AllowOverride to ALL instead of None, but there’s also a new code Require valid-user, do I need to remove this or leave it as it is?
I’ve modified my .htaccess file too within /var/www/html/ so currently it contains as follows:
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^secret$ https://example.com/wp-login.php [NC,L]
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
It doesn’t seem to change the wp-login.php to https://example.com/secret unfortunately.
So I’ve reverted the .htaccess back to normal in /var/www/html/ and left /etc/apache2/apache2.conf as AllowOverride ALL.
Here’s another attempt in securing the wp-admin.php by restricting IP:
1) Clone copy of .htaccess from /var/www/html/
2) Erase and edit cloned copy of .htaccess with the following in Notepad:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist IP address
allow from xx.xx.xx.xxx
</LIMIT>
3) Paste the file into /var/www/html/wp-admin/
4) Visit /wp-admin using the xx.xx.xx.xxx IP and encounter error:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator at webmaster@localhost to inform them of the time this error occurred, and the actions you performed just before this error. More information about this error may be available in the server error log.
5) Error log via /var/log/apache2/:
[Tue Sep 08 06:02:00.672843 2020] [core:alert] [pid 29874] [client xxx.xxx.xxx.xx:60649] /var/www/html/wp-admin/.htaccess: AuthUserFile not allowed here
How can I enable .htaccess to get it to work in Google Cloud VM, Debian 9, Apache2 Linux?
- This reply was modified 1 day, 14 hours ago by hifumi.
I tried to use Htaccess by BestWebSoft to add allow,deny for certain IP addresses, which modifies the .htaccess in /var/www/html/ but it still gives me the same error. Removing it won’t cause internal error.
OK, I’ve reverted everything back to how I installed WordPress.
This time I’ve modified only the .htaccess file to include:
RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?phpmyadmin$
RewriteCond %{REMOTE_ADDR} !^00.000.000.00$
RewriteRule ^(.*)$ - [R=403,L]
The 00.000.000.00 indicates only that IP address can access the wp-login.php, wp-admin and phpMyAdmin, any other IP address attempting will be denied and it’ll display that you do not have permission to access.
View more documentation regarding phpMyAdmin too:
https://docs.phpmyadmin.net/en/latest/faq.html#faq1-42
- This reply was modified 1 day, 3 hours ago by hifumi.
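A way to check which requests the RewriteCond chain in the last reply actually denies, as an added example that is not part of the original thread: it replays the posted patterns with Python's re module against constructed request paths and client addresses. It models only the five rewrite lines, not the rest of Apache's request handling; the names `is_forbidden` and `coverage` and all sample values are assumptions made here.

```python
import re

# RewriteCond patterns copied from the reply above. The three REQUEST_URI
# tests are joined by [OR]; the REMOTE_ADDR test is ANDed with that group.
URI_PATTERNS = [
    r"^(.*)?wp-login.php(.*)$",
    r"^(.*)?wp-admin$",
    r"^(.*)?phpmyadmin$",
]
ALLOWED_ADDR_PATTERN = r"^00.000.000.00$"  # placeholder address from the post


def is_forbidden(request_uri, remote_addr):
    """True when the conditions hold, i.e. the RewriteRule would return 403.

    request_uri is the URL path only: Apache's REQUEST_URI excludes the
    query string.
    """
    uri_listed = any(re.search(p, request_uri) for p in URI_PATTERNS)
    addr_allowed = re.search(ALLOWED_ADDR_PATTERN, remote_addr) is not None
    return uri_listed and not addr_allowed


def coverage(paths, remote_addr):
    """Map each path to the decision for one client address."""
    return {p: is_forbidden(p, remote_addr) for p in paths}


# Constructed sample input: request paths and a documentation-range address.
SAMPLE_PATHS = [
    "/wp-login.php",
    "/wp-admin",
    "/wp-admin/",
    "/wp-admin/admin-ajax.php",
    "/phpmyadmin",
    "/phpmyadmin/",
    "/index.php",
]
OTHER_CLIENT = "198.51.100.7"
LISTED_CLIENT = "00.000.000.00"  # the post's placeholder, used literally

if __name__ == "__main__":
    for client in (OTHER_CLIENT, LISTED_CLIENT):
        print(f"client {client}")
        for path, denied in coverage(SAMPLE_PATHS, client).items():
            print(f"  {path:28} {'403' if denied else 'passes the rule'}")
```

A path that passes the rule is still subject to whatever else the site enforces, such as the WordPress login itself; the script reports only what these five lines decide.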