5

I want to allow only my IP address to access wp-admin, but at the same time I don't want the calls to admin-ajax.php to be blocked. So I want to whitelist admin-ajax.php. Does the following code in .htaccess (placed in the wp-admin directory) achieve these objectives?

#Protect wp-admin  
AuthUserFile /dev/null  
AuthGroupFile /dev/null  
AuthName "WordPress Admin Access Control"  
AuthType Basic  
<LIMIT GET>  
  order deny,allow  
  deny from all  
  allow from <my IP address>  
</LIMIT>  

#Allow access to wp-admin/admin-ajax.php  
<Files admin-ajax.php>  
  Order allow,deny  
  Allow from all  
  Satisfy any  
</Files>  
3
  • What version of Apache are you using? Why the HTTP Basic Authentication directives? Are you having to override a parent config?
    – MrWhite
    Commented Jan 17, 2022 at 10:30
  • Sorry, my knowledge of these things is very limited. I am trying to create my own website and have done it as per this: wpbeginner.com/wp-tutorials/…
    – ishchat
    Commented Jan 17, 2022 at 11:58
  • I did some tests. The above script seems to be working correctly. It is blocking wp-admin access except for the allowed IP, while at the same time allowing access to admin-ajax.php for everyone. If anyone has any improvisations, please suggest.
    – ishchat
    Commented Jan 19, 2022 at 8:48

2 Answers

1

You can tidy this up:

  • You need to put quotes (double or single) around your file name.
  • You don't need to have "Order allow,deny" since you are allowing all 1 line below.

Like this is fine:

<Files "admin-ajax.php">
Allow from all
Satisfy Any
</Files>
0

Create file .htaccess in /path/to/wordpress/wp-admin with this content and you should be good to go.

# Enable basic authentication
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /path/to/secure/folder/.htpasswd
Require valid-user

# Allow access to admin-ajax.php without authentication
SetEnvIf Request_URI "^/wp-admin/admin-ajax\.php$" allow_ajax
Order allow,deny
Allow from env=allow_ajax
Satisfy any
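
The same policy in Apache 2.4 syntax, as an added example that is not part of the original posts: the `Order`/`Allow`/`Deny`/`Satisfy` directives used on this page are the 2.2-era form (served by mod_access_compat on 2.4), and the `<LIMIT GET>` wrapper in the question applies the IP restriction to GET requests only, leaving other methods such as POST unrestricted. Assumptions: Apache 2.4 with mod_authz_core, `AllowOverride` permitting `AuthConfig` for this directory, and `203.0.113.10` as a placeholder documentation address standing in for your own IP.

```apache
# /path/to/wordpress/wp-admin/.htaccess  (Apache 2.4, mod_authz_core)
# Added example. 203.0.113.10 is a placeholder from the documentation
# address range; replace it with your own IP address.

# Default for everything under wp-admin: only the listed address is allowed.
# There is no <Limit> wrapper, so the rule covers every HTTP method
# (GET, POST, ...), not just GET.
Require ip 203.0.113.10

# admin-ajax.php is called by front-end visitors, so open it to everyone.
# A <Files> section is merged after the directory-level rule above and,
# with the default AuthMerging Off, replaces it for this one file.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Do not combine these with Order/Allow/Deny/Satisfy in the same file;
# pick one style so the resulting policy is unambiguous.
```

To check the result, request `/wp-admin/` from an address that is not listed and confirm a 403 response, then confirm that `/wp-admin/admin-ajax.php` is still reachable from that address.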
