We can use it, for example, to deny access to the WordPress Dashboard from all IP addresses except ours.
Those of us with a shared hosting account most likely use the cPanel control panel. If you do, log in and look for the IP Deny Manager, which is cPanel's pale version of the Apache module. Now ignore it. We'll use the command line to create a more powerful rule instead.
Creating mod_access allow/deny rules
Like cPanel's IP Deny Manager, but with greater flexibility, a hand-coded mod_access ruleset written at the command line lets us allow or deny all but our specified IP addresses, domains, hosts, and networks.
For now, we'll prevent access to the wp-admin directory pages for all IPs except yours.
Open an .htaccess file in your wp-admin directory via your control panel or the terminal (substituting your own path for the one below):
And add these lines, swapping the IP for yours:
Need access from more IPs? Just add more alongside the first one, single space separated:
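The ruleset these steps build, written out as an added example rather than the tutorial's own listing. The addresses are constructed placeholders from the documentation ranges, and the Apache 2.4 branch and the optional admin-ajax.php exception are additions that assume a newer server or a front end that calls that endpoint.

```apache
# File: wp-admin/.htaccess
# 203.0.113.10 and 198.51.100.0/24 are constructed placeholders; use your own.
# The host must permit these directives in .htaccess
# (AllowOverride Limit for Order/Allow/Deny, AuthConfig for Require).

<IfModule !mod_authz_core.c>
    # Apache 2.2 and earlier (mod_access, later renamed mod_authz_host).
    # deny,allow: Deny rules are evaluated first, then a matching Allow wins.
    Order deny,allow
    Deny from all
    # Several addresses or networks go on one line, single space separated.
    Allow from 203.0.113.10 198.51.100.0/24
</IfModule>

<IfModule mod_authz_core.c>
    # Apache 2.4 and later: Require replaces Order/Allow/Deny.
    # Any client not listed here receives 403 Forbidden.
    Require ip 203.0.113.10 198.51.100.0/24
</IfModule>

# Optional (assumption: your theme or plugins send front-end AJAX requests
# to wp-admin/admin-ajax.php). Without this exception those requests from
# ordinary visitors are refused along with everything else in wp-admin.
<Files "admin-ajax.php">
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Files>
```

To check the rule, request a wp-admin page from an address that is not on the list; the server should answer 403 Forbidden.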
But what is my IP address?
That old chestnut. Good point. Here's a place to tell you:
Denying alone won't protect against man-in-the-middle attacks. So if you got this far into wpCop's Lock Down WP Connections tutorials thinking that you could have avoided all the SSL stuff after all: no, you were right to do it.
No safeguard is a silver bullet. Deny syntax sure helps though, at least if your IP address isn't constantly changing.
OK, top marks, we just saw how easy it was to use an Apache security module. Hopefully that's encouraging as we go up a gear to Setup Apache’s mod_auth to Password Protect Directories. This is a tad more complex but we'll take it one step at a time and end up with a very useful, highly protective solution.
Did I say “Hurrah”?