Tag Archives: dreamhost

Restricting WordPress Admin Access

Following up on Securing Administration of Shared Hosting, if you can restrict access to your administrative pages to a specific IP address or addresses.

This works best if you’re tunneling your traffic to your webserver though ssh, because your IP address may be changing, if you’re using hotspots or if your ISP changes your IP address. This is done though a simple update to the .htaccess file. Edit or create /wp-admin/.htaccess so it contains:
ErrorDocument 403 http://www.tidgubi.com/
Order Allow,Deny
Allow from 208.113.186.

The first line changes the “Unauthorized” behavior to simply redirect to my homepage. Otherwise the webserver seems to try to serve the error page from /wp-admin/ and ends up in a redirect loop.

The second line makes the allow/deny decision to default to deny unless there is a specific allow directive (https://httpd.apache.org/docs/2.0/mod/mod_access.html#order)

The last line specifies the IP address or partial IP address to allow. I assume Dreamhost uses load balancing and/or virtual servers, so I didn’t want to restrict access to a single IP address, but figured the IP range would be restrictive enough.

Securing Administration of Shared Hosting

If you didn’t already know, ssh can be used to tunnel a single TCP port from the client to the server. I wanted to use this ability to prevent my site credentials and cookies from being sent in plaintext over the internet (since I’ve been trying to avoid paying for SSL/TLS). This works on Dreamhost, but should work on pretty much any shared hosting provider that allows you to ssh into the server.

In short it takes a few hacks to get everything to play together and requires super user privileges on the machine you are connecting from, but does not require any special privileges on the remote server.

First establish a specific subdomain (or alternative domain) to ssh into (for example ssh.tidgubi.com). This will prevent DNS conflicts with the main domains (www.tidgubi.com and tidgubi.com).

Next edit your local hosts file. Create entries so your computer resolves your webserver to your local machine (127.0.0.1 www.tidgubi.com).

Login with an administrator account or console session (for a long time I didn’t realize you could just open a console and type login <admin_account>).

Create an ssh tunnel between your computer and your webserver by running command sudo ssh kenji@ssh.tidgubi.com -L 80:www.tidgubi.com:80
This command breaks down as follows:

  • sudo – requires root permissions to listen on local port 80
  • ssh – run the ssh client program
  • kenji@ssh.tidgubi.com – username and ssh server
  • -L – specifies local port forwarding
  • 80 – local port to listen for data on
  • www.tidgubi.com – remote webserver. This is resolved by the ssh server, so it does not conflict with the hosts file change
  • 80 – remote port to forward traffic to. Assuming you’re forwarding traffic to a standard webserver, this should be port 80

Notes

  • This does not work well if you try to use a different local port, because different servers and web-apps redirect traffic differently and may override explicitly set ports in the URL
  • This commands only forwards traffic coming from the local client. You can add the -g option to the ssh command if you want to allow other computers to send data to the webserver
  • Ideally you can ssh directly into your webserver, so the forwarded traffic does not get sent out on any network once it is plaintext again.

Next use .htaccess to restrict access to administrative pages.