
Restricting site access

Partial restriction of site access

Partial restriction of site access can be achieved at the application level.

When creating application-level restrictions, it’s important to take into consideration the VIP Platform’s page cache and to keep in mind that requests served from the cache will not run application code.

Considerations

  • Be careful not to restrict legitimate traffic. Always take time to confirm that the restriction logic will not block traffic that is intended to be unrestricted.
  • Application code to restrict requests should be added as a plugin in the /client-mu-plugins directory to ensure that restricted requests are blocked early.
  • Requests blocked via application code are blocked at the origin, not the edge (load balancer). If a request is served from the cache at the edge, it does not reach the origin and cannot be restricted by application code.
  • To restrict an entire environment to one or more IP addresses, the recommended approach is to use the VIP Dashboard’s IP Allow List feature as it does not depend on application code but rather blocks requests at the edge (load balancer).
  • Any IP-based restrictions at the application level must allow requests from the Automattic network. Site access for VIP Support is required for a site to be fully supported.

Common methods

Restricting access to the WordPress Admin by only allowing specific IP addresses

Before the WordPress authentication process, a visitor’s IP address can be checked against a list of allowed IPs using the WordPress wp_authenticate hook. If the IP does not match, a 403 Forbidden header can be returned. See code example.

Restricting access to one or more URIs by only allowing logged-in users

By using the WordPress init hook, the current URI of each request can be compared to a restricted list of paths and a 403 Forbidden header returned if the visitor is not logged in. See code example.
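The two methods above, combined into one mu-plugin, as an added example that is not VIP's own code. It assumes a hypothetical file `client-mu-plugins/restrict-site-access.php`, constructed allow-list ranges (TEST-NET addresses) and paths, and that `$_SERVER['REMOTE_ADDR']` holds the real client IP; the Automattic network ranges are left as a placeholder to be filled in.

```php
<?php
/**
 * Plugin Name: Restrict Site Access (added example)
 * Hypothetical location: client-mu-plugins/restrict-site-access.php
 */

// Constructed allow list for wp-admin logins (IPv4 addresses or CIDR ranges).
// The Automattic network must be allowed too, or VIP Support loses access.
const RSA_ALLOWED_LOGIN_IPS = array(
    '203.0.113.0/24',  // constructed office range
    '198.51.100.42',   // constructed single address
    // 'AUTOMATTIC_NETWORK_RANGE_PLACEHOLDER',
);

// Constructed URI prefixes that only logged-in users may view.
const RSA_LOGGED_IN_ONLY_PATHS = array( '/members/', '/internal-reports/' );

/** True if the IPv4 address equals an entry or falls inside a CIDR entry. */
function rsa_ip_allowed( string $ip, array $allowed ): bool {
    $ip_long = ip2long( $ip );
    if ( false === $ip_long ) {
        return false; // IPv6 or malformed input is not matched by this helper
    }
    foreach ( $allowed as $entry ) {
        if ( false === strpos( $entry, '/' ) ) {
            if ( $entry === $ip ) { return true; }
            continue;
        }
        list( $net, $bits ) = explode( '/', $entry, 2 );
        $bits = (int) $bits;
        $mask = 0 === $bits ? 0 : ( ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF );
        if ( ( $ip_long & $mask ) === ( ip2long( $net ) & $mask ) ) { return true; }
    }
    return false;
}

// Method 1: before authentication runs, refuse logins from addresses not on the list.
add_action( 'wp_authenticate', function () {
    $ip = $_SERVER['REMOTE_ADDR'] ?? ''; // assumption: platform sets the real client IP here
    if ( ! rsa_ip_allowed( $ip, RSA_ALLOWED_LOGIN_IPS ) ) {
        nocache_headers();
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
} );

// Method 2: on init, require a logged-in user for the restricted URIs.
add_action( 'init', function () {
    $path = wp_parse_url( $_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH ) ?: '/';
    foreach ( RSA_LOGGED_IN_ONLY_PATHS as $prefix ) {
        if ( 0 === strpos( $path, $prefix ) && ! is_user_logged_in() ) {
            nocache_headers(); // keep the 403 response out of the edge page cache
            wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
        }
    }
} );
```

Because anonymous requests for the restricted paths can still be served from the edge cache without reaching this code, confirm the paths are not already cached before relying on the check.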

What is restricted

Restrictions implemented at the application level via code allow for full control over which WordPress content and pages are restricted. However, these restrictions will only apply to content generated by WordPress; media and static assets will continue to be publicly accessible.

Content will also continue to be syndicated via Jetpack’s content distribution tools. To modify this behavior, review the available options to Control Content Distribution via Jetpack.

Last updated: April 05, 2022