Partial restriction of site access can be achieved at the application level.
When creating application-level restrictions, it’s important to take into consideration the VIP Platform’s page cache and to keep in mind that requests served from the cache will not run application code.
- Be careful not to restrict legitimate traffic. Always take time to confirm that the restriction logic will not block traffic intended be unrestricted.
- Application code to restrict requests should be added as a plugin in the
/client-mu-pluginsdirectory to ensure that restricted requests are blocked early.
- Requests blocked via application code are blocked at the origin, not the edge (load balancer). If a request is served from the cache at the edge, it does not reach the origin and cannot be restricted by application code.
- To restrict an entire environment to one or more IP addresses, the recommended approach is to use the VIP Dashboard’s IP Allow List feature as it does not depend on application code but rather blocks requests at the edge (load balancer).
- Any IP-based restrictions at the application level must allow requests from the Automattic network. Site access for VIP Support is required for a site to be fully supported.
Restricting access to the WordPress Admin by only allowing specific IP addresses
Before the WordPress authentication process, a visitor’s IP address can be checked against a list of allowed IPs using the WordPress
wp_authenticate hook. If the IP does not match, a
403 Forbidden header can be returned. See code example.
Restricting access to one or more URIs by only allowing logged-in users
What is restricted
Restrictions implemented at the application level via code allow for full control over which WordPress content and pages are restricted. However, these restrictions will only apply to content generated by WordPress; media and static assets will continue to be publicly accessible.
Content will also continue to be syndicated via Jetpack’s content distribution tools. To modify this behavior, review the available options to Control Content Distribution via Jetpack.