A little bit of extra security is never a bad thing. If you need to restrict access to a particular part of your WordPress site, you can easily add access rules from directly within Pagely's Atomic control panel.
An important thing to note is that these access controls differ from plugin-based or other code-based solutions. Since the rules act at the ARES gateway level, blocked requests don't consume any server resources. This makes them a much more efficient way to protect the WordPress admin or staging/development sites.
In this article, we'll show you how to create access rules to protect your WordPress sites.
Creating an Access Rule in Atomic
- Start by logging into the Atomic control panel.
- Next, access your app list by clicking on Apps within the left side menu.
- From here, find the app that you want to create access rules for, then click on the settings icon to the right of the app's name.
- Now that you're inside the App Details page, navigate to the ARES tab to access your ARES gateway rules.
- The first section that appears in the ARES tab should be the Access Control section. If not, go ahead and navigate to it.
Since we're going to be creating a new access rule, let's click on the New Access Rule button at the top-right of the section.
- The first thing we'll need to define when creating an access rule is the location that the rule will be applied to.
There are a few different path options you can select:
- All: The rule will apply to your entire site. This is a good option for staging and development environments.
- wp-admin + wp-login.php (with exclusions): Applies the rule to paths within wp-admin as well as the wp-login.php file, with exclusions. This is recommended for most sites.
- wp-admin + wp-login.php: The same as above, but without any exclusions.
This includes admin-ajax.php, which handles various client-side functionality in many plugins and themes, so you'll want to test this one first within a staging environment if you select it.
- wp-admin (with exclusions): This rule will apply to all paths within wp-admin, with exclusions.
- wp-admin: The rule will apply to all paths inside wp-admin.
This includes admin-ajax.php, which handles various client-side functionality in many plugins and themes, so you'll want to test this one first within a staging environment if you select it.
- wp-login.php: This rule will apply to wp-login.php, but will not impact any of the wp-admin paths.
- Custom: The rule will apply to a custom path entered within the field. For example, /my-secret-directory.
For the purposes of this article, we're going to select the second option to secure our admin without any potential side effects of blocking admin-ajax.php.
- After we've defined where the access rule will be applied, we'll define how the access rule will be applied.
For this, there are a few different options:
- Auth: This option will require a username and password to access the destination, more formally known as basic HTTP authentication.
Note: Be careful when protecting locations that may load content from a CDN, such as pages on the front end of your site. Doing so can sometimes cause unintended consequences.
- IP List: This option will allow you to either allow or block traffic from a list of IP addresses. This form of protection can be great if your location is only accessed from certain places, such as an office building.
- Geo: This option will allow you to block or allow different geographic locations. For example, if you only do business in the US, you might choose to block all other countries.
In this example, we're going to restrict the WordPress admin to US traffic only, so we're going to enable the Geo option, select Only allow traffic, then add United States of America to the list.
- After your changes are made, don't forget to use the Save button to save your rule.
- Finally, deploy your rules to the server with the Deploy Changes button.
Your access control rules have now been applied! Be sure to check your rules after deploying to make sure they're working properly.
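One way to script the post-deployment check, as an added example that is not Pagely's own code: it requests the paths covered by the "wp-admin + wp-login.php (with exclusions)" option and reports any that do not behave as expected. It assumes that IP List and Geo blocks are answered with HTTP 403 and that admin-ajax.php is among the exclusions; the function names and the `EXPECTED` table are hypothetical. Run it from a location the rule should deny, since a request from an allowed location will pass through.

```python
import sys
import urllib.error
import urllib.request

# Expectations for the "wp-admin + wp-login.php (with exclusions)" option.
# Assumption: admin-ajax.php is one of the excluded paths and stays reachable.
EXPECTED = {
    "/wp-login.php": "protected",
    "/wp-admin/": "protected",
    "/wp-admin/admin-ajax.php": "open",
}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx responses instead of following them

def fetch(url, timeout=10):
    """Return (status, lower-cased header dict) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, {k.lower(): v for k, v in err.headers.items()}

def classify(status, headers):
    """Map a response to 'protected' or 'open' as seen from the client."""
    challenge = headers.get("www-authenticate", "").lower()
    if status == 401 and challenge.startswith("basic"):
        return "protected"  # Auth rule: basic HTTP authentication challenge
    if status == 403:
        return "protected"  # assumed response for IP List / Geo blocks
    return "open"

def audit(base_url, expected=EXPECTED, fetcher=fetch):
    """Return (path, expected, observed, status) for every mismatch."""
    failures = []
    for path, want in expected.items():
        status, headers = fetcher(base_url.rstrip("/") + path)
        got = classify(status, headers)
        if got != want:
            failures.append((path, want, got, status))
    return failures

if __name__ == "__main__":
    problems = audit(sys.argv[1])  # e.g. https://staging.example.com
    for path, want, got, status in problems:
        print(f"MISMATCH {path}: expected {want}, got {got} (HTTP {status})")
    sys.exit(1 if problems else 0)
```

An empty result means every path behaved as expected; a mismatch on admin-ajax.php indicates that the rule is also catching front-end AJAX traffic.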