1. Jesse Lavery says:

    So are you (more or less) locking down WP access to on-campus only? Have you gotten push-back that people can’t use it off-campus? Or are you using a VPN or similar for that?

    • We do allow users to login to the campus network using VPN. Then, they can login to WordPress. We just implemented this restriction last week, so we’ve yet to see major backlash; the few people that stumbled onto the issue so far have been very understanding. The biggest issue we’ll face is with the handful of users (mostly students) that aren’t allowed access to VPN.

      With the consulting I’ve done for other schools, I can tell you that it’s fairly common to require people to be behind the firewall before letting them login to WordPress. Of the three major schools I’ve done a lot of work with, only one of them lets me login without having to go through their VPN connection first.

      As a side note; one other warning I forgot to mention in the article is that you just want to restrict access to wp-login.php. If you restrict access to the whole wp-admin folder, you have a higher chance of AJAX requests failing (since they have to go through wp-admin in order to work).

  2. In my environment at Dawson College, the wp-admin folder is locked down along with wp-login.php. We’ve found that we were still getting hit at the root of /wp-admin/.

    We’re mitigating that on the nginx level by having a location rule for wp-login.php with ip allows. Then a separate location rule for wp-admin but with an allow on wp-admin/admin-ajax.php. Seems to be working in our setup.

Leave a Reply