“order deny,allow” only works when after rewrite rules?

I have a WordPress site I wanted to block access to temporarily and added order deny,allow to the .htaccess file:

    RewriteEngine off
    order deny,allow
    deny from all
    allow from [my ip]

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

However, it didn’t work.


I tried moving it to below the rewrite rules:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    RewriteEngine off
    order deny,allow
    deny from all
    allow from [my ip]

And it started working.

Why doesn’t it work in the first example?


1 comment

  1. In WordPress htaccess, these comments:

    # BEGIN WordPress
    # END WordPress
    

    are used by WordPress to dynamically add additional rules. If you look into wp-admin/includes/misc.php, there is a function named save_mod_rewrite_rules which handles the writing of your htaccess. Inside this function, the rules are obtained from the mod_rewrite_rules method of WP_Rewrite, a class located in wp-includes/rewrite.php. If you look into that method, you will see this line at the end:

    $rules = apply_filters( 'mod_rewrite_rules', $rules );
    

    It means that a filter is applied to the rules, so any plugin / theme can override these rules to add its own, and so add an access policy. Maybe WP core adds its own deny/allow rules. So maybe this is your problem here.

    An alternative solution to allow, deny rules is to use a RewriteCond to throw a 403 for all IPs other than yours (put this at the top of your htaccess):

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REMOTE_ADDR} !^[your IP]$
        RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>
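
How Apache's 2.2-style access control evaluates the `order deny,allow` / `deny from all` / `allow from` lines used in the question, as an added example that is not part of the original post or answer. The function names and the addresses (documentation ranges standing in for "[my ip]") are constructed for illustration; only `all`, full IP, partial IP and CIDR arguments are modelled.

```python
import ipaddress


def _matches(spec, client):
    """True if one 'Allow from' / 'Deny from' argument covers the client IP."""
    if spec.lower() == "all":
        return True
    if "/" in spec:  # CIDR form, e.g. 198.51.100.0/24
        return client in ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if len(octets) < 4:  # partial address, e.g. "10.1" covers 10.1.*.*
        return str(client).split(".")[:len(octets)] == octets
    return client == ipaddress.ip_address(spec)


def is_allowed(order, deny, allow, client_ip):
    """Evaluate Order/Deny/Allow for a single client IP.

    order: "deny,allow" or "allow,deny" (case-insensitive, spaces ignored)
    deny, allow: lists of 'from' arguments
    """
    client = ipaddress.ip_address(client_ip)
    denied = any(_matches(s, client) for s in deny)
    allowed = any(_matches(s, client) for s in allow)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        # Default is allow; an Allow match overrides a Deny match.
        return allowed or not denied
    if order == "allow,deny":
        # Default is deny; a Deny match overrides an Allow match.
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order!r}")


# Constructed sample: the question's block, with 203.0.113.10 as "[my ip]".
if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, is_allowed("deny,allow", ["all"], ["203.0.113.10"], ip))
```

With `allow,deny` the same two lists deny every client, including the listed IP, which is why the `Order` value matters more than the order in which the `deny` and `allow` lines are written.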
    
