Restricted Site Access is a WordPress plug-in that allows you to restrict access to logged in users and a set of IP addresses with flexible restricted access behavior.
New version 3.1, added July 11, 2010! Be sure to notice we’ve moved the settings to the Privacy menu as of 3.0.
Download version 3.1 from the WordPress plug-in repository »
Description
Limit access your site to visitors who are logged in or accessing the site from a set of specific IP addresses. Send restricted visitors to the log in page, redirect them, or display a message. A great solution for Extranets, publicly hosted Intranets, or parallel development sites.
Adds a number of new configuration options to the Privacy settings panel. From this panel you can:
- Enable and disable access restriction at will
- Change the restriction behavior: send to login, redirect, or display a message.
- Add IP addresses not subject to restriction, including ranges.
- Quickly add your current IP to the restriction list.
- Control the redirect location.
- Choose to redirect visitors to the same path that they entered the current site on
- Choose the HTTP redirect message for SEO friendliness
- Customize the blocked visitor message.
Thanks to Eric Buth for adding IP range support to the code base!
Installation
- Install easily with the WordPress plugin control panel or manually download the plugin and upload the extracted
folder to the `/wp-content/plugins/` directory - Activate the plugin through the ‘Plugins’ menu in WordPress
- Configure the plugin by going to the “Privacy” menu item under “Settings”
Screenshots
Changelog and future enhancements are available here.
As always, feedback and suggestions are welcome!
This is a great tool. A useful additional feature would be to redirect users to the same path after they are redirected to the log in page.
Kellen – thanks for the feedback. I actually thought I already built it to that… is that not happening on your site?
When using the send to login page option on my site, the user currently arrives at the home page of my site after logging in rather than the path they had originally entered.
is there anyway to use this plugin to restrict access to a certain folder and it’s subfolders. I only want to restrict access to limited areas.
CyberSNAC – there are several additional features on the agenda, and we’ll consider path based restrictions too. We’re a bit swamped with client work at the moment; unfortunately, adding new features to the “free” projects have to wait a few weeks!
[...] Restricted Site Access: This plug-in prevents anyone from seeing the site without first logging in. We then created one generic username/password for my friend to give out to all his relatives (which is what we would have done using httpauth, too). [...]
Hi,
Great job ! Thanks !
However I found that with your plugin activated, I cannot use anymore XML-RPC connection to update my blog with the wordpress iphone app.
arnaud – what restriction method are you using? The restriction method will definitely block XML-RPC access. We’ll look at making that tag accessible in a future update.
Hi Jake,
Scratching my head at this stage, but I think you have the solution:) On the http://www.seit.ie website I want a members login (Admin – to activate access), once member has permission to access -Then and Only Then can they upload case studies / posts / queries / recommendations. I have been playing with WP members access but subscribers automatically can see / edit / respond to all posts.
I would appreciate the guidance.
Paul
Paul – I’m not sure I understand what you’re trying to do. This plug-in doesn’t do anything with respect to post *administration*. It’s simply a tool for limiting access to the front end of the site.
I’m sure what you’re seeking is “do-able” – just not with this plug-in.
If you have a meaningful budget and would like to contract us to support the need you’ve described, however, we’d be happy to help.
It would be great if instead of just IP addresses, you could list networks. I have a WP install that I’d like to let anyone on the LAN just use when they’re in the office, but require authentication if they’re on the outside.
I tried allowing 192.168.1.0/24, but it didn’t like that.
Steve – support for IP ranges is on the top of the road map. Unfortunately, the “free” projects can only get so much attention. If you need it quickly and there’s a small budget for the project, and you’re interested in “sponsoring” this feature, I could prioritize it and get it done within a day or two.
Hi,
Concerning the XML-RPC issue, I’ve founded a solution : deactivate your plugin before first connection (when setting the blog parameters in the wordpress iphone app) and then reactivate your plugin. I don’t understand why i need to do that…
Moreover I updated my wordpress this morning from 2.8.4 to 2.8.5 : it breaks your plugin : i have redirection issues, i cannot access anymore to my site or admin section. By removing your plugin (from ftp server directely) i reworks.
I am also very interested in IP range support. My budget at the moment is very small… but out of curiosity, what level of support would be needed to prioritize this feature?
Hi Jake,
Seems to be really busy ;-p
Could you just confirm that the plugin does not work on WP 2.8.5 ?
Arnaud – I’ve at least done basic testing of the plug-in on 2 sites running 2.8.5 without issue… can you elaborate on your problem?
Jake – Shame on me ! :-/ There was in fact a conflict with an other plugin named “login logout”. After removing it i could reactivate yours succesfully. Consequence : I trashed the other plugin and keep yours Sorry for the wrong bug report.
Hey – this sounds just like the function we are missing in WordPress! I can not spend any money, but how about helping out with programming?
(If you like, I could of course do a fork and send my code back to you afterwards…)
Greetz,
Oliver
Oliver – we’re pretty swamped right now, so plug-ins aren’t on the front burner. But if you can provide the PHP code that interprets something like “192.168.1.0/24″ (or any other ranges a user could enter) into a starting and ending IP address, it would help us get that feature in more quickly.
[...] a plugin that restricts anyone from logging into my site with an IP address different than my own (Restricted Site Access). Another popular plugin that allows for added security is WP Security Scan, which will actually [...]
We have an educational WordPressMU install where we’d like to use plugin manager to activate this plugin by default upon creation. Is there a way to hardcode the settings and IP range for this plugin so all new blogs get the same settings to start? Blog owners could then go and change the settings later if they wanted to. Thanks for your great work on this plugin!
Amy – if you want to modify the source code of the plug-in, you could certainly hardcode the IP ranges in instead of pulling the option from the setting panel.
If you’d like help, we could do this for you with just an hour’s budget. Use the “Request a Quote” button up top!
I really appreciate your secure access plugin. However, we have found a hack that bypasses it. if you execute a search query string, such as /?s=news, the search is executed and the search results page is rendered. Any way to close that hole? I have disabled search until we launch, but it was a really bad surprise to find when we got hacked.
Thanks for the plugin and your consideration.
Yikes – good catch. We’ll patch that up tonight!
Hi, I was wondering, does this plugin also restrict the ability for users to retrieve files that might be uploaded to a site? Im working on a site for a non-profit and we want to have Board documents available to those who log in, but no one else. We would give each board member a login; when their term is up, we terminate the login.
In short, no access to anything on the site, unless you have a login?
Thanks,
Jeff Miller
Jeff – great question.
Unfortunately, due to the way WordPress handles files, files are only hidden by obscurity. If someone has a direct link to an upload, theyll be able to retrieve, it regardless of whether theyre logged in / unblocked.
The only way around this would be to use htaccess level protection on that folder. I would have to modify the plugin to block direct access to files in that, and stream them through a PHP script for download.
Of course, this could be trickier than first blush might suggest. For instance, what about images embedded on a page? Streaming those in (instead of a plain old image src reference) would be confusing and complicated to implement. Perhaps there would be a checkbox for media items called secured file that would control which files can are blocked / have to be streamed. Of course, then they would also have to live in a seperate folder.
Ill investigate further, but theres no quick fix for this that I know of. If someone would like to fork the code to do this or sponsor the feature, it could get attention sooner!
Not to unjustifiably promote getting attention sooner, but I too am looking for the feature Jeff Miller suggests. Can’t fork myself and unlikely to fork-over for feature sponsorship. But I do like the plugin and will do a donation.
Dear Admin,
This is seems to be a nice plugin and I have the following questions.
1. I want to alllow every user to login only from their own IP address, Is this possible? This is to avoid sharing of login details.
2. If the number 1 question is possible, does this plugin do it automatically, or should I each user’s IP address? How to find users’ IP addresses?
Thanks a lot and I’m really hoping for your answer…. I tried restrict ip login but it does not give me what I need… Hope this plugin does..
Thanks a lot,
Raden
This is a nice and usefull plugin!
Would it be possible to extend the plugin, that users which have a certain string in their “browser user agent string”, can access the site too?
cu,
guido
Does this work with wordpressMU? I’ve installed it, followed the instructions, but it’s not restricting by IP address.
Hi,
I have just installed the Restricted Site Access, but when I load the page now, all I get is:
Warning: Cannot modify header information – headers already sent by (output started at /home/evergree/public_html/News/index.php:6) in /home/evergree/public_html/News/wp-includes/pluggable.php on line 868
I’m not really up on my scripting, little bit new to all this, but would you know what would cause such an error? any help would be much appreciated.
Stinky – it does not work MU at the moment, but we may look into upgrading it to support MU with the 3.0 release of WordPress.
How do you have the plug-in configured? Are you loading WordPress in from another script on your site?
Hi,
Wordpress is loading from the folders in which is was installed, to my knowledge i don’t think it loaded from anywhere else. i started by just activating the plug as is, so with no changes.
Does this restrict any of the search engines?
And is there a way for them to see the Home page then when they try to enter then be redirected?
my wordpress v2.9.2 PHP v5.2.6 ,but this plugin is not work , the msg:
Version 2.0 of this plug-in requires a server running PHP 5.1 or newer in order to support IPv6 (as well as IPv4) ranges. If you are using an older version of PHP and your host cannot be upgraded, and you do not need IP range support, you can always manually download and install version 1.0.2.
This will restrict all visitors, including search engines.
Currently it restricts the entire site, but a future update will enable exceptions (such as the home page).
Hello, Can I use this plugin to give users access to specific areas of the site? Say I have a private sandbox area for each of 10 clients, which only they should be able to view.
thank you!
Jake:
I’d also appreciate some form of selective folder/file restriction. My goal would be to allow all users/visitors to read blog entries, but require login for posting (current WP config option) and for file downloads from “restricted” folders and/or pages. This would allow the SE bots to continue to mine the site for new articles (translation: more juice), but still allow restricted access to selective content.
Thanks in advance for your consideration of these features. -Chris
Sorry, Yaco, but that’s not what this plug-in does! You could do it on your own using the API, attaching roles to page meta, and creating some new roles. If you need help doing this, and have a budget, get in touch!
Chris – that’s not really the goal of this particular plugin, and I don’t want to bloat the plugin. The goal is really to block sites intended for private (Intranet like) use or parallel development / sandbox sites from the general public. I intend to add page “exceptions” to the feature set, in case folks want just the home page or a help page available to the general public, but don’t intend for this plugin to get any more complicated than that.
That said, we’ve done exactly what you’ve described for several clients as part of their theme. If the files don’t need to be super secure (just hidden away), it’s pretty easily accomplished by creating a special page template that only shows content “below the fold” (more divider) if “is_user_logged_in()”.
If the files need to be locked down, you’ll have to upload those files in a special area either outside of the web root or htaccess locked down and stream them in with PHP. This adds a good bit of additional complexity.
Hi Jake,
I’ve tried version 2.1 with Wordpress 3.0 but had no luck. The plugin obviously thinks that the wrong php version is installed. But phpinfo() says that PHP Version 5.2.6 is installed. Any ideas?
Version 1.02 of your plugin seems to work with Wordpress 3.0
ran into a problem where the plugin wasn’t blocking anything, i modified line 147 and it appears to be working:
if((inet_pton($ip) && $mask) == ($remote_ip && $mask)) return false;
(previously had single ampersands.)
It would be very nice if the tool could check against referrer rather than ip- ranges
Matt – that’s not right. The bitwise operator is intentional. I’m not sure why the plug-in isn’t blocking anything, but that’s not the reason. That change will probably make the plug-in block everything, regardless of exceptions!
[...] relação ao primeiro item a restrição de acesso foi conseguida com o plugin : Restrict Site Access. Muito bom e [...]
Would it be possible to add a tick box to exclude the signup / register page from the exclusion? I’m running a WP MU site with buddypress which has means to keep people out of user blogs but not the front end. So, your plugin is great activated on the front blog to restrict access and divert to the login page but people registering are also diverted to the login page too.
Thanks
Clive – hoping to add an “exception” list function in a future update. In the mean time, you can always intercept the restriction behavior using the new action hook I added, check what page it is, and override the plugin’s default blocking behavior! Assuming you know how to work with WordPress hooks in your theme, this shouldn’t be too tricky.
Thanks for the reply Jake. I think the ‘hooks’ solution will be too complicated for me BUT I’m not in a desperate hurry so I can wait for the ‘exception’ version.
I activated this plugin on wp3.0 for one site. It appeared to take effect for all sites (i have 2 domains) so I tried to disable and remove it, but access is still blocked. Removing the plugin doesn’t help. Now my site is essentially down. How can I manually remove whatever it installed? Thanks in advance.
Kenny – I’m confused by your situation (the plug-in doesn’t block log-in or admin pages) but you can always manually rip it out by deleting the plug-in folder in your “plug-ins” directory.
Furthermore, unless you install it in the multi-site plug-ins folder, the hooks which block the site should only be active within the site you installed for…