Forum Topic: Questions on the proper way to allow and deny

Forum: .htaccess Forum : WordPress • Posted by Yael Miller • Updated:

Looking at Section 7.6:

I think that if I want to mostly allow people and only deny some, it’s

Order Allow,Deny

but if I want to mostly deny people and only allow some, it’s

Order Deny,Allow

This is correct?

If it’s correct, then the below is correctly setup:

# protect xmlrpc
<Files xmlrpc.php>
	Order Deny,Allow
	Deny from all
</Files>

But I have the below in my .htaccess and I don’t think it’s correct because it’s in the wrong order:

# protect wp-config.php
<Files wp-config.php>
	Order Allow,Deny
	Deny from all
</Files>

Is this correct or not?

I want to only allow people from my IP to access wp-login.php so I would do:

# protect wp-login
<Files wp-login.php>
	Order Deny,Allow
	Deny from all
	Allow from (my IP Address)
</Files>

Is this correct?

4 Replies to “Questions on the proper way to allow and deny”

Posted by Jeff Starr

Okay excellent questions.

  1. You are correct about the order of Deny/Allow directives
  2. For wp-config.php and other files that you want to protect, you can just add Deny from all (When you are denying from all as the last directive, it shouldn’t matter which order the Allow/Deny directives are in.)
  3. Your logic for wp-login looks correct :)
Posted by Yael Miller •

When you are denying from all as the last directive, it shouldn’t matter which order the Allow/Deny directives are in.

To clarify:

# wp-config.php
<Files wp-config.php>
	Order Allow,Deny
	Deny from all
</Files>

The above works but if I want to avoid confusing myself I can use the below, correct?

# wp-config.php
<Files wp-config.php>
	Order Deny,Allow
	Deny from all
</Files>
Posted by Jeff Starr

Yes either should work. The difference is that the latter makes it possible to go on to allow from specific IPs, etc. Whereas that’s not possible with the former (with Allow first).

Posted by Yael Miller •

Thanks.