Restricted Site Access is a WordPress plug-in that allows you to restrict access to logged in users and a set of IP addresses with flexible restricted access behavior.
New major update, version 2.1, added February 10, 2010!
Download version 2.1 from the WordPress plug-in repository
Description
Limit access to your site to visitors who are logged in or accessing the site from a set of specific IP addresses. Send restricted visitors to the log in page, redirect them, or display a message. A great solution for Extranets, publicly hosted Intranets, or parallel development sites.
It includes an easy to use configuration panel inside the WordPress settings menu. From this panel you can:
- Enable and disable access restriction at will
- Change the restriction behavior: send to login, redirect, or display a message.
- Add IP addresses not subject to restriction, including ranges.
- Quickly add your current IP to the restriction list.
- Control the redirect location.
- Choose to redirect visitors to the same path that they entered the current site on
- Choose the HTTP redirect message for SEO friendliness
- Customize the blocked visitor message.
Version 2.0 is a major update. In addition to adding IP range support, there are significant UI and usability improvements, and many other under the hood improvements to the code base. Thanks to Eric Buth for adding IP range support to the code base!
Requires PHP 5.1+ to support IPv6 ranges. Download version 1.0.2 if IP ranges are not needed and the host is not running PHP 5.1 or newer.
Installation
- Install easily with the WordPress plugin control panel or manually download the plugin and upload the extracted folder to the `/wp-content/plugins/` directory
- Activate the plugin through the ‘Plugins’ menu in WordPress
- Configure the plugin by going to the “Restricted Access” menu item under “Settings”
Changelog
v1.0.1 – Important fundamental change related to handling of what should be restricted
v1.0.2 – Fix login redirect to home; improve redirect handling to take advantage of wp_redirect function
v2.0 – Add support for IP ranges courtesy Eric Buth; major UI changes and improvements; major code improvements
v2.1 – Customize blocked visitor message; Stronger security (patched “search” hole); Better display / handling of blocked visitor message
Planned Enhancements
- Restriction based on user level (vs is logged in)
- Exclude pages or posts from restrictions
As always, feedback and suggestions are welcome!
This is a great tool. A useful additional feature would be to redirect users to the same path after they are redirected to the log in page.
Kellen – thanks for the feedback. I actually thought I already built it to that… is that not happening on your site?
When using the send to login page option on my site, the user currently arrives at the home page of my site after logging in rather than the path they had originally entered.
Is there any way to use this plugin to restrict access to a certain folder and its subfolders? I only want to restrict access to limited areas.
CyberSNAC – there are several additional features on the agenda, and we’ll consider path based restrictions too. We’re a bit swamped with client work at the moment; unfortunately, adding new features to the “free” projects has to wait a few weeks!
[...] Restricted Site Access: This plug-in prevents anyone from seeing the site without first logging in. We then created one generic username/password for my friend to give out to all his relatives (which is what we would have done using httpauth, too). [...]
Hi,
Great job ! Thanks !
However I found that with your plugin activated, I cannot use anymore XML-RPC connection to update my blog with the wordpress iphone app.
arnaud – what restriction method are you using? The restriction method will definitely block XML-RPC access. We’ll look at making that tag accessible in a future update.
Hi Jake,
Scratching my head at this stage, but I think you have the solution:) On the http://www.seit.ie website I want a members login (Admin – to activate access), once member has permission to access -Then and Only Then can they upload case studies / posts / queries / recommendations. I have been playing with WP members access but subscribers automatically can see / edit / respond to all posts.
I would appreciate the guidance.
Paul
Paul – I’m not sure I understand what you’re trying to do. This plug-in doesn’t do anything with respect to post *administration*. It’s simply a tool for limiting access to the front end of the site.
I’m sure what you’re seeking is “do-able” – just not with this plug-in.
If you have a meaningful budget and would like to contract us to support the need you’ve described, however, we’d be happy to help.
It would be great if instead of just IP addresses, you could list networks. I have a WP install that I’d like to let anyone on the LAN just use when they’re in the office, but require authentication if they’re on the outside.
I tried allowing 192.168.1.0/24, but it didn’t like that.
Steve – support for IP ranges is on the top of the road map. Unfortunately, the “free” projects can only get so much attention. If you need it quickly and there’s a small budget for the project, and you’re interested in “sponsoring” this feature, I could prioritize it and get it done within a day or two.
Hi,
Concerning the XML-RPC issue, I’ve found a solution: deactivate your plugin before first connection (when setting the blog parameters in the wordpress iphone app) and then reactivate your plugin. I don’t understand why I need to do that…
Moreover I updated my wordpress this morning from 2.8.4 to 2.8.5: it breaks your plugin: I have redirection issues, I cannot access anymore to my site or admin section. By removing your plugin (from ftp server directly) it reworks.
I am also very interested in IP range support. My budget at the moment is very small… but out of curiosity, what level of support would be needed to prioritize this feature?
Hi Jake,
Seems to be really busy ;-p
Could you just confirm that the plugin does not work on WP 2.8.5 ?
Arnaud – I’ve at least done basic testing of the plug-in on 2 sites running 2.8.5 without issue… can you elaborate on your problem?
Jake – Shame on me! :-/ There was in fact a conflict with an other plugin named “login logout”. After removing it I could reactivate yours successfully. Consequence: I trashed the other plugin and keep yours
Sorry for the wrong bug report.
Hey – this sounds just like the function we are missing in WordPress! I can not spend any money, but how about helping out with programming?
(If you like, I could of course do a fork and send my code back to you afterwards…)
Greetz,
Oliver
Oliver – we’re pretty swamped right now, so plug-ins aren’t on the front burner. But if you can provide the PHP code that interprets something like “192.168.1.0/24” (or any other ranges a user could enter) into a starting and ending IP address, it would help us get that feature in more quickly.
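One way to do the conversion requested above, as an added example that is not the plug-in's own code: it turns a CIDR string into starting and ending addresses and tests membership, for IPv4 and IPv6 alike, using `inet_pton()` (PHP 5.1+). The `rsa_example_*` function names are hypothetical.

```php
<?php
// Added example; rsa_example_* names are hypothetical, not the plug-in's API.

/** Return array(start, end) as packed addresses, or null if $cidr is invalid. */
function rsa_example_cidr_bounds($cidr)
{
    $parts = explode('/', trim($cidr), 2);
    $addr  = @inet_pton($parts[0]);        // 4 bytes for IPv4, 16 for IPv6
    if ($addr === false) {
        return null;
    }
    $bits   = strlen($addr) * 8;
    $prefix = $bits;                       // a bare address is a one-host range
    if (isset($parts[1])) {
        if (!ctype_digit($parts[1]) || (int) $parts[1] > $bits) {
            return null;                   // rejects "/", "/33" on IPv4, "/abc"
        }
        $prefix = (int) $parts[1];
    }
    // Build the netmask byte by byte; no 128-bit integers needed for IPv6.
    $mask = '';
    for ($i = 0, $left = $prefix; $i < strlen($addr); $i++, $left -= 8) {
        $n     = max(0, min(8, $left));
        $mask .= chr((0xFF << (8 - $n)) & 0xFF);
    }
    $start = $addr & $mask;                // string operands: byte-wise AND
    $end   = $start | ~$mask;              // set every host bit
    return array($start, $end);
}

/** True only if $ip parses and lies inside $cidr; any bad input fails closed. */
function rsa_example_ip_in_range($ip, $cidr)
{
    $bounds = rsa_example_cidr_bounds($cidr);
    $packed = @inet_pton($ip);
    if ($bounds === null || $packed === false
        || strlen($packed) !== strlen($bounds[0])) {
        return false;                      // never compare IPv4 against IPv6
    }
    // Packed addresses are big-endian, so byte order equals numeric order.
    return strcmp($packed, $bounds[0]) >= 0 && strcmp($packed, $bounds[1]) <= 0;
}

// Constructed sample input.
list($start, $end) = rsa_example_cidr_bounds('192.168.1.0/24');
echo inet_ntop($start), ' - ', inet_ntop($end), "\n";
var_dump(rsa_example_ip_in_range('192.168.1.77', '192.168.1.0/24'));
var_dump(rsa_example_ip_in_range('192.168.2.1', '192.168.1.0/24'));
var_dump(rsa_example_ip_in_range('2001:db8::1', '2001:db8::/32'));
```

For an allow-list decision, pass `$_SERVER['REMOTE_ADDR']` as `$ip` rather than a client-supplied header such as `X-Forwarded-For`, unless a trusted proxy sets that header.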
[...] a plugin that restricts anyone from logging into my site with an IP address different than my own (Restricted Site Access). Another popular plugin that allows for added security is WP Security Scan, which will actually [...]
We have an educational WordPressMU install where we’d like to use plugin manager to activate this plugin by default upon creation. Is there a way to hardcode the settings and IP range for this plugin so all new blogs get the same settings to start? Blog owners could then go and change the settings later if they wanted to. Thanks for your great work on this plugin!
Amy – if you want to modify the source code of the plug-in, you could certainly hardcode the IP ranges in instead of pulling the option from the setting panel.
If you’d like help, we could do this for you with just an hour’s budget. Use the “Request a Quote” button up top!
I really appreciate your secure access plugin. However, we have found a hack that bypasses it. If you execute a search query string, such as /?s=news, the search is executed and the search results page is rendered. Any way to close that hole? I have disabled search until we launch, but it was a really bad surprise to find when we got hacked.
Thanks for the plugin and your consideration.
Yikes – good catch. We’ll patch that up tonight!
Hi, I was wondering, does this plugin also restrict the ability for users to retrieve files that might be uploaded to a site? I’m working on a site for a non-profit and we want to have Board documents available to those who log in, but no one else. We would give each board member a login; when their term is up, we terminate the login.
In short, no access to anything on the site, unless you have a login?
Thanks,
Jeff Miller
Jeff – great question.
Unfortunately, due to the way WordPress handles files, files are only hidden by obscurity. If someone has a direct link to an upload, they’ll be able to retrieve it, regardless of whether they’re logged in / unblocked.
The only way around this would be to use htaccess level protection on that folder. I would have to modify the plugin to block direct access to files in that, and stream them through a PHP script for download.
Of course, this could be trickier than first blush might suggest. For instance, what about images embedded on a page? Streaming those in (instead of a plain old image src reference) would be confusing and complicated to implement. Perhaps there would be a checkbox for media items called secured file that would control which files are blocked / have to be streamed. Of course, then they would also have to live in a separate folder.
I’ll investigate further, but there’s no quick fix for this that I know of. If someone would like to fork the code to do this or sponsor the feature, it could get attention sooner!
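The approach outlined in the reply above (deny direct access to a folder at the web-server level, then stream its files through a PHP script that checks the login first), as an added example that is not part of the plug-in. The script name, its location in the WordPress root, the `secured` folder and the `file` parameter are all assumptions.

```php
<?php
// download.php: added example, assumed to sit in the WordPress root.
// Assumes wp-content/uploads/secured/ holds the protected files and contains
// an .htaccess with "Require all denied" (Apache 2.4), so the web server
// refuses direct requests and this script is the only way to reach them.
require dirname(__FILE__) . '/wp-load.php';

if (!is_user_logged_in()) {
    auth_redirect();                 // sends the visitor to the login page and exits
}

$uploads = wp_upload_dir();
$base    = realpath($uploads['basedir'] . '/secured');
$request = isset($_GET['file']) ? (string) $_GET['file'] : '';
// basename() drops any directory part, so "../wp-config.php" cannot escape.
$path    = $base ? realpath($base . '/' . basename($request)) : false;

// realpath() resolves symlinks; require the result to still sit inside $base.
if (!$path || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    status_header(404);
    exit('File not found.');
}

$type = wp_check_filetype($path);
$name = str_replace('"', '', basename($path));   // keep the header value well-formed
nocache_headers();                   // keep shared caches from storing the file
header('Content-Type: ' . ($type['type'] ? $type['type'] : 'application/octet-stream'));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

Links to protected documents would then point at `download.php?file=<name>` instead of the upload URL, which covers downloads but not the embedded-image case raised in the same reply.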
Not to unjustifiably promote getting attention sooner, but I too am looking for the feature Jeff Miller suggests. Can’t fork myself and unlikely to fork-over for feature sponsorship. But I do like the plugin and will do a donation.