Easily Updating IP Address in .htaccess file From DNS Record

IP address white-listing is an effective way to tighten security on a restricted area. Unfortunately, if your IP address is not static, or you work from various places, manually updating the .htaccess file to accommodate your IP address change every single time is not very convenient.

Why Direct Domain Whitelisting is Not Recommended

updateht.php is a simple PHP script that updates the whitelisted IP address in .htaccess files based on a DNS record. For example, if your static IP address is 123.12.23.34, to protect wp-login.php in WordPress (so only your computer can access the file) you can put the following in your .htaccess:

<files wp-login.php>
    order deny,allow
    deny from all 
    allow from 123.12.23.34
</files>

Now, if you are using a dynamic IP address or have to access the server from various places (which also do not use static IP addresses), the usual trick to keep the security measure above is to use a dynamic DNS (Domain Name System) service to bind your current IP address to a domain name, and allow the name instead of the address. For example:

<files wp-login.php>
    order deny,allow
    deny from all 
    allow from my-dynamic-access.duckdns.org
</files>

There are problems with this method, some of them:

  1. Your host, i.e. the Apache server, needs to be able to do reverse DNS lookups of client addresses. Some disable this to make the server run faster.
  2. Even if reverse DNS lookups are active, chances are the client address will not resolve to your dynamic DNS domain name. Say you have updated the A record of "my-dynamic-access.duckdns.org" to 123.12.23.34 (your current IP address). When you access the server, it sees the IP address first and resolves it to the name given by the owner of that address block, such as "123-12-23-34.your-isp.com". That name never matches the rule above, so the rule fails and you cannot access wp-login.php.
  3. And the consequence of this method is that every request carries the overhead of resolving the client IP address, i.e. it slows down the server big time.

Introducing updateht.php

So, the updateht.php script below could be the answer. This script has been tailored to the usual WordPress structure, where wp-login.php is the login script and the directory /wp-admin/ is the restricted area. updateht.php code:

<?php
// For every "#DNSaccessDomain <name>" marker line, rewrite the line that follows
// it as "allow from <current A record of name>". Returns 1 on success, 0 on
// failure; on failure the original file is left as it was.
function UpdateIP($filename){

    $domainname = "";
    $row = "";
    $returnvalue = 1;
    $tempfile = $filename.".temp";
    $tokenfound = 0;
    $tokencount = 0;
    $dnslookupresult = "";

    copy ($filename,$filename.".orig");

    if ($file=fopen($filename,"r")){
        if ($output=fopen($tempfile,"w")){
            while(!feof($file) && ($row = fgets($file)) !== false) {
                if( preg_match('/^\#DNSaccessDomain ([0-9A-Za-z\.\-]+)(\s*|\s.*)$/', $row, $domainname) ){
                    $tokenfound = 1;
                    $dnslookupresult = gethostbyname($domainname[1]);
                    // gethostbyname() returns the name unchanged when the lookup fails,
                    // so make sure we really got an IPv4 address before writing it out
                    if (!filter_var($dnslookupresult, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
                        print "lookup failed for ".$domainname[1]."<br/>";
                        $returnvalue = 0;
                    }
                    print $dnslookupresult."<br/>";
                } else {
                    if ($tokenfound==1) {
                        // the line right after the marker becomes the allow rule
                        $row = "allow from $dnslookupresult\n";
                        $tokenfound=0;
                        $tokencount++;
                    }
                }
                if (!fwrite($output,$row)) $returnvalue = 0;
            }
            if (!fclose($file)) $returnvalue = 0;
            if (!fclose($output)) $returnvalue = 0;

            if ($tokencount==0) {
                print "entry not found<br/>";
                $returnvalue = 0;
            }
        } else $returnvalue = 0;
    } else $returnvalue = 0;

    if ($returnvalue) {
        // rename() swaps the new file in atomically (same filesystem), so a
        // failure at this point cannot leave a half-written .htaccess behind
        if (!rename($tempfile,$filename)) $returnvalue = 0;
        else unlink($filename.".orig");
    } else {
        @unlink($tempfile);
    }
    return ($returnvalue);
}

// Program Start
if (UpdateIP(".htaccess")) print "OK<br/>";
if (UpdateIP("wp-admin/.htaccess")) print "OK<br/>";
?>

The .htaccess snippet that protects wp-login.php is as follows:

<files wp-login.php>
order deny,allow
deny from all
#DNSaccessDomain my-dynamic-access.duckdns.org
allow from 0.0.0.0
</files>

The .htaccess snippet in the wp-admin directory is as follows:

order deny,allow
deny from all
#DNSaccessDomain my-dynamic-access.duckdns.org
allow from 0.0.0.0 

How the script works is pretty straightforward. It looks for the "#DNSaccessDomain" marker (make sure it starts in the first column), takes the next word on that line to be the domain, gets the IP address of that domain, and writes the IP address into the "allow from" line that follows. Note: as some of us start migrating from the Apache 2.2 Order/Allow/Deny directives to the Apache 2.4 Require directive (where the equivalent rule is "Require ip 123.12.23.34"), the script above can easily be adapted to the new syntax.
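As an added example (not the script from this page, and written in Python rather than PHP so it can be exercised offline with a fake resolver), here is the same rewrite with a pluggable resolver. It goes a little beyond the page: it handles both the Apache 2.2 "allow from" line used above and the Apache 2.4 "Require ip" line, refuses to write anything when the name does not resolve (gethostbyname() hands back the bare hostname on failure), and swaps the new file in atomically with os.replace(). The sample .htaccess contents and the fake resolver that maps my-dynamic-access.duckdns.org to 123.12.23.34 are constructed for the demonstration; resolve_ipv4 is the real resolver and the only part that touches the network.

```python
import ipaddress
import os
import re
import socket
import tempfile

# Marker line as used on this page, and the line it controls in both the
# Apache 2.2 ("allow from") and Apache 2.4 ("Require ip") syntaxes.
TOKEN = re.compile(r'^#DNSaccessDomain\s+([0-9A-Za-z.\-]+)\s*$')
TARGET = re.compile(r'^(\s*)(allow from|Require ip)\s+\S+\s*$', re.IGNORECASE)


def resolve_ipv4(name):
    """Forward-resolve name to an IPv4 address, or return None on failure.
    gethostbyname() hands back the name itself when the lookup fails, so the
    result is validated as an address before it is trusted."""
    try:
        return str(ipaddress.IPv4Address(socket.gethostbyname(name)))
    except (OSError, ValueError):
        return None


def update_htaccess(text, resolver=resolve_ipv4):
    """Return (new_text, count): every allow/Require line that follows a
    #DNSaccessDomain marker is rewritten to the marker's current address.
    Raises ValueError rather than writing anything doubtful."""
    out, pending, count = [], None, 0
    for line in text.splitlines(keepends=True):
        marker = TOKEN.match(line)
        if marker:
            pending = marker.group(1)
        elif pending is not None:
            target = TARGET.match(line)
            if not target:
                raise ValueError("no allow/Require line after marker for " + pending)
            ip = resolver(pending)
            if ip is None:
                raise ValueError(pending + " did not resolve to an IPv4 address")
            eol = "\n" if line.endswith("\n") else ""
            line = "%s%s %s%s" % (target.group(1), target.group(2), ip, eol)
            count += 1
            pending = None
        out.append(line)
    if pending is not None:
        raise ValueError("marker for " + pending + " is the last line")
    if count == 0:
        raise ValueError("entry not found")
    return "".join(out), count


def update_file(path, resolver=resolve_ipv4):
    """Rewrite path in place. The new content goes to a temp file in the same
    directory and is swapped in with os.replace(), so a crash half-way never
    leaves a truncated .htaccess (unlike unlink + copy)."""
    with open(path, "r", encoding="utf-8") as fh:
        new_text, count = update_htaccess(fh.read(), resolver)
    fd, tmp = tempfile.mkstemp(prefix=".htaccess.", dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    os.replace(tmp, path)
    return count


# Constructed sample files: the page's 2.2 snippet and its 2.4 equivalent.
SAMPLE_22 = """<files wp-login.php>
order deny,allow
deny from all
#DNSaccessDomain my-dynamic-access.duckdns.org
allow from 0.0.0.0
</files>
"""
SAMPLE_24 = """<Files wp-login.php>
#DNSaccessDomain my-dynamic-access.duckdns.org
Require ip 0.0.0.0
</Files>
"""


def fake_resolver(name):
    """Offline stand-in for DNS (constructed); an unknown name 'fails' like a dead record."""
    return {"my-dynamic-access.duckdns.org": "123.12.23.34"}.get(name)


def demo():
    """Run the rewrite on the 2.4 sample through a real temp file; returns the result."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".htaccess")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_24)
        update_file(path, fake_resolver)
        with open(path, encoding="utf-8") as fh:
            return fh.read()


if __name__ == "__main__":
    print(update_htaccess(SAMPLE_22, fake_resolver)[0])
    print(demo())
```

Passing resolve_ipv4 (the default) instead of fake_resolver turns this into the real tool; the ValueError on a failed lookup is what keeps a hostname or an empty string from ever landing in an "allow from" line.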

After running the script, the .htaccess snippet becomes (the 0.0.0.0 is replaced with the current IP address of the domain):

<files wp-login.php>
order deny,allow
deny from all
#DNSaccessDomain my-dynamic-access.duckdns.org
allow from 123.12.23.34
</files>

and the .htaccess in /wp-admin/ becomes:

order deny,allow
deny from all
#DNSaccessDomain my-dynamic-access.duckdns.org
allow from 123.12.23.34 

To create the script: copy the code of updateht.php above, paste it into your code editor, save it as "updateht.php" and upload or FTP it to your server root directory. Then modify both .htaccess files, the one in the root directory (to protect wp-login.php) and the one in /wp-admin/, by inserting "#DNSaccessDomain [your dynamic dns domain]" right above the "allow from x.x.x.x" line.

So, every time you want to access the admin area, what you need to do is:

  1. Update your dynamic DNS service to reflect your current IP address.
  2. Open http://[yourwebsite]/updateht.php and expect two "OK"s, one for the wp-login.php protection and one for the wp-admin protection.

Just make sure that the script is allowed to access the files in the directory, i.e. open, copy, delete and write files. Usually this relates to the privileges of the web server "user" (the user that runs the HTTP service needs to own the directory/files, or at least have write access to them). If this becomes a problem, you need to contact your hosting provider for help. Also keep in mind that updateht.php has no authentication of its own: anyone who can reach the URL can trigger the rewrite (it only ever writes whatever your dynamic DNS name currently resolves to, but it is still worth protecting the script with a password or an unguessable name).

To see the bigger picture of how this script can help you in securing your server, please read Easy and Effective Way to Protect Admin/Login Area of Your WordPress (or Any Website).

Feel free to adapt, alter, modify, extend, enhance the script’s idea for your implementation – no credit required 🙂 – have a good one!

A few notes:

  • Some of you might think of running this script regularly as a cron job. My opinion on this is: don't do that. Why? The idea is to make the server faster and give it a lighter load. Let's say you change IP address every day; that's 7 times a week. So why run the script every 15 minutes (or more often), which translates to 672 executions (or more) a week, just because we are too lazy to do a few clicks on our bookmark?
  • Depending on the settings of your dynamic DNS provider, some time (~10 minutes at duckdns.org) has to pass before the cached DNS entry expires and the resolver fetches the new address rather than serving it from cache.

