
Shriji

Headless WordPress + Sapper, JAMstack Security (Part 6)

Now that you have a complete frontend that works independently of WordPress, you can drop the PHP frontend entirely and use WordPress only as a backend.

#1 Security

Restrict access to wp-admin and wp-login.php by IP address and forbid everyone else. This is done in the .htaccess file on your WordPress instance; add the following rules there.

Note: replace 10.0.0.1 with your current IP. If you need to allow several IP addresses, for example because you have several authors, add an extra "allow from 11.0.0.1" line for each of them.

<Files wp-login.php>
order deny,allow
deny from all
allow from 10.0.0.1
</Files>

But if you are behind Cloudflare like me, the above configuration will not work, because the address Apache sees is a Cloudflare edge rather than the visitor's. You need something like this instead, which takes the visitor's address from the CF-Connecting-IP header that Cloudflare adds.

SetEnvIF CF-Connecting-IP "10.0.0.1" MySecretIP
<Files wp-login.php>
order allow,deny
allow from env=MySecretIP
</Files>

If you try going to wp-admin from another IP (test via mobile data), you will hit 403 Forbidden.
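To see why the first snippet stops working behind Cloudflare while the second one does, it helps to model the decision rule of Apache's legacy Order/Deny/Allow directives (mod_access_compat). The script below is an added example, not code from the original post: it reproduces that rule, evaluates both .htaccess snippets against sample requests, and adds a hardened variant that only honours CF-Connecting-IP when the TCP peer is actually a Cloudflare edge. The IPs, the 198.51.100.0/24 edge range and the Request type are constructed placeholders; SetEnvIf is modelled as an exact match, whereas the real directive takes a regex, so in .htaccess anchor it and escape the dots (^10\.0\.0\.1$) to avoid matching longer addresses.

```python
"""Offline model of the two wp-login.php access policies shown above.

Added example, not code from the original post. It reproduces the decision
rule of Apache's legacy Order/Deny/Allow directives (mod_access_compat) so
both .htaccess snippets can be reasoned about without a server. All IPs and
the edge range below are constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed placeholder standing in for Cloudflare's published edge ranges.
ASSUMED_EDGE_RANGES = [ip_network("198.51.100.0/24")]

AUTHOR_IPS = {"10.0.0.1", "11.0.0.1"}   # the post's example author addresses


@dataclass
class Request:
    path: str
    peer_ip: str                        # address of the TCP peer the origin sees
    headers: dict = field(default_factory=dict)


def covered(req: Request) -> bool:
    """<Files wp-login.php> matches on the file name only."""
    return req.path.rsplit("/", 1)[-1] == "wp-login.php"


def apache_order(order: str, deny_matches: bool, allow_matches: bool) -> int:
    """Decision rule of `Order deny,allow` versus `Order allow,deny`.

    deny,allow: default is allow; a request is refused only if it matches a
                Deny directive and no Allow directive.
    allow,deny: default is deny; a request passes only if it matches an Allow
                directive and no Deny directive.
    """
    if order == "deny,allow":
        return 403 if (deny_matches and not allow_matches) else 200
    if order == "allow,deny":
        return 200 if (allow_matches and not deny_matches) else 403
    raise ValueError(f"unknown Order: {order}")


def snippet_direct(req: Request) -> int:
    """First snippet: Order deny,allow / Deny from all / Allow from <ip>."""
    if not covered(req):
        return 200
    return apache_order("deny,allow",
                        deny_matches=True,                 # Deny from all
                        allow_matches=req.peer_ip in AUTHOR_IPS)


def env_my_secret_ip(req: Request) -> bool:
    """SetEnvIf CF-Connecting-IP "<ip>" MySecretIP, as an exact comparison."""
    return req.headers.get("CF-Connecting-IP") in AUTHOR_IPS


def snippet_cloudflare(req: Request) -> int:
    """Second snippet: Order allow,deny / Allow from env=MySecretIP."""
    if not covered(req):
        return 200
    return apache_order("allow,deny",
                        deny_matches=False,                # no Deny directive
                        allow_matches=env_my_secret_ip(req))


def snippet_cloudflare_hardened(req: Request) -> int:
    """Same rule, but the header is only honoured when the TCP peer is a
    Cloudflare edge. The header is only trustworthy for requests that really
    came through Cloudflare, so the origin should also be restricted to
    Cloudflare's ranges (firewall or an extra Allow list)."""
    if not covered(req):
        return 200
    peer_is_edge = any(ip_address(req.peer_ip) in net for net in ASSUMED_EDGE_RANGES)
    if not peer_is_edge:
        return 403
    return snippet_cloudflare(req)


if __name__ == "__main__":
    author_direct = Request("/wp-login.php", "10.0.0.1")
    stranger_direct = Request("/wp-login.php", "203.0.113.9")
    via_edge = Request("/wp-login.php", "198.51.100.7",
                       {"CF-Connecting-IP": "10.0.0.1"})
    forged_header = Request("/wp-login.php", "203.0.113.9",
                            {"CF-Connecting-IP": "10.0.0.1"})
    print("direct rule, author:     ", snippet_direct(author_direct))     # 200
    print("direct rule, stranger:   ", snippet_direct(stranger_direct))   # 403
    print("direct rule, via edge:   ", snippet_direct(via_edge))          # 403 (why it breaks)
    print("CF rule, via edge:       ", snippet_cloudflare(via_edge))      # 200
    print("CF rule, forged header:  ", snippet_cloudflare(forged_header)) # 200 (gap)
    print("hardened, forged header: ", snippet_cloudflare_hardened(forged_header))  # 403
```

The third and fifth lines of the output are the two points worth remembering: behind Cloudflare the first rule locks the author out because the peer is an edge address, and the second rule on its own trusts a header that is only meaningful when the origin is not reachable directly.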

#2 Ditching the WordPress frontend

The final step is getting rid of the WordPress frontend. Assuming you already have YOUR-DOMAIN pointing to WordPress, you may need to move WordPress to something like SUBDOMAIN.YOUR-DOMAIN and point YOUR-DOMAIN at your Sapper frontend. The easiest way is to use any migration plugin to move to your subdomain, so that you don't touch the delicate backend much. If you have the WordPress.com version you will have an easier time, because you can consume the APIs from your custom WordPress URL.

Also, do not forget to update the API endpoints in your .env file.

Here is my repo. The trash folder contains Sapper's default blog.

https://github.com/peopledrivemecrazy/Sapper-WordPress

Here is the Sapper version of the site https://sapper.anoram.com/
