Restricting access to a site hosted on VIP Go

VIP Go platform specific

This document is for sites running on VIP Go.

Overview

There are many different ways to restrict access to your applications and environments on VIP Go. Here, we review the various techniques available. Note: the IP Allow List and Basic Authentication access restriction methods cannot both be active at the same time. If you attempt to activate them both, Basic Authentication will take precedence.

Techniques for Restricting Access

Restricting by IP (Full Site)

When and how to use: If you want to completely restrict access to the entire site to a defined list or range of IP addresses (i.e. subnets) for your team, use the IP Allow List feature. Common implementations are for sites with highly sensitive content, intranets, and non-production environments.

What is restricted: Once enabled, any requests from IP addresses outside of the allowed range will be rejected with a 403 response from our CDN.

The restriction applies to all requests to the environment: cached and uncached requests, static files, media files, and dynamically generated content.

Content is also blocked from Jetpack’s content distribution tools. To change this behavior, please see “Controlling Content Distribution via Jetpack”.

Considerations: For added protection, you can also require all users to log in before accessing the site (see “Restricting via Authentication (Full Site)” below).

Restricting by IP (Partial Site)

When and how to use: If you want to restrict access to certain parts of the site (e.g. WordPress Admin) to a defined list or range of IP addresses, you can do so at the application level.

For this to work, users must be logged in to access the restricted portions of the site. This is to avoid the caching and leaking of restricted content.

To enforce this, hook into the WordPress login flow and all subsequent logged in requests, and reject access if the user is not visiting from an authorized IP address.

What is restricted: Since the restrictions are implemented at the application level (i.e. your code), you have full control over which WordPress content and pages should be restricted.

Please note that the restrictions will only apply to content generated by WordPress. Media and static assets will continue to be publicly accessible.

Content will also continue to be syndicated via Jetpack’s content distribution tools. To change this behavior, please see “Controlling Content Distribution via Jetpack”.

Considerations: In order for the VIP team to support your site, any IP enforcements at the application level should allow requests from our network. This can be done by checking for and allowing requests when true === A8C_PROXIED_REQUEST – you can use the utility function is_proxied_request().
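One way to implement the login-flow and logged-in-request checks described in this section, as an added example that is not VIP's own code. The CIDR ranges, the `example_*` names and the use of `$_SERVER['REMOTE_ADDR']` as the visitor's address are assumptions; `is_proxied_request()` is the utility function named above.

```php
<?php
// Added example, not VIP's own code. Allow list uses documentation-only ranges.
const EXAMPLE_ALLOWED_CIDRS = array( '192.0.2.0/24', '2001:db8::/32' );
// True when $ip is inside $cidr. Handles IPv4 and IPv6; fails closed on bad input.
function example_ip_in_cidr( string $ip, string $cidr ): bool {
	$parts = explode( '/', $cidr, 2 );
	if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) || ! filter_var( $parts[0], FILTER_VALIDATE_IP ) ) {
		return false;
	}
	$addr  = inet_pton( $ip );
	$net   = inet_pton( $parts[0] );
	$max   = strlen( $net ) * 8;
	$range = array( 'options' => array( 'min_range' => 0, 'max_range' => $max ) );
	$bits  = filter_var( $parts[1] ?? $max, FILTER_VALIDATE_INT, $range );
	if ( false === $bits || strlen( $addr ) !== strlen( $net ) ) {
		return false; // Invalid prefix length or mixed address families.
	}
	$full = intdiv( $bits, 8 ); // Whole bytes covered by the prefix.
	$rem  = $bits % 8;          // Bits left over in the next byte.
	$mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
	return substr( $addr, 0, $full ) === substr( $net, 0, $full )
		&& ( 0 === $rem || ( ord( $addr[ $full ] ) & $mask ) === ( ord( $net[ $full ] ) & $mask ) );
}

function example_request_is_allowed(): bool {
	// Let VIP support through, as the Considerations paragraph requires.
	if ( function_exists( 'is_proxied_request' ) && is_proxied_request() ) {
		return true;
	}
	$ip = $_SERVER['REMOTE_ADDR'] ?? ''; // Assumption: holds the visitor's IP.
	foreach ( EXAMPLE_ALLOWED_CIDRS as $cidr ) {
		if ( example_ip_in_cidr( $ip, $cidr ) ) {
			return true;
		}
	}
	return false;
}

// Login flow: never issue a session to an address outside the list.
add_filter( 'authenticate', function ( $user ) {
	return example_request_is_allowed() ? $user : new WP_Error( 'ip_restricted', 'Login is not permitted from this network.' );
}, 100 );
// Every later logged-in request: end the session and answer 403.
add_action( 'init', function () {
	if ( is_user_logged_in() && ! example_request_is_allowed() ) {
		wp_logout();
		wp_die( 'Access is not permitted from this network.', 'Forbidden', array( 'response' => 403 ) );
	}
} );
```

Checking on `init` as well as at login matters because a session cookie issued on an allowed network stays valid when the user moves to another one.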

Restricting via Basic Auth (Full Site)

When and how to use: If you want to restrict access to the entire site in the form of a username/password challenge, you can use our Basic Auth feature.

This is useful when you do not have a static list or range of IP addresses for your team. Common uses for Basic Auth are non-production/test environments and pre-launch production environments that are under development.

What is restricted: Once enabled, any requests without the proper username and password combination will be rejected.

The restriction applies to all requests to the environment: cached and uncached requests, static files, media files, and dynamically generated content.

Content is also blocked from Jetpack’s content distribution tools. To change this behavior, please see “Controlling Content Distribution via Jetpack”.

Restricting via Authentication (Full Site)

When and how to use: If you want to restrict access to authenticated users only, you can use one of the many WordPress plugins that support this functionality like Force Login or Registered Users Only. If your organization has a Single Sign On (SSO) system, you can simplify the login process for your team by integrating it into the login flow.

What is restricted: Once enabled, logged-out users are required to log in and verify permissions before being able to access the site.

Please note that the restrictions will only apply to content generated by WordPress. Media and static assets will continue to be publicly accessible.

Content will also continue to be syndicated via Jetpack’s content distribution tools. To change this behavior, please see “Controlling Content Distribution via Jetpack”.

Restricting via Authentication (Temporary)

When and how to use: If you want to temporarily restrict access to a site (e.g. site under development or for pre-launch configuration), you can use the Maintenance Mode plugin.

What is restricted: After installing and configuring the plugin, only users with Author-level access and above can access the site.

Please note that the restrictions will only apply to content generated by WordPress. Media and static assets will continue to be publicly accessible.

Content will also continue to be syndicated via Jetpack’s content distribution tools. To change this behavior, please see “Controlling Content Distribution via Jetpack”.

Controlling Content Distribution via Jetpack

Jetpack adds a suite of powerful security, performance, and marketing tools to all VIP sites, including various tools to aid in content consumption, distribution, and syndication. These include:

For sites with restricted access, you may want to change the behavior of these tools depending on your specific use cases.

Enabling Content Distribution

For sites that rely on IP Allow List or Basic Auth to restrict access, we automatically disable Jetpack’s content distribution tools. This means that content is blocked from being:

  • Accessed via the WordPress.com REST API or Jetpack Search via unauthenticated requests;
  • Consumed via the WordPress.com Reader; and
  • Syndicated via the WordPress.com Firehose.

If you would prefer to leave your site restricted but would still like your content to be distributed via Jetpack, you can add the following code snippet to your vip-config.php file:

if ( ! defined( 'VIP_JETPACK_IS_PRIVATE' ) ) {
    define( 'VIP_JETPACK_IS_PRIVATE', false );
}

Within 30 minutes, the default content distribution features that are included with Jetpack will be restored.

If you would like to fine-tune which content distribution features are enabled, you can do so using the jetpack_get_available_modules filter.

Disabling Content Distribution

For sites that rely on restricting access via plugins or mechanisms that aren’t native to the VIP Platform (like paywalls), you may want to restrict content distribution via Jetpack.

To do so, you can add the following code snippet to your vip-config.php file:

if ( ! defined( 'VIP_JETPACK_IS_PRIVATE' ) ) {
    define( 'VIP_JETPACK_IS_PRIVATE', true );
}

To restrict content distribution for select subsites in a Multisite, you can do that by targeting the subsite. Here is an example for a Subdomain Multisite:

if ( 'subsite.example.com' === $_SERVER['HTTP_HOST'] ) {
    define( 'VIP_JETPACK_IS_PRIVATE', true );
}

Or, for a Subfolder Multisite:

if ( 'example.com' === $_SERVER['HTTP_HOST'] && 0 === strpos( $_SERVER['REQUEST_URI'], '/subsite/' ) ) {
    define( 'VIP_JETPACK_IS_PRIVATE', true );
}

Within 30 minutes, content will no longer be accessible via Jetpack’s default content distribution features.

Please note that disabling Jetpack Content Distribution will block content from being accessible through the Jetpack Search API, so WordPress will fall back to its standard database search. You can configure Jetpack Search to make content accessible via authenticated requests by adding the snippet provided in our documentation to your client-mu-plugins directory. You’ll also want to make sure that Jetpack Search is activated within your codebase.

Non-production Environments

Any applications created after August 28, 2020 (with new GitHub repos) will have Content Distribution disabled by default in their non-production environments.

If you’d like to keep Content Distribution enabled for these environments or tweak their behavior, please follow instructions in the sections above.
