Whitelisting IPs leads to 403 errors on logout

Well you have confirmed exactly what the issue is: The IP addresses that you are whitelisting are not your actual IP addresses. The only other thing I can think of to explain something like that would be you are using a Proxy or VPN software that is changing your IP address or I have also found that this problem occurs just by using VPN software in general due to the nature of how VPN tunnel encryption works.

If the IP based blocking method just does not work for you at all then you can switch to this other method that achieves that exact same thing without having to mess around with IP addresses.

Simple Query String Login page protection:
https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

Thanks again for all your help in troubleshooting this issue which I have now resolved.

After more testing and more research today I learned that, as speculated in my first post, and as you suggested as a possibility in this post, the issue was due to using CloudFlare.

The IP whitelisting code that I was previously using, and the similar code that this BPS thread suggests using, does not work when using a service like CloudFlare, because Apache can’t see my (the visitor’s) IP address. By replacing my previous code with the following code, Apache now reads my IP address (and any others I list) and sets the allowedip environment variable which is then whitelisted on the last line.

<FilesMatch "^(wp-login\.php)">
SetEnvIf X-FORWARDED-FOR xxx.xxx.xxx.xxx allowedip
SetEnvIf X-FORWARDED-FOR yyy.yyy.yyy.yyy allowedip
SetEnvIf X-FORWARDED-FOR zzz.zzz.zzz.zzz allowedip
order deny,allow
deny from all
allow from env=allowedip
</FilesMatch>

These links (for example) give more detail:
https://blog.ergatides.com/2011/09/07/securing-wordpress-dashboard-using-htaccess-behind-cloudflare-or-any-other-cdn/
https://www.mickgenie.com/securing-website-through-htaccess-behind-cloudflare-or-cdn/

Assuming you don’t see any downside to the solution I have come up with, I think it would be a good idea to add this information in a BPS FAQ (perhaps in this thread?) to help others who are tearing their hair out as I was – especially as more people are likely to start using a service like CloudFlare or another CDN service.

Great Job on figuring this out! And yep I will add this info plus additional info on the BPS Brute Force Login protection Forum page regarding Cloud/Proxy/VPN etc.

Wiki info on X-Forwarded-For
https://en.wikipedia.org/wiki/X-Forwarded-For

The general format of the field is:
X-Forwarded-For: client, proxy1, proxy2

So as long as your are using the “client” IP address then everything will work. The 2nd, 3rd proxy IP addresses would not work.

Notes:
You can use SetEnvIf X-FORWARDED-FOR inside or outside of the FilesMatch section of code.

You would want to use Order Allow,Deny and NOT Order Deny,Allow
https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order

Allow,Deny
First, all Allow directives are evaluated. At least one must match, or the request is rejected.
Next, all Deny directives are evaluated. If any matches, the request is rejected.
Last, any requests which do not match an Allow or a Deny directive are denied by default.

Deny,Allow
First, all Deny directives are evaluated. If any match, the request is denied unless
it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.

To be 100% technically code correct…

<FilesMatch "^(wp-login\.php)">
SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" allowedip
SetEnvIf X-FORWARDED-FOR "^yyy\.yyy\.yyy\.yyy$" allowedip
SetEnvIf X-FORWARDED-FOR "^zzz\.zzz\.zzz\.zzz$" allowedip
Order Allow,Deny
Allow from env=allowedip
</FilesMatch>

…or…

SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" allowedip
SetEnvIf X-FORWARDED-FOR "^yyy\.yyy\.yyy\.yyy$" allowedip
SetEnvIf X-FORWARDED-FOR "^zzz\.zzz\.zzz\.zzz$" allowedip

<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
Allow from env=allowedip
</FilesMatch>

Oops forgot to escape the dots (.). Corrected above.

Also you can combine the all of the code if needed or if you want the code all in one place.

SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" allowedip
SetEnvIf X-FORWARDED-FOR "^yyy\.yyy\.yyy\.yyy$" allowedip
SetEnvIf X-FORWARDED-FOR "^zzz\.zzz\.zzz\.zzz$" allowedip

<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
Allow from env=allowedip
# Add your website domain name
Allow from example.com
# Add your website/Server IP Address
Allow from xxx.xxx.xxx.xxx
</FilesMatch>

Thanks for the extra information ??

Would you mind elaborating on why you use
“^xxx\.xxx\.xxx\.xxx$”
rather than simply
xxx.xxx.xxx.xxx
when the latter works okay. For example, what is the purpose/function of the extra characters ^ and $ wrapped around the IP?

Also, what would be the syntax for whitelisting a dynamic IP where, say, you only wanted to specify 2 octets? Would it be something like
“^xxx\.xxx\.*\.*”

Gillian,
The code should be as precise as possible so it will match only the correct IPs. The backslashes indicate the next character is not to be treated as a special character (a dot is a wildcard character here). The caret means “starts with”, and the dollar sign means “ends with”. Regular expressions can be quite complicated, so you have to be very careful about how they match.

Thanks for the clarification, Joy ??

The ^ and $ Regular Expressions code characters are explained in the link below.
https://www.regular-expressions.info/anchors.html

The dot/period character in Regular Expressions code means: Matches any character, except for line breaks if dotall is false. If you escape the dot \. it means match a literal dot/period.

When using SetEnvIf the Regex is bit different. Yes, you can use .* which means match anything, but personally I would use this Regex code instead:

[0-9]{1,3} Matches any single character in the range 0-9. Matches 1 to 3 of the preceeding token.

SetEnvIf X-FORWARDED-FOR "^100\.49\.[0-9]{1,3}\.[0-9]{1,3}$" allowedip

When using an IP Address with the Allow Directive it is accepted/ok just to do this for IPv4 IP addresses:
Allow from xxx.xxx.

For IPv6 IP addresses:
Allow from 2001:db8::a00:20ff:fea7:ccea

Many thanks again for the extra information, AITpro.

One final question if I may. In your example
SetEnvIf X-FORWARDED-FOR "^100\.49\.[0-9]{3}\.[0-9]{3}$" allowedip
if a person with an IP of, say, 100.49.1.1 wanted access, would the [0-9]{3} code assume leading zeroes as required?

I have learned a lot from this thread ??

Oops nope. My mistake is corrected above. You would need to use this code instead. Match 1 to 3 tokens/characters.

100\.49\.[0-9]{1,3}\.[0-9]{1,3}

Or another method is this: Match 1 or more tokens/characters.
100\.49\.[0-9]{1,}\.[0-9]{1,}

Ah, I see. Thanks for taking the time to educate me ??

I have install Woocommerce and when I active whitelist for wp-admin folder access (.htaccess in /wp-admin folder), my clients can′t logout in front-end by 403 error

My code:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Password Protected Area”
AuthType Basic
#order deny,allow
#deny from all
# whitelist home IP address
allow from XXX.my.work.ip
# whitelist work IP address
#allow from 69.147.114.210
#allow from 199.239.136.200
# IP while in Kentucky; delete when back
#allow from 128.163.2.27

What is the problem? Thanks

Most likely their IP addresses are different so probably you should not use this code. For folks who allow other folks to log into their sites you would not want to use IP based login/access to the site.