Locking Down Your EduBlog to Prevent Unauthorized Access

There are two situations where you might want to restrict access to your educational blog to just a few specific computers.

  • First, you might want to restrict the entire blog so it can only be accessed by people using school computers.
  • Second, you might want to restrict the login pages of your blog, so that students can only edit or modify their work using school computers. (This also helps prevent your site from getting hacked by observant students who have figured out your password.)

If you are pretty comfortable around computers and run a self-hosted blog (or have access to your website’s servers), then you should be able to lock down your class website to a few locations (IP addresses).

Why would you want to prevent your students from logging in at home?

I usually don’t allow my students to take their English work out of the classroom; I’m tired of dealing with lost homework. Besides, you can never be sure how much help a student receives at home.

Over the years, I’ve developed a folder system where all of our work stays in the folder. It’s great. First, students always come prepared to class (because their notes and drafts never leave the room). Secondly, the students have a portfolio documenting their learning over time. It’s great for metacognition because students can flip back through previous assignments in an attempt to prevent the same mistakes from happening again. Finally, I know exactly what a student is capable of because I can see all of their prewriting and drafts leading up to the published version.

However, a blog potentially ruins this keep-it-in-the-classroom policy because students can log in to their user accounts from home. The beauty of WordPress and other blogging platforms is that you can blog from anywhere in the world.

Also, some older students might be flexing their computer literacy (or vandalism) muscles. The login page for any blog powered by WordPress can usually be found by adding /wp-admin at the end of the website address. By locking down the wp-admin folder to a few specific IP addresses, you can greatly limit access to the administration back-end of your class blog.

How to lock down your (educational) blog’s administration / login folder.

If you have a self-hosted WordPress blog, the following trick will prevent students from logging in (or hacking your website) at home. Note: You need to have access to the .htaccess file on your website. Our web host, BlueHost, provides access to this file; however, apparently not all web hosts do.

  1. Figure out the IP address of the computer that you want to use to access your blog. An IP address is your internet address online. There are various sites that will tell you your current IP address, including this one.
  2. Use a text editor (e.g. Notepad) to create a file named .htaccess and copy and paste the following into the file:
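# No password files are used; the IP rules below do the access control
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
# Evaluate deny rules first, then allow rules, so a matching allow wins
order deny,allow
# Block everyone by default
deny from all
# Then let in only these addresses (replace them with your own)
allow from 123.456.789.123
allow from 12.345.678.123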
  3. Replace 123.456.789.123 and 12.345.678.123 with your real IP addresses. Hint: If your Internet Service Provider gives you a range of IP addresses (for example, 123.456.789.000 to 123.456.789.999), just drop the last octet to allow the whole range (for example, allow from 123.456.789).
  4. Upload your .htaccess file to your blog’s wp-admin folder. Now the only people who can access any file in the wp-admin folder must be using a computer with an IP address on your safe list (white list).

Note: If you want to use the .htaccess file to limit access to your entire blog from specific computers, then you’ll need to copy and paste the above code into the existing .htaccess file in your website’s public folder (or wherever your WordPress blog files can be found). You must add the code to the existing .htaccess file instead of overwriting the file because WordPress has some important information in there already.
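
A pre-upload check for the allow list above, as an added example that is not part of the original post: it parses the "allow from" lines, flags entries that are not valid IPv4 addresses or prefixes (such as the post's placeholder values left unreplaced), and reports whether a given computer's address would be admitted or get the 403. The sample file contents and addresses are constructed, the function names are hypothetical, and only dotted IPv4, partial-prefix and CIDR entries are handled.

```python
import ipaddress
import re

# Constructed sample: documentation-range addresses plus one unreplaced placeholder.
SAMPLE_HTACCESS = """\
order deny,allow
deny from all
allow from 192.0.2.44
allow from 198.51.100
allow from 123.456.789.123
"""

def parse_allow_entry(entry):
    """Turn one 'allow from' value into an ip_network, or raise ValueError."""
    if "/" in entry:  # CIDR form
        return ipaddress.ip_network(entry, strict=False)
    octets = entry.rstrip(".").split(".")
    valid = all(o.isascii() and o.isdigit() and int(o) <= 255 for o in octets)
    if not (1 <= len(octets) <= 4 and valid):
        raise ValueError(f"not an IPv4 address or prefix: {entry!r}")
    # A partial address (1 to 3 octets) covers every host under that prefix.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def load_allow_list(text):
    """Return (networks, errors) for every 'allow from' line in text."""
    networks, errors = [], []
    for line in text.splitlines():
        m = re.match(r"\s*allow\s+from\s+(.+)$", line, re.IGNORECASE)
        if not m:
            continue
        for entry in m.group(1).split():
            try:
                networks.append(parse_allow_entry(entry))
            except ValueError as exc:
                errors.append(str(exc))
    return networks, errors

def is_admitted(client_ip, networks):
    """With 'deny from all' in place, False here means the client gets a 403."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    nets, errs = load_allow_list(SAMPLE_HTACCESS)
    print("invalid entries:", errs)
    for ip in ("192.0.2.44", "198.51.100.200", "203.0.113.9"):
        print(ip, "admitted" if is_admitted(ip, nets) else "would get 403")
```

Run it with the address of every computer you expect to log in from before uploading the file, so an unreplaced placeholder or a mistyped octet shows up before it locks you out.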

If the .htaccess file is modified correctly, whenever you try to log in to your blog from an unauthorized computer, you should receive a 403 error that looks like this:

Question: Have you ever had a student hack into your class blog before?

4 thoughts on “Locking Down Your EduBlog to Prevent Unauthorized Access”

  1. Of course, this could backfire on you. For example, I’ve locked down the admin section of this teacher blog so that it can only be accessed from my home internet account.

    I wanted to leave a quick post while I was at school… but, of course, I couldn’t log in.

    Still, it’s nice to know the security works. Just don’t lock yourself out by accident like I just did.

  2. I just tried to leave the previous comment without leaving my email. (Lazy, I know.) This blog is currently set up so that you have to leave your name and email address if you want to leave a comment… otherwise, you get a reminder asking you to fill in the missing information.

    Except, I’ve blocked the admin folder from the world (except for my home IP address.) Apparently, that also means that the error message doesn’t work either.

    How important is that error message? Probably not very important. Nice to know that you can completely block out the world from accessing your site with this trick.

    But using an .htaccess file to block out the world might have some side effects… like preventing the world from seeing the comment error message.
