There are two situations where you might want to think about classroom blog security and restrict access to your educational website to just a few specific computers.
- First, you might want to restrict the entire blog so it can only be accessed by people using school computers.
- Second, you might want to restrict the login pages of your blog, so that students can only edit or modify their work using school computers. (This also helps prevents your site from getting hacked by observant students who have figured out your password.)
If you are pretty comfortable around computers and run a self-hosted blog (or have access to your website’s servers), then you should be able to lock down your class website to a few locations (IP addresses).
Classroom Blog Security Issue: Why would you want to prevent your students from logging in at home?
I usually don’t allow my students to take their English work out of the classroom; I’m tired of dealing with lost homework. Besides, you can never be sure how much help a student receives at home.
Over the years, I’ve developed a folder system where all of our work stays in the folder. It’s great.
- First, students always come prepared to class (because their notes and drafts never leave the room).
- Second, the students have a portfolio documenting their learning over time. It’s great for metacognition because students can flip back through previous assignments in an attempt to prevent the same mistakes from happening again.
- Finally, I know exactly what a student is capable of because I can see all of their prewriting and drafts leading up to the published version.
However, a blog potentially ruins this keep-it-in-the-classroom policy because students can log in to their user accounts from home. The beauty of WordPress and other blogging platforms is that it can let you blog from anywhere in the world.
Also, some older students might be flexing their digital literacy (or vandalism) muscles. The login page for any blog powered by WordPress can usually be found by adding /wp-admin at the end of the website address. By locking down the wp-admin folder to a few specific IP addresses, you can greatly limit access to the administration back-end of your class blog.
How to lock down your classroom blog’s administration / login folder.
If you have a self-hosted WordPress blog, the following trick will prevent students from logging in (or hacking your website) at home. Note: You need to have access to the .htaccess file on your website. Our web host, BlueHost, provides access to this file, however, apparently, not all web hosts do.
- Figure out the IP address of the computer that you want to use to access your blog. An IP address is your internet address online. There are various sites that will tell you your current IP address.
- Use a text editor (i.e. notepad) to create a file named .htaccess and cut and paste the following into the file:
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Example Access Control" AuthType Basic
order deny,allow deny from all allow from 123.456.789.123 allow from 12.345.678.123
- Replace 123.456.789.123 and 12.345.678 with your real IP address. Hint: If your Internet Service Provider gives you a range of IP addresses (For example 123.456.789.000 to 123.456.789.999), just drop the last octet number to allow a range. (For example, allow from 123.456.789)
- Upload your .htaccess file to your blog’s wp-admin folder. Now the only people who can access any file in the wp-admin folder must be using a computer with an IP address on your safe list (white list).
- Note: If you want to use the .htaccess file to limit access to your entire blog from specific computers, then you’ll need to copy and paste the above code into the existing .htaccess file on your website’s public folder (or wherever your WordPress blog files can be found). You must add the code into the existing .htaccess file instead of overwriting the file because WordPress has some important information in there already.
If the .htaccess file is modified correctly, whenever you try to login to your blog from an unauthorized computer, you should receive a 403 error that looks like this: