Limit access to your sNews CMS login page by IP address

Limit access to your sNews CMS login page by IP address

Here's a trick I use to provide a little extra security hardening for my sNews installations. You can use this to limit all login attempts from your sNews login form to only one (or more) IP addresses, so if you're like me and you access your sNews admin panel from only a few static IPs, give this a try to shut down any access attempts on your login page from outside your specified IPs.

This is not a fool proof method of locking down your form! This is simply an extra layer to deny login attempts at your sNews login page.

This install is extremely simple and painless, you just need to know your IP(s), and as we're changing the code in the source, you need not fear getting "locked out" if your IP changes or you make a mistake, you can always edit the code via FTP, this is simply to prevent web logins from unwanted locations.

Step 1) As always, BACK-UP your snews.php file and work off a copy. Now find the function login and paste the following highlighted code in;

function login() {
    $valid_ips = array("", "");
    if (!in_array($_SERVER['REMOTE_ADDR'],$valid_ips)) {
        echo "<p>I'm sorry, you must login from an approved network location</p>";
    if (!_ADMIN) {
        echo '<div class="adminpanel">

That's it, you're done. Oh, and yeah, change the IPs. The IPs are stored in the valid_ips array, so simply add as many as you like, separated by commas, surrounded by quotes.



You might like


Nice one, I however made mine a bit different back when I wanted this feature, I used the .htaccess file using these lines:

RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.0*$
RewriteRule ^login[^/]*$ - [F] used as an example, and ofcourse you could add an array like you did in your mod.

My way will then give what ever error page you used
where yours is showing the text specified, however, I like your approach too.


Yeah, using .htaccess is easier and cleaner, the main reason I hard-coded it into the snews.php is because I've got the same logic inside the part that actually logs you in,


if(isset($_POST['Loginform']) && !_ADMIN) {
$valid_ips = array("", "");
if(!in_array($_SERVER['REMOTE_ADDR'],$valid_ips)) {
// deny login attempt
} else {
//allow login, do all the login stuff

also, another trick I've done is to rename the login form elements with an md5 hash.

Why can't I seem to be able to add wildcards to this function?


function login() {
	$valid_ips = array("127.0.*", "192.0.*");
		if (!in_array($_SERVER['REMOTE_ADDR'],$valid_ips)) {
		echo "not authorized from this IP address";

Oops, sorry MethOD, I missed this comment.

You can't use wildcards because the in_array function doesn't support it. You'd have to use a regular expression and a function like preg_match.

Comments are closed. No new comments allowed.

Copyleft 2002 - 2017 Matt Jones
Hand crafted with HTML5 & CSS3
↑ Back to top