0

Why do we need Apache Access Control like

Require user <name or UID>
Not require user <name or UID>
Require group <name or GID>
Not require group <name or GID>
Require ip <network IP>
Not require ip <network IP>
Require host <hostname>
Not require host <hostname>
Require all granted
Require all denied
Require local

when we have ownership, permissions and a firewall?

Ahmad Ismail

1 Answer

1
File Permissions

Permission and ownership of files served by Apache (and any other application) dictate what that application can and cannot read, write and execute. This is enforced on access to resources.

Firewalls

Firewalls control ingress and egress data between interfaces (commonly network interfaces) with defined access control lists to limit communication to trusted parties. This is enforced on transport inbound and outbound.

Apache Access Control

Apache access control is a finer-grained control over the resources being served. It also allows finer-grained delegation of permissions to Apache, rather than relying on other system enforcement.

Examples
Example 1: I want to allow all users access to a WordPress site but I only want trusted IPs to access wp-admin.

In this case I would configure the below for the /wp-admin directory in the configuration (or in an .htaccess file in the directory).

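# Apache 2.2-style access directives; on Apache 2.4 they are provided by mod_access_compat
<Directory /wp-admin>
  # Evaluate Deny rules first, then let Allow rules override them
  Order deny,allow
  Deny from all
  # x.x.x.x stands for the trusted address
  Allow from x.x.x.x
</Directory>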
Example 2: I want to allow only members of a group to POST data to my website

I would configure Apache with the following

<LIMIT POST>
  AuthType Basic
  AuthName "Posty Mc Post Face"
  # Optional line:
  AuthBasicProvider file
  AuthUserFile "/usr/local/apache/passwd/passwords"
  AuthGroupFile "/usr/local/apache/passwd/groups"
  Require group canPostApacheGroup
</LIMIT>
Following Examples

Each of these examples has a firewall that is allowing traffic through to Apache, and operating system permissions allowing Apache to access resources on the operating system, but now there is application-specific configuration to limit the actions a user can perform on the application.

samson4649
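
Both examples from the answer, written with the Apache 2.4 `Require` directives the question lists. This is an added example, not part of the original answer: the document root path and the 192.0.2.0/24 range are constructed placeholders. It goes slightly beyond `<Limit POST>`, because the first rule covers every method other than GET, HEAD and OPTIONS.

```apache
# Added example, Apache 2.4 syntax (mod_authz_core, mod_authz_host,
# mod_authz_groupfile). /var/www/html and 192.0.2.0/24 are constructed
# placeholders; the password/group file paths and the group name are the
# ones used in the answer.

# Public site: anyone may read; anything that is not GET/HEAD/OPTIONS
# (POST, PUT, DELETE, ...) needs a login that is in canPostApacheGroup.
<Directory "/var/www/html">
    AuthType Basic
    AuthName "Posty Mc Post Face"
    AuthBasicProvider file
    AuthUserFile "/usr/local/apache/passwd/passwords"
    AuthGroupFile "/usr/local/apache/passwd/groups"
    <RequireAny>
        # Matches without authentication, so reads stay anonymous.
        Require method GET HEAD OPTIONS
        # For any other method this rule must match; an unauthenticated
        # request gets the Basic auth prompt.
        Require group canPostApacheGroup
    </RequireAny>
</Directory>

# Admin area: trusted addresses only, whatever the method.
# With the default "AuthMerging Off" this section replaces the parent's
# authorization rules instead of adding to them.
<Directory "/var/www/html/wp-admin">
    Require ip 192.0.2.0/24
</Directory>
```

Basic authentication sends the password base64-encoded rather than encrypted, so the group-restricted area should only be reachable over HTTPS.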