Staging Site: Made Public – Security Questions

Previously, our staging site had been locked down to local access only. We hired a third party developer to assist with resolving a theme via our ‘local staging server’ remotely. In order to grant them access, we made the staging server resolve externally with an A record in the DNS to the staging subdomain.

From my understanding this is not a best practice and I thought we needed to secure it further. Do I restrict access to the entire subdomain by IP or a Password, or is there a better method?

1 Answer

Whether or not you lock down a staging site really depends on how much you mind the public accidentally seeing a site that’s a “work in progress”. I’d usually consider it more of a branding decision than a security decision.

(This of course wouldn’t apply if you’re in the middle of developing a secure application that might be buggy, but WordPress theming – especially once it gets to the staging site – is unlikely to cause a security risk).

One thing I would recommend doing is in Settings -> Reading, ticking the option that discourages search engines from crawling the site. The last thing you want is a site that’s not complete showing up in search results.

Other than that, the only way for someone to find the site is to know the URL. For a temporary staging site, that’s usually security enough.

If you’re concerned, some quick ways to limit it further would be:

  • Install a maintenance plugin (there are many available in the plugin directory). These work by locking down your site and showing a maintenance page to all but logged-in users. So you can just create users in WP for those who you wish to give access to.

  • Add IP blocking or password protection to .htaccess. This is also fairly easy to do: this StackOverflow answer deals with IP allowing and this answer walks through password protection.

  • As an even quicker alternative to the first option, add if( !is_user_logged_in() ){ die(); } at the top of header.php in the theme. Then any unexpected visitor just sees a blank page. (Thanks to @shahar in the comments)

If you discourage search engine crawling through that option on the Reading page, make yourself a note somewhere to turn it back on when you go live. There’s almost nothing worse than forgetting that!
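As an added illustration of the .htaccess option in the answer above (this is example configuration, not something from the question, the answer, or the linked StackOverflow posts), here is an Apache 2.4 fragment that admits a visitor if they come from an allow-listed address or present a valid basic-auth credential. The IP ranges, the realm name and the htpasswd path are assumed placeholder values; substitute your own.

```apache
# Added example, not from the original page. Apache 2.4 .htaccess for the
# staging document root: allow-listed IPs get straight in, everyone else
# is challenged for a basic-auth username and password.
# All addresses, the realm name and the file path below are assumptions.

# Credentials file kept outside the web root so it can never be served.
# Create it once with:  htpasswd -c /etc/apache2/staging.htpasswd contractor
AuthType Basic
AuthName "Staging site (restricted)"
AuthUserFile /etc/apache2/staging.htpasswd

<RequireAny>
    # Office or VPN egress range (assumed value)
    Require ip 203.0.113.0/24
    # The third-party developer's fixed address (assumed value)
    Require ip 198.51.100.7
    # Anyone not matched above must authenticate
    Require valid-user
</RequireAny>

# Belt and braces for the search-engine point: tell crawlers not to index
# this host even if the Settings -> Reading option is forgotten.
# Requires mod_headers.
Header set X-Robots-Tag "noindex, nofollow"
```

Place this above the standard WordPress rewrite block in the same .htaccess (the rewrite rules stay as they are). The directory's AllowOverride must include AuthConfig and Limit, otherwise move the fragment into the virtual host. Two caveats worth checking before relying on it: on Apache 2.2 the syntax is the older Allow/Deny/Satisfy form, and if the staging host sits behind a CDN or reverse proxy, Require ip will see the proxy's address rather than the visitor's unless mod_remoteip is configured, so test from an outside network after enabling it. Unlike the header.php check, this gate also covers uploads and other static files, and it can be deleted in one step on go-live.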
