
Keep Students from Logging in to your Class Website from Home


Blogging in the classroom is great, but there are times when you don’t want your students working from home. For example, you want to see what your students can do independently – without the help of an older brother or sister. Sometimes that means having your students do their work in class.

If you do everything on paper, then you can just make sure the assignment stays in class. But, if you ask students to publish their work online, then you need a way to keep students from finishing their work from home.

We run several different websites and networks of student blogs for different teachers using a single (multisite) installation of WordPress. Even though it looks like all of our sites are independent from each other (heck, some of them even use different domain names) – underneath the hood, they’re all using a common set of files and code.

When you log in to the administration back end of a WordPress site, you’re in a directory called wp-admin. This is where you can see your dashboard, edit your posts, moderate your comments, etc. Every computer in the world has a unique address, called its IP address. (If you want to know what your IP address is, you can visit a site like wp-adress.com.)

It’s easy to figure out the “IP address” of your school computers and then to set up your class website to only allow visitors from these machines to log in.

Although there are lots of ways to restrict access to this “wp-admin” back end of your self-hosted WordPress website, if you’re not careful, you might accidentally lock out students and teachers from other sites. (And then you get a flood of e-mails and comments from students, teachers, and parents, letting you know that they couldn’t access their website from home.)

Three ways to lock down your class website

1. Using an .htaccess file

  • If you’re only running one class website, then one of the best ways is to use an .htaccess file to restrict access to your website.
  • This is also a great way to protect your website from hackers because it keeps computers from the wrong IP address from even getting to the important files in your wp-admin directory.
  • Unfortunately, if you’re running a multisite WordPress blog, then all of your websites will get locked down.

2. Using the WP Block Admin plug-in

  • WP Block Admin is a great WordPress plug-in that lets you keep students from accessing the back end of your WordPress blog based on what user account you give them. We use this on a number of our websites.
  • By default, this plug-in redirects subscribers, contributors, and authors to the front of your class website. Editors and administrators (i.e. teachers) are able to log in and see the back administrative side of the website.
  • Unfortunately, this plug-in can’t figure out if you’re at school or at home – it only restricts access based on your user level. Students will still be able to work from home.

3. Using the Private! WordPress Access Control Manager plug-in

  • Private! WordPress Access Control Manager is a comprehensive security plug-in that gives you several different ways to lock down your class website. You can use it to create a completely private website, restrict certain parts of the website, or allow complete access to your site.
  • It also lets you lock down the administrative backend (/wp-admin) of your website to a single IP address. This means that you can lock your class website so that students can’t edit their posts from home.
  • Unfortunately, it seems that if you lock down one website so that it can only be accessed at school, then all of your websites are affected. (We learned that the hard way.)
  • Also, there was no way to create a custom message telling students that they cannot access the blog from home.
  • Finally, the Private! WordPress Access Control Manager won’t even allow you to log in from home… which means that teachers will also be locked out of their websites. (If you accidentally lock yourself out of your class blog, you have to delete a specific file in order to let yourself back in.)

We couldn’t find an easy way to block access to the site administration (wp-admin) of our multisite WordPress blog… so we made a plug-in.

Block wp-Admin by IP: Block access to the site administration (wp-admin) of your multisite WordPress installation: [download id=”1″]

This is one of our first plug-ins, so please be patient. Eventually, we will be uploading it to the WordPress plug-in directory to make it easier for classroom teachers to install it on their class websites.

For the time being, you can download the plug-in here: [download id=”1″]

Restrict access so that only computers from a specific IP address can access the administrative backend of your blog (/wp-admin). Everyone will still be able to log into your site, however only users at the correct IP address will be able to visit site administration pages.

  • Administrators, Network (Super) Administrators, and other users who are able to “manage_options” will always be able to access the back end of your site. (This means that teachers will be able to access their class website from home and school.)
  • The first time you activate this plug-in, it will detect your current IP address and automatically restrict access to your administrative panels.
  • Visit the settings page (Settings > Block wp-admin by IP) to change the IP address or to create a custom error message.

Note: this plug-in is only designed to prevent users from adding/editing posts or accessing the administrative end of a WordPress website.

  • It uses the is_admin function to check whether the dashboard or the administrative panels are being requested, and then checks your IP address to see if you are allowed access.
  • It is not intended to be a security plug-in. There are other ways to lock down/harden your WordPress installation.
  • You will still be able to access the login page (wp_login). This means that users can still log in to access the front end of your website and leave comments. They simply won’t be able to access the back end.
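
The check described above (is_admin, the “manage_options” exemption, then the IP comparison) can be sketched as follows. This is an added example, not the plug-in’s own code; the option names and the `example_gate_*` functions are hypothetical, and it assumes the web server sees the visitor’s real address in `REMOTE_ADDR`.

```php
<?php
/*
Plugin Name: Example wp-admin IP gate (illustration only)
*/

// Hypothetical option names. get_option() reads the options of the site
// being requested, so on multisite every site keeps its own allowed address
// and locking one class site does not lock the others.
const EXAMPLE_GATE_IP_OPTION  = 'example_gate_allowed_ip';
const EXAMPLE_GATE_MSG_OPTION = 'example_gate_message';

// Binary form of an address, so equivalent spellings of the same IPv6
// address compare equal. Returns false for anything that is not an IP.
function example_gate_packed_ip( $ip ) {
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? inet_pton( $ip ) : false;
}

function example_gate_check() {
    // is_admin() is true for every request under /wp-admin, which also
    // includes admin-ajax.php and admin-post.php.
    if ( ! is_admin() ) {
        return;
    }
    // Anonymous requests are left to WordPress's own login checks, so
    // front-end features that call admin-ajax.php keep working for visitors.
    if ( ! is_user_logged_in() ) {
        return;
    }
    // Teachers and network administrators may work from anywhere.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }
    $allowed = example_gate_packed_ip( get_option( EXAMPLE_GATE_IP_OPTION, '' ) );
    if ( false === $allowed ) {
        return; // Nothing valid configured yet: do not lock anyone out.
    }
    // Use the socket peer address only. X-Forwarded-For and similar headers
    // are supplied by the client and can be set to any value.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( example_gate_packed_ip( $remote ) === $allowed ) {
        return;
    }
    $message = get_option( EXAMPLE_GATE_MSG_OPTION, 'Site administration is only available at school.' );
    wp_die( esc_html( $message ), 'Access restricted', array( 'response' => 403 ) );
}
add_action( 'admin_init', 'example_gate_check' );
```

If the site sits behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy’s address for every visitor, so the comparison no longer tells school from home. A school’s public address can also change, which locks students out until the setting is updated.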