WP Engine Products

WordPress Hosting

Boost performance while managing less

WooCommerce Hosting

Build faster and sell more with WooCommerce

Agency and Client Management

Automate client billing, reporting, & more

Headless WordPress

Build, deploy, and manage headless sites

View More Products

Solutions

Small Businesses

Enterprises

Agencies

eCommerce

View More Solutions

Website Tools

Smart Plugin Manager

Website Tester

Website Monitoring

WordPress Themes and Tools

Local WordPress Development

Featured Plugins

Advanced Custom Fields

Build rich, custom content editing experiences

WP Migrate

Migrate WordPress sites with confidence

WP Offload Media

Offload media assets & serve them lightning fast

WP Offload SES

Improve email send reliability with Amazon SES

View More Recommended Plugins

WordPress Resources

WP Engine Resources

Articles and videos for help with WordPress

WP Engine Help Docs

Guides for site setup & troubleshooting

Free Website Migration

Automated migration plugin & support

Find a WordPress Agency

Need help? Search our agency directory

Stay Connected

WP Engine Blog

Builder Community

Headless Developer Community

Torque Magazine

Velocitize Magazine

Thought Leadership

Velocitize Talks

Erik Posthuma of Aleph-labs on Web3, Cryptocurrency, & More

Podcast

Press This, the WordPress Community Podcast

Study

The World’s First Study of the WordPress Economy

Why WP Engine?

Our Platform Technology

Managed WordPress Hosting

Fast WordPress

Secure WordPress

24/7 WordPress Support

About Us

WP Engine Reviews

How You Win with WP Engine

Build faster, protect your brand, and grow your business with the #1 WordPress platform to power remarkable online experiences.

Learn More

Customer Spotlight

Peak Performance With Headless WordPress

Android Authority increases speed 6x by adopting a headless architecture with a WordPress back-end.

All Case Studies

Contact sales

Call Us

1-877-973-6446 to talk to a sales expert

Request a Quote

Submit a request for a personalized plan recommendation

Let’s Chat

Customer Support

Support Articles

Billing Help

Password Help

Log In for Support
Easiest Migration Ever!

Need Help Choosing a Plan?

We offer solutions for businesses of all sizes. For questions about our plans and products, contact our team of experts. Get in touch

Support Center
Setup A Site
Account & Features
Platform Information
WordPress Help
Troubleshoot
Browse All

Web Rules Engine

Last updated on October 11th, 2021

The Web Rules Engine is a User Portal-based service that enables you to self-serve site access rules as an alternative to .htaccess rules. The service currently supports management of the following rule types: IP-based Allow/Deny rules and response headers.

Table of Contents
1. Overview
1.1. Access Web Rules
2. Add Access Rule
2.1. Insert Relative Access Rule
2.2. Edit Access Rule
2.3. Delete Access Rule
2.4. Access Rule Order
2.5. Access Rule Conditions
2.6. Access Rule Examples
3. Header Rules
3.1. Add Header Rule
3.2. Header Rule Examples
3.3. Unsupported Headers

Overview

The Web Rules Engine enables you to self-manage certain site traffic behaviors from the User Portal, such as:

  • Disallowing IP/Range access to protect against malicious attacks and other negative site behavior
  • Allowing IP/Range access for known good actors
  • Preventing direct access to private files
  • Modify cache-control headers and security headers

For those who previously leveraged .htaccess file rules to self-manage and control these behaviors, the Web Rules service can now be used instead via the User Portal. 

Access Web Rules

To manage access and header rules for any environment:

  1. Log in to the User Portal
  2. Select the environment name
  3. Click Web Rules in the menu

Web Rules functionality is enabled by default on all environments. If you do not see the “Web Rules” link in your User Portal, please reach out to our Support team.

NOTE: In some cases there may temporarily be a third Global Setting available on the page above that reads “Enable .htaccess support”. This option is only available in specific cases, you can learn more about it here.

Add Access Rule

To add a new web rule:

  1. Open the Web Rules engine
  2. Select Access Rules
  3. Click Add Rule
  4. Enter the rule
  5. Click Add Rule to validate and save the new rule
  6. Once your web rules have been validated and applied, they will populate in the rule table

Insert Relative Access Rule

Users with existing web rules have additional options for adding new rules in relation to existing rules. This can be useful when creating rules whose order is significant.

  1. Open the Web Rules page
  2. Locate an existing rule
  3. Click the 3 dot menu icon to the right
  4. Select Insert rule above or Insert rule below

Edit Access Rule

To edit an existing access rule, for example manually changing the order or IP:

  1. Open the Web Rules page
  2. Locate the rule you wish to edit
  3. Click the 3 dot menu icon to the right
  4. Select Edit Rule
  5. Make the necessary changes, then click Save and apply to revalidate and apply the update

Delete Access Rule

To delete an existing web rule:

  1. Open the Web Rules page
  2. Locate the rule you wish to edit
  3. Click the 3 dot menu icon to the right
  4. Select Delete Rule

Access Rule Order

Web rules are read from top to bottom and the web Rule order allows you to manually organize the rules. The lowest order number is at the top of the list (read first) and the highest order number is at the bottom of the list (read last). Rules must have an order value that is greater than zero and should be within a reasonable range. For example, if you have two rules they should have the order 1 and 2, not 1 and 100.

The order of web rules can be critical to how they function because rules can impact each other depending on the order they are read. Rules that are read first take priority. For example, an IP range can be blocked but a specific IP address within that range can be allowed. To do this the rule allowing the specific IP address must be read before (listed above) the rule blocking the IP range.

For example, to block all IPs from accessing the wp-admin but allow a single IP access, the rules should look like the following:

When adding a rule relative to another rule the order values will be updated automatically. It’s recommended to use the relative adding method when possible, rather than manually setting each value, to ensure the order is applied as intended.

Access Rule Conditions

Conditions can be one of the following types:

  • URI
  • QUERY_ARG
  • REQUEST_METHOD
  • HEADER

Conditions can with the following operators, depending on the type:

  • Equal to ( = )
  • Not equal to ( != )
  • Regex match ( ~ )
  • Negative regex match ( !~ )

Below are the supported parameters for each conditional variable type:

TypeName [Optional]Operator(s)Value
URInull=, ~, !=, !~str
QUERY_ARGnull=, ~, !=, !~str
REQUEST_METHODnull=, !=enum
HEADERstr=, ~, !=, !~str

Access Rule Examples

Below are some examples of common rules you may use. Rules can be modified as necessary, for example switching deny and allow, or using an IP range versus a single IP.

Deny an IP address:

  • Action: Deny
  • IP: [IP address to deny]
  • Conditions: None are needed

Deny a bot by way of its user agent:

  • Action: Deny
  • IP: All
  • Conditions:
    • Type: Header
    • Name: User-Agent
    • Operator: Regex matches (~)
    • Value: [Enter the actual user agent name in this field] EX: badbot

Block xmlrpc.php for all IP addresses:

  • Action: Deny
  • IP: All
  • Conditions:
    • Type: URI
    • Operator: Regex matches (~)
    • Value: xmlrpc.php

Allow a single IP address access to wp-admin and deny all other IPs access:

First rule:

  • Order: 1
  • Action: Allow
  • IP: [IP address to allow]
  • Conditions:
    • Type: URI
    • Operator: Regex matches (~)
    • Value: wp-login

Second Rule:

  • Order: 2
  • Action: Deny
  • IP: All
  • Conditions:
    • Type: URI
    • Operator: Regex matches (~)
    • Value: wp-login

Header Rules

Using the Web Rules Engine, response headers can be set. This section can be used to add security headers or to modify cache behavior via cache control headers.

Header rules function the same as access rules; they are read in cascading order and can be set/unset by header name.

Add Header Rule

To add a header rule to Nginx:

  1. Log in to the User Portal
  2. Select the environment name
  3. Click Web Rules
  4. Select Header Rules
  5. Click Add header rule
  6. Enter the rule, then click Save

Header Rule Examples

Set a Header to Allow All Access Control for 2xx status responses:

  • Action: Set
  • Name: Access-Control-Allow-Origin
  • Value: *
  • When: Only on successes
  • Conditions: None are needed

Unset Set-Cookie header for all responses:

  • Action: Unset
  • Name: Set-Cookie
  • When: All responses
  • Conditions: None are needed

Set Cache Control for URIs in /resources:

  • Action: Set
  • Name: Cache-Control
  • Value: max-age=604800, public
  • When: Only on successes
  • Conditions:
    • Type: URI
    • Operator: Regex matches (~)
    • Value: /resources/

Set HSTS header for 2 years, include subdomains, and preload:

  • Action: Set
  • Name: Strict-Transport-Security
  • Value: max-age=63072000; includeSubDomains; preload
  • When: Only on successes
  • Conditions: None are needed

Unsupported Headers

  • “x-powered-by”,
  • “server”,
  • “date”,
  • “x-orig-cache-control”,
  • “nr-enabled”,
  • “x-cache”,
  • “x-cache-group”,
  • “x-cacheable”,
  • “X-pass-why”:

NEXT STEP: Learn how to enable WebP for image optimization

Still need help? Contact support!

We offer support 24 hours a day, 7 days a week, 365 days a year. Log in to your account to get expert one-on-one help.

Log in for one-on-one help

The best in WordPress hosting.

See why more customers prefer WP Engine over the competition.

See Our Products

See Our Plans