How to Block All External IP Traffic to Wordpress Website but Allow my own IP Address?

Server OS: Ubuntu 22.04

Current Version:  2.3
Build:  5
Current Commit:  31f2450fdc40e606bdb084ed6d07cb14d7ee67ba
Latest Version:  2.3
Latest Build:  5
Latest Commit:  31f2450fdc40e606bdb084ed6d07cb14d7ee67ba

Hi there, I’m looking for a way to completely block external traffic to an instance of a WordPress website on my server. My goal is to re-deploy and fix a WordPress site that has been subject to the recent Remote Code Execution (RCE) vulnerability found in the Bricks Builder theme. While it was previously thought that simply doing a restoration of a site is enough, there is a persistent backdoor if you do not restore a backup to a brand new instance of WordPress.

If you’re unaware of the security vulnerability, how it works, and how to fix it, there’s a good video on YouTube called “The patch #2 - attacking the website and how to avoid similar attacks in the future.” by Emil Trägårdh (Channel is @etragardh) — the forum isn’t allowing me to link out to YouTube for some reason.

Essentially, I need to be able to create a new website on CyberPanel, then restrict access for it to only my IP address. I have tried adjusting the Rewrite Rules to each of the following (neither blocked external traffic).

Order Deny,Allow
Deny from all
Allow from YOUR_IP_ADDRESS

and

RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^your\.ip\.address\.here$
RewriteRule .* - [F]

Lastly, I have also tried going into Litespeed directly and changing the following…

Litespeed > Virtual Hosts > {my-website-domain} > Security > Access Control

I changed the allow/deny list as follows…

Allowed List: MY_IP_ADDRESS
Denied List: ALL

This partially worked, allowing only myself to view the domain root, but no additional pages and directories.

Any help or guidance is greatly appreciated.

Cheers,


Brian
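
Added example (not part of the original post and not CyberPanel or LiteSpeed code): a Python sketch that fills the placeholder in the rewrite rule quoted above for one IPv4 address and emulates how the negated `RewriteCond` classifies client addresses, showing why the `^`/`$` anchors in that rule matter. The function names and addresses are constructed for illustration (documentation-range IPs), and Python's `re` stands in for the server's regex engine as an assumption; it does not diagnose why the rule had no effect on the server described in the post.

```python
import ipaddress
import re

def cond_pattern(allowed_ip: str) -> str:
    """Negated, anchored pattern for one IPv4 address, as in the quoted RewriteCond."""
    ip = ipaddress.IPv4Address(allowed_ip)   # raises ValueError on malformed input
    return "!^" + re.escape(str(ip)) + "$"   # escape dots, anchor both ends

def build_rewrite_block(allowed_ip: str) -> str:
    """The rewrite rule from the post with the placeholder filled in."""
    return ("RewriteEngine On\n"
            f"RewriteCond %{{REMOTE_ADDR}} {cond_pattern(allowed_ip)}\n"
            "RewriteRule .* - [F]\n")

def is_forbidden(cond: str, remote_addr: str) -> bool:
    """Emulate the decision: [F] fires when the condition is true.
    A leading '!' makes the condition true when the pattern does NOT match."""
    negate = cond.startswith("!")
    matched = re.search(cond[1:] if negate else cond, remote_addr) is not None
    return not matched if negate else matched

def classify(cond: str, clients: list[str]) -> dict[str, int]:
    """Map each client to 403 (rule fires) or 200 (this rule lets the request through)."""
    return {addr: 403 if is_forbidden(cond, addr) else 200 for addr in clients}

# Constructed sample data (documentation address ranges, not real clients).
ALLOWED = "203.0.113.5"
CLIENTS = ["203.0.113.5", "203.0.113.50", "203.0.113.55", "198.51.100.7"]

if __name__ == "__main__":
    print(build_rewrite_block(ALLOWED))
    anchored = cond_pattern(ALLOWED)
    unanchored = "!" + re.escape(ALLOWED)    # same rule without ^ and $
    for label, cond in (("anchored", anchored), ("unanchored", unanchored)):
        print(label, classify(cond, CLIENTS))
```

Without the anchors, any address that merely contains the allowed one as a substring (here `203.0.113.50` and `203.0.113.55`) is also let through.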

Hi there,

Does anybody have any idea about this?

Thanks!