Forum Moderators: phranque


block all but one IP in WP

         

smallcompany

12:10 pm on Jul 2, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm working on a WP-based site, and wanted to block all but my IP. This is the .htaccess:

order deny,allow
deny from all
allow from MYIPADDRESS (real IP address)

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress


I'm traveling, and as my IP has changed, it turned out that instead of a 403 I was still able to access the site, but somewhat broken (i.e. missing images and CSS). I was able to see the site regularly after I matched the IP address.

Why wouldn't the above deny work as expected?

Thanks

lucy24

6:11 pm on Jul 2, 2015 (gmt 0)




missing images and css

In other words, the site allowed you to see the HTML but not the supporting files.

This is a tricky (and interesting!) question because each module is an island. Nothing in mod_rewrite can overrule the mod_authwhatsit directives (Allow/Deny), and vice versa. If any module at any point has issued a 403, the request will be denied, no matter what happens in other modules.

The complication is that the pages, unlike the supporting files, don't really exist (the "index.php" and !-f business that's common to WP and several other well-known CMS). So somehow the "Deny" directive doesn't kick in. As an experiment, try requesting example.com/index.php-- as opposed to plain "example.com" or whatever you normally use-- explicitly by name. Do you then get locked out?

Another possible explanation is that the config file-- not your individual htaccess-- has a directive something like this:
<Files "index.php">
Order Allow,Deny
Allow from all
</Files>
This is a possibility if you're on shared hosting with a company that supports a lot of WP sites; it's to prevent infinite loops if there's a WP-internal 403.

What happens when you do get a 403 as intended? That is, what do you see on the browser screen?

Do you have access to your site's error logs? Not the regular access.log but error.log. If so, have a closer look and see what comes up. Error logs don't always show 403s-- it depends on the server's log level-- but mine do. If you don't know your current (non-home) IP look at the appropriate time frame. I gather this is a development site, so error logs shouldn't be too fat.

smallcompany

7:09 pm on Jul 2, 2015 (gmt 0)




Thanks very much for your thorough reply.

It's my VPS, but my server knowledge is limited (great chance to learn something new). By searching further, I managed to find a solution; it at least behaves like that after some basic testing.

I put my deny,allow at the bottom, and I entered RewriteEngine Off prior to that. That made the site return 403 except when my IP address was allowed.

Thanks

smallcompany

4:55 pm on Jul 4, 2015 (gmt 0)




This works for the homepage only. Any other page that requires RewriteEngine will produce a 404. :/

lucy24

6:20 pm on Jul 4, 2015 (gmt 0)




Whew. I honestly couldn't figure out why or how your posted fix would work :(

Try this, just because I'm curious. Delete the "RewriteEngine off" line (no CMS will work without use of mod_rewrite) and instead add this package to your existing htaccess:
<Files "index.php">
Order Deny,Allow
Deny from all
Allow from { your-IP-here }
</Files>
A Files envelope executes after everything else, so it doesn't matter where it's located. Just put it where you can find it again.

I'd also still like to know what you see-- physically-- when you get a 403 for the front page. Do you have a custom 403 page (one that really exists), is the page built by WP, or is there a server default?

smallcompany

3:54 pm on Jul 5, 2015 (gmt 0)




That was it!

With my IP allowed, all was good.

When I changed the IP in .htaccess, I got the default 403 on homepage and an inner page as well.

Thanks!

Plus, I hope this helps other folks in the same situation, as looking on the net did not bring the final resolution that easily. I believe I saw something like this (for index.php), but cannot confirm it 100% at this moment.
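
A way to check for the partial enforcement this thread started with (HTML served, CSS and images refused), as an added example that is not from any poster: run it from an address that is not on the allow list and every probe should come back 403. The probe paths, the function names and the sample statuses are assumptions constructed for illustration; adjust the paths to the site being tested.

```python
"""Run from an address that is NOT on the allow list: every probe should be 403."""
import sys
import urllib.error
import urllib.request

# Assumed paths, one per way a WordPress URL gets served; adjust to the site.
PROBES = {
    "front page": "/",
    "index.php by name": "/index.php",
    "inner page (rewritten to index.php)": "/sample-page/",
    "static file (served directly)": "/wp-includes/css/dashicons.min.css",
}
STATIC = "static file (served directly)"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report a 3xx as-is rather than following it


def fetch_status(base, path, timeout=10):
    """Return the HTTP status code for base + path."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def leaks(statuses):
    """Labels whose status is anything other than 403."""
    return sorted(label for label, code in statuses.items() if code != 403)


def verdict(statuses):
    """Summarise a {label: status} mapping as one of three outcomes."""
    if not leaks(statuses):
        return "enforced"
    if statuses.get(STATIC) == 403:
        return "partial: static files blocked, PHP-routed pages served"
    return "not enforced"


# Constructed sample matching the symptom in the first post: HTML came back, CSS did not.
SAMPLE = {"front page": 200, "inner page (rewritten to index.php)": 200, STATIC: 403}

if __name__ == "__main__":
    results = {label: fetch_status(sys.argv[1], path) for label, path in PROBES.items()}
    for label, code in results.items():
        print(f"{code}  {label}")
    print(verdict(results))
    sys.exit(1 if leaks(results) else 0)
```

Pass the site's base URL as the only argument; the exit status is non-zero if any probe returned something other than 403.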