If you are a WordPress blog user, one of the first areas where you have to focus is WordPress security. WordPress is one of the most popular CMSs in the world, but it is also the most attacked one. That’s why today we will show you how to block URL access to wp-admin and wp-login.php for everyone except your own IP address if you are using the Nginx web server.
Requirements
- Nginx running on your server. This tutorial is only for Nginx; Apache is not covered in this guide.
- WordPress already configured and working on Nginx. If you don’t know how to do this, you can follow this tutorial: WordPress Configuration for Nginx
How can I block URL access to wp-admin and wp-login.php using the Nginx web server?
By setting up this kind of IP-based protection, your WordPress website is no longer exposed to the brute force attacks that increase every day against the most used CMS on earth. This will help you avoid hacking attempts against your WP administrative area: the attacker will not even be able to load wp-admin or wp-login.php, because the request does not come from an allowed (whitelisted) IP.
Nginx: Block Access to WordPress Administrative Area
Edit your Nginx vhost file or your nginx.conf, depending on how you configured your Nginx service.
nano -w /etc/nginx/nginx.conf
Add the following location block inside your server block; it allows your own IP and denies everyone else:
location ~ ^/(wp-admin|wp-login\.php) {
    allow 111.111.111.111;
    deny all;
}
If you have WordPress installed inside /blog/ sub-folder, then you should use this instead:
location ~ ^/blog/(wp-admin|wp-login\.php) {
    allow 111.111.111.111;
    deny all;
}
Replace 111.111.111.111 with your real static IP address.
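One caveat with the snippet above: Nginx uses the first regex location that matches, so depending on where you paste it the block either catches wp-login.php before your PHP handler (and, having no fastcgi_pass, serves the raw PHP source, as one comment below reports) or, placed after the PHP handler, never sees wp-login.php at all (as another comment reports). The following is an added example, not the article's own configuration, that keeps the IP restriction and still hands the PHP files to PHP-FPM; it assumes the Debian-style snippets/fastcgi-php.conf and php7.3-fpm.sock paths quoted in the comments, the 111.111.111.111 placeholder address, and placeholder root and server_name values, and it additionally keeps /wp-admin/admin-ajax.php open because themes and plugins call it for ordinary visitors.

```nginx
# Added example (not the article's own snippet). Assumes the Debian/Ubuntu
# PHP-FPM layout quoted in the comments (snippets/fastcgi-php.conf and the
# php7.3-fpm.sock socket); adjust both, and the allowed address, to your server.
server {
    listen 80;                       # keep your existing listen/ssl lines
    server_name www.yoursite.com;    # hostname used in the article
    root /var/www/html;              # placeholder: your WordPress document root
    index index.php;

    # Login page: restrict by IP AND keep passing the file to PHP-FPM.
    # Without the fastcgi lines Nginx would treat wp-login.php as a static
    # file and return its raw PHP source to an allowed client.
    location = /wp-login.php {
        allow 111.111.111.111;
        deny  all;                   # 403 Forbidden for everyone else
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
    }

    # admin-ajax.php is used by many themes/plugins for normal visitors; an
    # exact-match location beats the prefix block below, so it stays reachable.
    location = /wp-admin/admin-ajax.php {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
    }

    # Whole admin area (PHP, CSS, JS, images). "^~" stops Nginx from
    # consulting regex locations, so the generic "\.php$" block at the
    # bottom can never take over requests under /wp-admin/.
    location ^~ /wp-admin/ {
        allow 111.111.111.111;
        deny  all;
        # Nested PHP handler; it inherits the allow/deny rules above.
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
        }
    }

    # Permalinks and the rest of the public site.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    # Generic PHP handler for everything outside the protected paths.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
    }
}
```

Run nginx -t before reloading. allow/deny compare the address of the connecting client, so if the site sits behind a CDN or reverse proxy you must configure the real_ip module first, otherwise every visitor appears to come from the proxy.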
Test your wp-admin and wp-login.php area
Browse http://www.yoursite.com/wp-admin/ or http://www.yoursite.com/wp-login.php
You can also test this using curl from your Linux shell. See the examples below.
Run curl from your allowed host and you’ll get a 200 OK status:
[webtech@localhost ~]$ curl -I https://nixcp.com/wp-login.php
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 15 Feb 2017 14:50:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; secure
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15724800; includeSubdomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: https://nixcp-tecnomagazine.netdna-ssl.com https://ajax.googleapis.com https://traffic.tmzimg.com https://mc.yandex.ru
X-Xss-Protection: 1; mode=block
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
Run curl from any other host and you’ll be rejected with 403 Forbidden:
$ curl -I https://nixcp.com/wp-login.php
HTTP/1.1 403 Forbidden
Server: nginx
Date: Wed, 15 Feb 2017 14:51:22 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
X-Xss-Protection: 1; mode=block
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
Conclusion
As you see, protecting wp-admin and wp-login.php access is pretty easy if you are using Nginx. You just need a fixed static IP address; alternatively, you can purchase a VPN connection that gives you your own static IP. Both methods work.
By blocking URL access to wp-admin and wp-login.php in Nginx you reduce the risk of attacks against your WP administrative area: no more brute force attempts from unwanted visitors.
I tried your code out and it didn’t work. What it did do, which is something I’ve been trying to solve, is that it triggers a file download of the raw PHP code of the index file in wp-admin.
Place it under the following:
location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
}
Thank you sir, wp-admin is now only accessible from some IP addresses, but sadly I can still access wp-login.php from any IP, even though the view is broken.
Do you have any solution for this? Please let me know.