Nginx Tutorial: Block URL Access to wp-admin and wp-login.php to all except my IP address

If you are a wordpress blog user one of the first are where you have to focus is on WordPress Security. WordPress is one of the most popular cms of the world, but it is also the most attacked one. That’s why today we will show you how to block URL access to wp-admin and wp-login.php to all except for your IP address if you are using Nginx web server.

Requirements

  • Nginx running on your server. This tutorial is only for Nginx, Apache is not covered in this guide.
  • WordPress already configured and working on Nginx. If you don’t know how to do this, you can follow this tutorial: WordPress Configuration for Nginx

How can I Block URL Access to wp-admin and wp-login.php using Nginx web server?

By setting this kind of IP based protection, your WordPress website will no longer be vulnerable to brute force attacks, that are increasing every day for the most used CMS on earth. This will help you to avoid hacking attempts against your WP administrative zone, the attacker will not be able to even load the wp-admin or wp-login.php files because he is not coming from an allowed / whitelisted IP.

Nginx: Block Access to WordPress Administrative Area

Edit your nginx vhost file, or your nginx.conf, this depends on the way you configured your Nginx service.

nano -w /etc/nginx/nginx.conf

Use the following code to deny all nginx config directives inside the server blocks:

  location ~ ^/(wp-admin|wp-login\.php) {
                allow 111.111.111.111;
                deny all;
  }

If you have WordPress installed inside /blog/ sub-folder, then you should use this instead:

location ~ ^/blog/(wp-admin|wp-login\.php) {
                allow 111.111.111.111;
                deny all;
}

Replace 111.111.111.111 with your real static IP address.

Test your wp-admin and wp-login.php area

Browse http://www.yoursite.com/wp-admin/ or http://www.yoursite.com/wp-login.php

You can also test this using CURL from your Linux shell. See the examples above.

Run curl from your allowed host and you’ll get a 200 OK state:

[webtech@localhost ~]$ curl -I https://nixcp.com/wp-login.php
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 15 Feb 2017 14:50:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; secure
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15724800; includeSubdomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: https://nixcp-tecnomagazine.netdna-ssl.com https://ajax.googleapis.com https://traffic.tmzimg.com https://mc.yandex.ru
X-Xss-Protection: 1; mode=block
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'

Run curl from outside and you’ll be rejected:

[[email protected]:~]curl -I https://nixcp.com/wp-login.php
HTTP/1.1 403 Forbidden
Server: nginx
Date: Wed, 15 Feb 2017 14:51:22 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
X-Xss-Protection: 1; mode=block
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'

Conclusion

As you see, protecting wp-admin and wp-login.php access is pretty easy if you are using Nginx. You just need to have a static fixed IP, or you can also purchase a VPN connection to have your own static IP too. Both methods should work.

By setting a Nginx Block URL Access to wp-admin and wp-login.php you are reducing the risks of attacks against your WP administrative area, no more brute force attacks from unwanted visitors.

About the Author: Martin Keler

3 Comments

  1. I tried your code out and it didn’t work. What it did do, which is something I’ve been trying to solve is it triggers a file download of the RAW PHP code of the index file in wp-admin

  2. Place it under the:

    location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
    }

    1. Thankyou sir, wp-admin now is only accessable with some IP Address but sadly i can still access wp-login .php with any IP even the view is break

      do you have any solution for this, please let me know

Leave a Reply

Your email address will not be published. Required fields are marked *