ScaleScale

Secure your WordPress Admin allowing access to only one IP Address on Nginx

If you administer a WordPress site and are worried about its security, one simple and effective measure is to restrict the WordPress admin area to your own public IP address: Nginx allows requests to /wp-admin/ and /wp-login.php only from that address and answers everyone else with 403 Forbidden. Because the login form is no longer reachable from the rest of the Internet, brute-force password guessing against it, and attacks on vulnerabilities in the admin area, are stopped at the web server before they ever reach PHP. The price is that you need a static IP address (or a fixed range you can whitelist); if your address changes, you lock yourself out until you update the rule.

The easiest way to block the WordPress admin URLs (www.yoursite.com/wp-login.php and www.yoursite.com/wp-admin/, or www.yoursite.com/blog/wp-admin/ for a blog installed under a sub-path) is an allow/deny rule in the Nginx configuration. Let's begin.

Edit the Nginx configuration file that contains your site's server block (nginx.conf itself, or, on Debian/Ubuntu, usually a file under /etc/nginx/sites-available/):

nano -w /etc/nginx/nginx.conf

Add the following location block inside the server block. Two things matter about its placement: regex locations are tried in the order they appear in the file and the first match wins, so this block must come before any generic location ~ \.php$ block, otherwise wp-login.php keeps being handled by the PHP block and the restriction never applies. Conversely, a request that passes the allow/deny check still has to reach PHP-FPM, so put your fastcgi directives (or a nested location ~ \.php$) inside this block as well; without them Nginx would serve wp-login.php as a plain file.

location ~ ^/(wp-admin|wp-login\.php) {
    allow xx.xx.xx.xx;   # your static public IP address
    deny all;            # everyone else receives 403 Forbidden
}

If WordPress is installed under /blog/, anchor the paths there instead:

location ~ ^/blog/(wp-admin|wp-login\.php) {
    allow xx.xx.xx.xx;   # your static public IP address
    deny all;            # everyone else receives 403 Forbidden
}

Replace xx.xx.xx.xx with your actual static public IP address. A CIDR range such as 203.0.113.0/24 also works if you connect from a fixed block, and you can list several allow lines before the deny. One caveat: if Nginx sits behind a reverse proxy, load balancer or CDN, the connecting address it sees is the proxy's, not yours, and the rule will answer 403 to everybody, including you. In that setup configure the realip module (set_real_ip_from for the proxy's address range and real_ip_header for the header it sets) so that allow/deny evaluates the real client address.

Check the configuration syntax, then reload Nginx to apply the changes:

nginx -t
service nginx reload
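Putting the steps together, here is a complete server block. It is an added example, not the configuration from the original tip. Instead of the single regex above it uses an exact-match location for wp-login.php and a prefix location for /wp-admin/, so it does not depend on appearing before the generic PHP location, it keeps /wp-admin/admin-ajax.php open because front-end plugins call that file, and it still passes allowed requests to PHP-FPM. The allowed address 203.0.113.10, the PHP-FPM socket /run/php/php-fpm.sock, the document root /var/www/html, the hostname www.yoursite.com and the proxy range 10.0.0.0/8 are assumptions; substitute your own values.

```nginx
# Added example, not the original tip's configuration. Assumed values: allowed
# IP 203.0.113.10, PHP-FPM at unix:/run/php/php-fpm.sock, WordPress installed
# in /var/www/html and served as www.yoursite.com.
server {
    listen 80;
    server_name www.yoursite.com;
    root /var/www/html;
    index index.php;

    # If a reverse proxy, load balancer or CDN sits in front of Nginx, every
    # request arrives from the proxy's address and allow/deny would evaluate
    # that instead of the visitor's IP (everyone gets 403, you included).
    # Trust only the proxy's range and take the client address from its header
    # (assumed values):
    # set_real_ip_from 10.0.0.0/8;
    # real_ip_header   X-Forwarded-For;

    # Pretty permalinks: real file, then directory, then hand off to WordPress.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Front-end plugins call admin-ajax.php, which lives under /wp-admin/.
    # An exact match has the highest priority, so this file stays reachable
    # by everyone even though /wp-admin/ below is restricted.
    location = /wp-admin/admin-ajax.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # The login form: only the allowed address gets past, everyone else is 403.
    # The fastcgi directives are repeated here because an allowed request must
    # still reach PHP; without them Nginx would serve wp-login.php as a file.
    location = /wp-login.php {
        allow 203.0.113.10;
        deny  all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # The admin area. "^~" is a prefix match that stops the regex search, so
    # the generic "~ \.php$" block at the bottom never takes these requests,
    # regardless of where it appears in the file. allow/deny is inherited by
    # the nested location: CSS and JS under /wp-admin/ are served from disk,
    # PHP files go to PHP-FPM, both only for the allowed address.
    location ^~ /wp-admin/ {
        allow 203.0.113.10;
        deny  all;
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    # All other PHP on the site.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

For a WordPress installed under /blog/, prefix the three restricted paths accordingly (= /blog/wp-admin/admin-ajax.php, = /blog/wp-login.php and ^~ /blog/wp-admin/). Run nginx -t after editing; the nested location and the exact matches are accepted by any current Nginx release.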

Testing the WordPress protection

Run these commands from a shell outside your allowed network (the response headers alone are enough):

curl -I http://www.yoursite.com/wp-admin/
curl -I http://www.yoursite.com/wp-login.php

A 403 Forbidden response from an address that is not on your allow list means the rule is working. Then repeat the requests from the allowed IP: you should get 200 OK, or a 302 redirect from /wp-admin/ to the login page, but not 403. If even the allowed address receives 403, Nginx is most likely seeing a different source address than you expect (a proxy or CDN in front of it, or a dynamic IP that has changed); compare the client address recorded in the access log with the one in your allow line. Another way to test is simply to open http://www.yoursite.com/wp-admin/ in a browser on a network outside your allowed IP.

Esteban Borges

Linux Geek, Webperf Addict, Nginx Fan. CTO @Infranetworking

  • smith

    Hi,

    Not a good idea to block wp-admin. Plugins that do ajax make use of a file under wp-admin. Yes, even those that operate on the frontend.

  • @smith,

    Then add your server IP address to whitelist.

  • I added my own IP to the allow directive and denied the rest of the world, but when I visit the wp-admin or wp-login.php page of my site using the allowed IP, it shows a 403 Forbidden page.

  • kamote

    Still having access to wp-login.php.