Tips / Nginx

Nginx Protection for WordPress Brute Force Attacks

Brute force attacks are the most common way to hack into a password protected area. Popular content management systems like WordPress are on the edge of these attacks because they are installed all around the web.

What is a brute force attack?

A brute force attack is the kind of attack where one system tries to log in to your website using different username and password combinations. They often don’t know your access information, but they try what is called a dictionary attack. That means they try different words and passwords from a database that is composed similar to a dictionary.

Sometimes, setting a strong password is enough, but sometimes it is not. Then, you are not only getting hacked, but the intruders can use your existing WordPress platform to send email or mount a phishing site, which can cause big problems. Another problem from brute force attacks lies in the use of resources. Loading a WordPress login page 1,000 times uses a lot of resources from the http server and php handler. Much like a DOS attack, it can make your web server crash easily.

Let’s see how we can protect WordPress against brute force attacks on Nginx web server.

Block using Nginx Limit Req Module

Nginx can be configured as a reverse proxy to mitigate this kind of attack. This requires two simple steps: 1) creating a req limit zone and 2), enabling the limit at the wp-login.php page. This is the one WordPress uses to welcome registered users.

1) Edit the nginx.conf main file, and create a zone. We will call this “one.” Add the following code:

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

10m is the size of the zone. The idea here is that a zone like this can hold up to 16,000 unique IP addresses. If you are hosting a website that’s much larger, you can increase that value to 20m, 50m or 100m. The other important variable is rate=1r/s, meaning only one request per second is allowed.

2) Enable connection rate limit using Nginx proxy configuration:

Edit your virtual host file and set it as:

location /wp-login.php {
limit_req zone=one burst=5;
proxy_redirect off;

First, the location you want to protect is defined. Then, the zone for that location is enabled. Finally, you pass the traffic over the backend server via proxy.

Allow trusted IPs to log in in to WordPress Admin Access (wp-admin/wp-login.php) – Block the rest

This rule is old, but it is still the best if you have a static IP address (one that never changes). You can get full advantage of that by restricting all access to the wp-admin directory and wp-login.php file. In this way, it only works with your allowed IP address. Any other IP address will be blocked. With this solution, you won’t face any brute force attacks at all because attackers won’t be able to reach the server to launch the attack.

Edit the nginx.conf main configuration file:

nano -w /etc/nginx/nginx.conf

Add this code to your server block configuration:

location ~ ^/(wp-admin|wp-login.php) {
deny all;

If your blog is configured at /blog/ path, try this:

location ~ ^/blog/(wp-admin|wp-login.php) {
deny all;
} is just an example of an IP. You must grab your real IP from and replace it.

Apply the changes:

service nginx reload

Testing the WordPress protection

Curl will let you know if it’s working or not. A 403 response means that it’s working if you test it from a different IP than the one you allowed. A 200 response is okay if you test if from the allowed IP.

curl -I


With these two methods, you should be able to protect yourself against WordPress brute force attacks. Try running Nginx with the Nginx Limit Req Module or try allowing only trusted IPs to log in.

Have you faced WordPress brute force attacks in the past? How did you manage to mitigate those while using Nginx?

Popular search terms:

  • https://yandex ru/clck/jsredir?from=yandex ru;search;web;;&text=&etext=1823 l8KCoFy5Xx60oPGV9HG4TYeqqYXDJnyLhayj1_TnsJs27195vxNGEbyDvc48EgD2 7f7d31041f11ae420bd77aaa45a396bd34f60ed0&uuid=&state=_BLhILn4SxNIvvL0W45KSic66uCIg23qh8iRG98qeIXme
  • nginx per virtual host limit zone
  • nginx rate limit wordpress login
  • nginx wordpress admin ip restrict

Esteban Borges

Linux Geek, Webperf Addict, Nginx Fan. CTO @Infranetworking