Nginx: Block URL Access (wp-admin/wp-login.php) To All Except One IP Address
5 March, 2021 by
Nginx: Block URL Access (wp-admin/wp-login.php) To All Except One IP Address
Administrator

am the small business owner and runs my own web-site. I have noticed increased cracking activity against by blog. What’s the best way to block WordPress URLs such as example.com/blog/wp-login.php and example.com/blog/wp-admin/ in the nginx web-server?

Attacks on WordPress based sites are not new. However, recently many news outlets reported that there’s a fairly large brute force attack happening on WordPress users on multiple hosts. The attacker is brute force attacking the WordPress administrative portals (example.com/wp-admin/), using the username “admin” and trying thousands of passwords.

Nginx block access WordPress administrative portals

Edit the file nginx.conf, enter:
# vi /etc/nginx/nginx.conf
Append the following all and deny all nginx config directives in server context:

  location ~ ^/(wp-admin|wp-login\.php) {
                allow 1.2.3.4;
                deny all;
  }

If your blog located in /blog/ sub-directory, try:

  location ~ ^/blog/(wp-admin|wp-login\.php) {
                allow 1.2.3.4;
                deny all;
  }

Replace 1.2.3.4 with your actual static IP address. Here is a sample config file

upstream apachebackend  {
 server 192.168.1.10:8080 weight=6;
 server 192.168.1.11:8080 weight=5; 
 server 192.168.1.12:8080 weight=5; 
 server 192.168.1.13:8080 weight=5; 
 #server 127.0.0.1:8080 weight=1; 
}
 
server {
      access_log  /var/log/nginx/access.log;
      error_log   /var/log/nginx/error.log;
      index       index.html;
      listen      75.126.153.206:80 default;
      root        /usr/share/nginx/html;
      server_name cyberciti.biz www.cyberciti.biz;
 
  ## PROXY - Web
      location / {
        proxy_pass  http://apachebackend;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_redirect off;
        proxy_buffering off;
 
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      }
      location ~ ^/(wp-admin|wp-login\.php) {
           allow 1.2.3.4;
           deny all;
           proxy_pass  http://apachebackend;
           proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
           proxy_set_header        Host            $host;
           proxy_set_header        X-Real-IP       $remote_addr;
           proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      }
}

Restart / reload the nginx web-server, enter:
# /etc/init.d/nginx reload