How To Restrict Access to wp-login.php in Nginx (IP Address Whitelist)

The default login page of a WordPress website is like this:

example.com/wp-login.php

When you type in

example.com/wp-admin

WordPress will redirect you to the login page if you are not logged in. To protect WordPress from brute-force attacks, a WordPress site admin can enable two-factor authentication with a WordPress plugin, but I found that inconvenient, because I don’t like to open my phone and enter a six-digit code every time I need to log in. And WordPress plugins can have vulnerabilities, so I prefer to remove as many plugins as I can.

Instead of enabling two-factor authentication with a WordPress plugin, you can restrict access to the login page to your own IP address, so that every other client receives a 403 before PHP is ever invoked. Here’s how to do it with the Nginx web server.

Edit the Nginx virtual host file, such as

sudo nano /etc/nginx/conf.d/example.com.conf

Add the following lines in the server {...} context.

        # Exact-match location: this block handles only /wp-login.php and
        # takes precedence over the generic "location ~ \.php$" block.
        location = /wp-login.php {
                try_files $uri =404;
                fastcgi_pass unix:/run/php/php7.3-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;

                fastcgi_pass_header Set-Cookie;
                fastcgi_pass_header Cookie;
                include fastcgi_params;
                # proxy_* buffer directives have no effect in a fastcgi_pass location;
                # the FastCGI equivalents are used here.
                fastcgi_buffers 16 16k;
                fastcgi_buffer_size 16k;

                # IP whitelist: allow rules are checked in order, and everyone else
                # is denied with 403 before the request reaches PHP-FPM.
                # If a CDN or reverse proxy (e.g. Cloudflare) sits in front of Nginx,
                # $remote_addr is the proxy's address, so configure the real_ip module
                # (set_real_ip_from / real_ip_header) before relying on allow/deny.
                allow 12.34.56.78;
                allow 12.34.56.79;
                deny all;
        }

Replace 12.34.56.78 and 12.34.56.79 with your own IP addresses. Note that I’m using PHP 7.3 on my server; you may need to change the fastcgi_pass directive according to your PHP-FPM configuration.

Save and close the file. Then test the Nginx configuration.

sudo nginx -t

If the test is successful, reload Nginx.

sudo systemctl reload nginx

Now an attacker would see the 403 Forbidden message when trying to access the wp-login.php page, and each denied attempt is recorded in the Nginx access log with status 403.
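To confirm the whitelist is doing what you expect, you can check the access log for wp-login.php requests: denied attempts should show up as 403s from addresses outside your allow list, and a 403 from one of your own allowed addresses means the allow list is wrong or a proxy in front of Nginx is hiding the real client IP. The script below is an added example, not part of the original tutorial; it parses constructed lines in Nginx's default "combined" log format and uses the two placeholder addresses from the configuration above as the allow list.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Nginx's default "combined" access-log format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"
12.34.56.78 - - [10/May/2024:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:12:00:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 403 153 "-" "curl/7.88.1"
12.34.56.79 - - [10/May/2024:12:00:06 +0000] "GET /wp-login.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"
"""

# The fields of the combined format we need: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, path without query string, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), path, int(m.group("status"))

def summarize(log_text, allowed_cidrs):
    """Count wp-login.php hits: 403s per denied IP, successful hits per allowed IP, and
    403s from IPs that should have been allowed (a misconfigured allow list or a proxy
    that hides the real client address)."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    denied, permitted, lockouts = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[1] != "/wp-login.php":
            continue
        ip, _, status = parsed
        is_allowed = any(ipaddress.ip_address(ip) in net for net in allowed)
        if status == 403:
            (lockouts if is_allowed else denied)[ip] += 1
        elif is_allowed:
            permitted[ip] += 1
    return {"denied": dict(denied), "permitted": dict(permitted), "lockouts": dict(lockouts)}

if __name__ == "__main__":
    # In production, read /var/log/nginx/access.log instead of the constructed sample.
    print(summarize(SAMPLE_LOG, ["12.34.56.78", "12.34.56.79"]))
```

A non-empty "lockouts" entry is the thing to look at first after a reload, because it means your own address is being denied.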


Note that if you have enabled static HTML caching in Cloudflare, you need to purge the example.com/wp-login.php page from the cache, otherwise Cloudflare may keep serving the cached login page instead of the 403.

You can also hide the Nginx server signature. First, you need to install the HttpHeadersMore module.

sudo apt install libnginx-mod-http-headers-more-filter

Then add the following two lines in the http context of the /etc/nginx/nginx.conf file. The first replaces the Server response header with a string of your choice, and the second stops Nginx from including its version number in the header and in error pages.

more_set_headers "Server: example.com";
server_tokens off;

Save and close the file. Then reload Nginx.
