Secure your WordPress Admin allowing access to only one IP Address on Nginx


If you are a WordPress editor/admin and you are worried about it’s security, there is one wonderful thing you can do to protect your WordPress admin page. You can set a blocking rule to allow access to WordPress admin only for your public IP, and deny the rest of the people that try to load /wp-admin or /wp-login.php urls.  This type of security will protect you against most brute force attacks to your WordPress administration area.

The easiest way to block WordPress Admin URLs and is using an allow/deny rule on Nginx configuration file. Let’s begin.

Edit nginx.conf file

nano -w /etc/nginx/nginx.conf

Add the following code to your Nginx configuration (inside the server block):

location ~ ^/(wp-admin|wp-login.php) { allow xx.xx.xx.xx; deny all; }

However, if your blog located in /blog/ path, better try this:

location ~ ^/blog/(wp-admin|wp-login.php) { allow xx.xx.xx.xx; deny all; }

Replace xx.xx.xx.xx with your actual static IP address.

Reload Nginx to apply the changes:

 service nginx reload

Testing the WordPress protection

Run this command from a shell outside your network:

 curl -I

If you get 403 response from outside your allowed network (the IP you allowed before at nginx config), then it’s working. Other way to test it is just to load the URL from a Browser on a network outside your allowed IP.


Leave a Reply