Block Access to WordPress WP-Admin via Nginx on Ubuntu 17.04 / 17.10

This brief tutorial shows students and new users how to block access to WordPress Admin Dashboard from unknown IP addresses and allow only IP addresses that are defined in Nginx configurations. This is one of many ways to protect and lock down your WordPress dashboard from unauthorized access or hackers who might want to hack into your WordPress admin site.

The method I’m going to describe below will allow only IP addresses are defined in the setup and block all others. Then all the blocked IPs will automatically be redirected to the site home page. You can choose to send the blocked traffic to any page you’d like but this method will send them to the main home page.

When you’re ready to configure these settings on Nginx to lock down WordPress Admin dashboard, continue below

Step 1: Install and Configure Nginx

Before configuring the settings below, you must first have a working WordPress site powered by Nginx. I’m not going to detail the steps necessary to install and configure WordPress.. you can search this site for tutorials on how to do that.

Once you’ve successfully installed and configured WordPress on Nginx and everything is working, you can continue below to lock down WordPress admin portal.

Step 2: Lock Down WordPress Admin Portal

Now that you’ve successfully installed and configured WordPress, open the WordPress site configuration file and add the below block of code into the file and save it.

 location ~ ^/(wp-admin|wp-login\.php) {
                try_files $uri $uri/ /index.php?$args;
                index index.html index.htm index.php;
                allow 207.67.XX.XXX;
                allow 63.151.XXX.XX;
                allow 68.66.XX.111;
                deny all;
                error_page 403 = @wp_admin_ban;
    location @wp_admin_ban {
           rewrite ^(.*) permanent;
    location /wp-admin/admin-ajax.php {
       allow all;

Save the

The settings above block all unauthorized IPs from accessing  wp-admin / wp-login directory. Instead, those blocked IPs will be redirected to the home page of the website defined in the rewrite rule for @wp_admin_ban.

The settings allow allow all to access the specific /wp-admin/admin-ajax.php file since some plugins and script depend on it to function properly.

When you’re done, your WordPress admin page should be locked down to only users coming from the IP addresses specified.


You may also like the post below:

Setup Nginx as Reverse Proxy for Apache2 on Ubuntu 17.04 / 17.10