Block Access to WordPress WP-Admin via Nginx on Ubuntu 17.04 | 17.10


This brief tutorial shows students and new users how to block access to WordPress Admin Dashboard from unknown IP addresses and allow only IP addresses that are defined in Nginx configurations. This is one of many ways to protect and lock down your WordPress dashboard from unauthorized access or hackers who might want to hack into your WordPress admin site.

The method I’m going to describe below will allow only the IP addresses that are defined in the setup and block all others. All blocked IPs will then automatically be redirected to the site home page. You can choose to send the blocked traffic to any page you’d like, but this method will send it to the main home page.

When you’re ready to configure these settings on Nginx to lock down the WordPress Admin dashboard, continue below.

Step 1: Install and Configure Nginx

Before configuring the settings below, you must first have a working WordPress site powered by Nginx. I’m not going to detail the steps necessary to install and configure WordPress; you can search this site for tutorials on how to do that.

Once you’ve successfully installed and configured WordPress on Nginx and everything is working, you can continue below to lock down WordPress admin portal.

Step 2: Lock Down WordPress Admin Portal

Now that you’ve successfully installed and configured WordPress, open the WordPress site configuration file, add the block of code below to it, and save the file.

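error_page 403 = @wp_admin_ban;    # hand denied requests to the named location below
location = /wp-login.php {
    allow 203.0.113.10;            # placeholder: replace with your own trusted IP address
    deny all;                      # every other address gets a 403
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}
location @wp_admin_ban {
    rewrite ^ /? redirect;         # 302 to the home page, query string dropped
}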

Save the

The settings above block all unauthorized IPs from accessing the wp-admin / wp-login directory. Instead, those blocked IPs will be redirected to the home page of the website defined in the rewrite rule for

The settings allow everyone to access the specific /wp-admin/admin-ajax.php file, since some plugins and scripts depend on it to function properly.

When you’re done, your WordPress admin page should be locked down to only users coming from the IP addresses specified.
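
The complete rule set the text describes (allowlist on the login page and dashboard, the admin-ajax.php exception, and the redirect for blocked clients), written out as an added example rather than the tutorial's own configuration. The server name, document root and the 203.0.113.10 / 198.51.100.0/24 addresses are placeholders; the snippet path and PHP-FPM socket are the ones used in the block above.

```nginx
server {
    listen 80;
    server_name example.com;            # placeholder host name
    root /var/www/html/wordpress;       # assumed document root
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Exact-match locations win over regex locations, so this one file stays
    # reachable for everyone even though it lives under /wp-admin/.
    location = /wp-admin/admin-ajax.php {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }

    # Login page and dashboard: only the listed addresses get through.
    # Regex locations are tried in file order, so this block must come
    # before the generic "\.php$" block further down.
    location ~ ^/(wp-login\.php|wp-admin(/|$)) {
        allow 203.0.113.10;             # placeholder: single admin address
        allow 198.51.100.0/24;          # placeholder: office network
        deny all;
        error_page 403 = @wp_admin_ban;

        # PHP has to be passed to PHP-FPM inside this block. Without this
        # nested location nginx serves wp-login.php as a static file and
        # the browser offers it as a download.
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
    }

    # Blocked clients get a temporary redirect to the home page.
    # The trailing "?" drops the original query string.
    location @wp_admin_ban {
        rewrite ^ /? redirect;
    }

    # All other PHP requests
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}
```

Run `nginx -t` before reloading so a syntax error does not take the site down. `allow` and `deny` match the address of the connecting peer, so behind a reverse proxy or CDN every visitor appears to come from the proxy unless the real client address is restored first (for example with the realip module).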




  1. What if I have the wp-admin renamed to something else, like administration? Do I need to edit the script like this?

    location ~ ^/(administration|wp-login\.php) {
        try_files $uri $uri/ /index.php?$args;
        index index.html index.htm index.php;
        allow 207.67.XX.XXX;
        allow 63.151.XXX.XX;
        allow 68.66.XX.111;
        deny all;
        error_page 403 = @wp_admin_ban;
    }

    location @wp_admin_ban {
        rewrite ^(.*) permanent;
    }

    location /administration/admin-ajax.php {
        allow all;
    }

  2. Now prompts me to download & save the wp-login.php page
    Perhaps you could share a bit more of your config.

  3. When I add it into my config, the whole website stops working and gives ERROR 500 HTTP.
