How to IP Whitelist WordPress Admin Page with Nginx

This brief tutorial shows students and new users how to whitelist or limit WordPress admin access based on IP address when using Nginx HTTP server.

When you setup your WordPress website online, almost immediately you will begin to see bots and scanners loading your wp-admin.php file.

This is an attempt to gain access to your admin dashboard, and is known as brute-force attack. This the most commonly used attack on the Internet today. It tries usernames and passwords, over and over again, until it gets a successful login.

In most cases this will never work. However, if you use admin as your username with a simple to guess password, then the likelihood that this attack working on your site is high.

Due to the nature of these attacks, you may find your server’s resources being used up causing performance problems. This is because the number of http requests are so high that the servers run out of resources.

You will have to increase your server resources to be able to withstand more of these.

When you using Nginx, you can stop these attacks quickly by restricting the admin login page to only approved IP addresses.

This steps below will how you how to do that.

To get started with restricting WordPress admin page via IP address, follow the steps below:

Step 1: Setup WordPress on Nginx

For this tutorial, we’re going to be using Ubuntu host with Nginx HTTP server running WordPress. We’re not going to show how to install Nginx and how to setup WordPress.

You can find tutorials about Nginx and WordPress by searching this site.

That being said, we setup Ubuntu with Nginx and installed WordPress with all the default settings.

Step 2: Configure Nginx

If you already have a working WordPress site running on Nginx, simply follow the steps below to get WordPress admin dashboard restricted via IPs.

For this tutorial, our WordPress VirtualHost file is at /etc/nginx/sites-available/default

Run the commands below to open the VirtualHost file.

sudo nano /etc/nginx/sites-available/default

Then copy and block below and paste it into the server block as shown below:

    error_page  403  http://example.com.com/blocked.html;
    location = /wp-login.php {
            allow   192.168.1.1;
            allow   172.16.1.1;
            deny    all;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }

The code above list allowed IP addresses. These are the IPs that should be allowed to access the admin dashboard.

We’re also using PHP7.4-FPM with WordPress.

Our error_page is a custom page that has brief HTML syntax. An example page is below:

sudo nano /var/www/html/blocked.html

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
  <head>
    <title>404 - Are you sure you want to go there?</title>
  </head>
  <body>
    <h1>Are you sure you want to go there?</h1>
    <p>You're here because we think that is a really bad idea.</p>
    <hr>
    <p>Varnish cache server</p>
  </body>
</html>

Now, copy the block code above and paste it into your working WordPress server block.

server {
    listen 80;
    listen [::]:80;
    root /var/www/html;
    index  index.php index.html index.htm;
    server_name  example.com www.example.com;

     client_max_body_size 100M;
  
     autoindex off;

    location / {
        try_files $uri $uri/ /index.php?$args;
     }

    error_page 403 http://example.com.com/blocked.html;
    location = /wp-login.php {
     allow 192.168.1.1;
     allow 172.16.1.1;
     deny all;
     include snippets/fastcgi-php.conf;
     fastcgi_pass unix:/run/php/php7.4-fpm.sock;
     }

    location ~ \.php$ {
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
    }
}

Save the file and exit.

Restart Nginx.

sudo systemctl reload nginx

Now go and test. The next time an IP that is not approved tries to logon to the admin portal, then will get a message show in the blocked.html file above.

WordPress IP Whitelist

That’s it!

Conclusion:

This post showed you how to restrict WordPress admin portal to only approved IP address. If you find any error above, please use the comment form below to report it.

You may also like the post below:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.