Nginx wp-admin access control

Lawrence lawrence at begame.nl
Wed Apr 15 10:52:59 UTC 2020


Greetings All,

To start, I am very much a beginner to nginx and  coding. I am a application support engineer, but got very little  development skills.
I hope that there is someone out there that can guide me through this maze.

I have searched the web and have seen multiple solutions but none seem to work exactly how I want it to work.

My nginx server setup, I am running and managing the config for nginx from the /etc/nginx/nginx.conf file

I have 5 seperate sites under sites-enabled.
Each site has it's own config file where I have tried to manage and block access to my  two wordpress sites on wp-admin/wp-login.

The site www.atlantic-kids-academy.com and www.hockeysticks4clubs.com are running on wordpress.

The issue I have is that literally thousands of attempts are made on  the site everyday trying to access the wp-admin or wp-login



My goal is to have the sites available but the access to all wp admin must be limited.
below are a few of the solutions I found. Non seem to work fully. I assume it is my understanding of nginx configuration.

method #1  -- test unsuccessfully.
URL: 
https://graspingtech.com/block-access-wordpress-admin-area-nginx/


location ~ \.php$ {
  location ~ \wp-login.php$ {
    allow 192.168.1.11;
    deny all;
    include fastcgi.conf;
    fastcgi_intercept_errors on;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
  }
  include fastcgi.conf;
  fastcgi_intercept_errors on;
  fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}


method #2 -- tested unsuccessfully.
URL
https://websiteforstudents.com/block-access-wordpress-wp-admin-via-nginx-ubuntu-17-04-17-10/


 location ~ ^/(wp-admin|wp-login\.php) {
                try_files $uri $uri/ /index.php?$args;
                index index.html index.htm index.php;
                allow 68.66.XX.111;
                deny all;
                error_page 403 = @wp_admin_ban;
     }
 
    location @wp_admin_ban {
           rewrite ^(.*) https://example.com permanent;
     }
    location /wp-admin/admin-ajax.php {
       allow all;
    }



method #3 -- tested and not fully functional. The issues that I have seen with this are listed below.
it blocks on a countrylevel
when opening the wp-admin page, I am first met with logging into the wordpress itself, and then after am I prompted with the .htpasswd authentication.



Any help / advice would be very much appreciated.

URL:
https://www.openprogrammer.info/2013/07/12/protecting-wp-admin-wp-login-php-nginx/


location ~ ^/(wp-login\.php){
  auth_basic "Administrator Login";
  auth_basic_user_file /home/nginx/domains/yourlocation/private/.htpasswd;
  include /usr/local/nginx/conf/php.conf;
}

location /wp-admin {
  location ~ ^/(wp-admin/admin-ajax\.php) {
    include /usr/local/nginx/conf/php.conf;
  }
  location ~* /wp-admin/.*\.php$ {
    auth_basic "Administrator Login";
    auth_basic_user_file /home/nginx/domains/yourlocation/private/.htpasswd;
    include /usr/local/nginx/conf/php.conf;
  }
}


location ~ .*\.(php|php4|php5|pl|py)?$ {
    location ~ ^/(wp-comments-post\.php$)
       allow all;
       include  /usr/local/nginx/conf/php.conf;
        break;
    }
   #deny all;
   rewrite  ^(.*)$ / redirect;
}

Thanks
Lawrence
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20200415/ec4e1e53/attachment-0001.htm>


More information about the nginx mailing list