Geek Rewind

Secure WordPress Admin Access with IP Whitelisting

Richard

ยท

This article outlines how to enhance WordPress security by restricting admin access via IP address using the Nginx server. By allowing only specified trusted IPs, users can protect their sites from unauthorized logins. The guide provides detailed steps for configuration and testing to ensure proper access restrictions.

This article explains how to whitelist or limit WordPress admin access based on an IP address when using the Nginx HTTP server.

WordPress is a popular open-source content management system (CMS) allowing users to create and manage websites easily.

Configuring IP allowlisting for the admin page (wp-admin area) is an important security measure to protect your WordPress site from unauthorized access. By specifying a list of trusted IP addresses that are permitted to access the admin area, you can significantly reduce the risk of brute force attacks and other hacking attempts.

If someone tries to access your admin page from an IP address that isn’t on the allowed list, they will be unable to reach the login page, which adds an extra layer of security to your site.

WordPress IP Whitelist

This tutorial uses an Ubuntu host with an Nginx HTTP server running WordPress. We will not demonstrate how to install Nginx or set up WordPress.

If you have a functioning WordPress site on Nginx, follow the steps below to restrict access to the WordPress admin dashboard by IP addresses..

For this tutorial, our WordPress VirtualHost file is at /etc/nginx/sites-available/default

Run the commands below to open the VirtualHost file.

sudo nano /etc/nginx/sites-available/default

Then, copy the text below and paste it into the server block as indicated:

    error_page  403  http://example.com.com/blocked.html;
    location = /wp-login.php {
            allow   192.168.1.1;
            allow   172.16.1.1;
            deny    all;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }

The code above specifies the allowed IP addresses for access to the admin dashboard.

We’re also using PHP7.4-FPM with WordPress.

Our error_page is a custom page that has a brief HTML syntax. An example page is below:

sudo nano /var/www/html/blocked.html
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
  <head>
    <title>404 - Are you sure you want to go there?</title>
  </head>
  <body>
    <h1>Are you sure you want to go there?</h1>
    <p>You're here because we think that is a really bad idea.</p>
    <hr>
    <p>Varnish cache server</p>
  </body>
</html>

Please copy the code block above and paste it into the appropriate section of your WordPress server.

server {
    listen 80;
    listen [::]:80;
    root /var/www/html;
    index  index.php index.html index.htm;
    server_name  example.com www.example.com;


    location / {
        try_files $uri $uri/ /index.php?$args;
     }

    error_page 403 http://example.com.com/blocked.html;
    location = /wp-login.php {
     allow 192.168.1.1;
     allow 172.16.1.1;
     deny all;
     include snippets/fastcgi-php.conf;
     fastcgi_pass unix:/run/php/php7.4-fpm.sock;
     }

    location ~ \.php$ {
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
    }
}

Save the file and exit.

Restart Nginx.

sudo systemctl reload nginx

Now go and test. The next time an IP that is not approved tries to log on to the admin portal then will get a message shown in the blocked.html file above.

WordPress IP Whitelist

That’s it!

Conclusion:

This post showed you how to restrict the WordPress admin portal to only approved IP addresses. If you find any error, please report it in the comment form below.

You may also like the post below:

Richard Avatar
Richard
Richard, the owner and lead writer at Geek Rewind, is a tech enthusiast passionate about simplifying complex IT topics. His years of hands-on experience in system administration and enterprise IT operations have honed his ability to provide practical insights and solutions. Richard aims to make technology more accessible and actionable. He’s deeply committed to the Geek Rewind community, always ready to answer questions and engage in discussions. He enjoys watching football, cheering for the Minnesota Vikings, and spending time with his family when he’s not writing or managing Geek Rewind.
,

Comments

  1. Ed Avatar
    Ed

    When the hackers attack wp-admin.php continuously will this not affect server performance despite limiting by IP?
    And how could we ban the attacking IP?

    Reply
  2. Olivier Avatar
    Olivier

    Hello,

    I would suggest to change the because of the “404” (error code usually used for content not found) in it

    404 – Are you sure you want to go there?

    replaced by

    403 – Are you sure you want to go there?

    Reply
  3. Olivier Avatar
    Olivier

    It is possible to block at server level or webserver level.

    To block at webserver level (nginx here), you just have to add the same rule used in this article but “higher” in the nginx config file.

    to block ip address 1.2.3.4 for ALL webpages (instead of just the wp-login.php page)
    add “deny 1.2.3.4;” just before “location / { (…) } “

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *