This brief tutorial shows students and new users how to whitelist or limit WordPress admin access based on an IP address when using the Nginx HTTP server.
When you set up your WordPress website online, you will immediately see bots and scanners loading your wp-admin.php file.
This attempt to gain access to your admin dashboard is known as a brute-force attack. This is the most commonly used attack on the Internet today. It tries usernames and passwords, over and over again, until it gets a successful login.
In most cases, this will never work. However, if you use admin as your username with a simple-to-guess password, then the likelihood that this attack working on your site is high.
Due to the nature of these attacks, you may find your server’s resources being used up causing performance problems. This is because the number of HTTP requests is so high that the servers run out of resources.
You will have to increase your server resources to be able to withstand more of these.
When you using Nginx, you can stop these attacks quickly by restricting the admin login page to only approved IP addresses.
The steps below will show you how to do that.
To get started with restricting the WordPress admin page via IP address, follow the steps below:
Setup WordPress on Nginx
For this tutorial, we will use an Ubuntu host with an Nginx HTTP server running WordPress. We’re not going to show how to install Nginx and how to set up WordPress.
You can find tutorials about Nginx and WordPress by searching this site.
That being said, we set up Ubuntu with Nginx and installed WordPress with all the default settings.
Configure Nginx
If you already have a working WordPress site running on Nginx, follow the steps below to get the WordPress admin dashboard restricted via IPs.
For this tutorial, our WordPress VirtualHost file is at /etc/nginx/sites-available/default
Run the commands below to open the VirtualHost file.
sudo nano /etc/nginx/sites-available/default
Then copy and block below and paste it into the server block as shown below:
error_page 403 http://example.com.com/blocked.html;
location = /wp-login.php {
allow 192.168.1.1;
allow 172.16.1.1;
deny all;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}
The code above lists allowed IP addresses. These are the IPs that should be allowed to access the admin dashboard.
We’re also using PHP7.4-FPM with WordPress.
Our error_page is a custom page that has a brief HTML syntax. An example page is below:
sudo nano /var/www/html/blocked.html
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html> <head> <title>404 - Are you sure you want to go there?</title> </head> <body> <h1>Are you sure you want to go there?</h1> <p>You're here because we think that is a really bad idea.</p> <hr> <p>Varnish cache server</p> </body> </html>
Now, copy the block code above and paste it into your working WordPress server block.
server {
listen 80;
listen [::]:80;
root /var/www/html;
index index.php index.html index.htm;
server_name example.com www.example.com;
client_max_body_size 100M;
autoindex off;
location / {
try_files $uri $uri/ /index.php?$args;
}
error_page 403 http://example.com.com/blocked.html;
location = /wp-login.php {
allow 192.168.1.1;
allow 172.16.1.1;
deny all;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
Save the file and exit.
Restart Nginx.
sudo systemctl reload nginx
Now go and test. The next time an IP that is not approved tries to log on to the admin portal then will get a message shown in the blocked.html file above.
That’s it!
Conclusion:
This post showed you how to restrict the WordPress admin portal to only approved IP addresses. If you find any error above, please report it in the comment form below.
You may also like the post below:
Leave a Reply