How to IP Whitelist WordPress Admin Page with Nginx

This brief tutorial shows students and new users how to whitelist or limit WordPress admin access based on IP address when using the Nginx HTTP server.

When you set up your WordPress website online, almost immediately you will begin to see bots and scanners loading your wp-admin.php file.

This is an attempt to gain access to your admin dashboard and is known as a brute-force attack. This is the most commonly used attack on the Internet today. It tries usernames and passwords, over and over again, until it gets a successful login.

In most cases, this will never work. However, if you use admin as your username with a simple-to-guess password, then the likelihood that this attack working on your site is high.

Due to the nature of these attacks, you may find your server’s resources being used up causing performance problems. This is because the number of HTTP requests is so high that the servers run out of resources.

You will have to increase your server resources to be able to withstand more of these.

When you using Nginx, you can stop these attacks quickly by restricting the admin login page to only approved IP addresses.

The steps below will show you how to do that.

To get started with restricting the WordPress admin page via IP address, follow the steps below:

Setup WordPress on Nginx

For this tutorial, we’re going to be using an Ubuntu host with an Nginx HTTP server running WordPress. We’re not going to show how to install Nginx and how to set up WordPress.

You can find tutorials about Nginx and WordPress by searching this site.

That being said, we set up Ubuntu with Nginx and installed WordPress with all the default settings.

Configure Nginx

If you already have a working WordPress site running on Nginx, simply follow the steps below to get the WordPress admin dashboard restricted via IPs.

For this tutorial, our WordPress VirtualHost file is at /etc/nginx/sites-available/default

Run the commands below to open the VirtualHost file.

sudo nano /etc/nginx/sites-available/default

Then copy and block below and paste it into the server block as shown below:

    error_page  403;
    location = /wp-login.php {
            deny    all;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;

The code above lists allowed IP addresses. These are the IPs that should be allowed to access the admin dashboard.

We’re also using PHP7.4-FPM with WordPress.

Our error_page is a custom page that has a brief HTML syntax. An example page is below:

sudo nano /var/www/html/blocked.html

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    <title>404 - Are you sure you want to go there?</title>
    <h1>Are you sure you want to go there?</h1>
    <p>You're here because we think that is a really bad idea.</p>
    <p>Varnish cache server</p>

Now, copy the block code above and paste it into your working WordPress server block.

server {
    listen 80;
    listen [::]:80;
    root /var/www/html;
    index  index.php index.html index.htm;

     client_max_body_size 100M;
     autoindex off;

    location / {
        try_files $uri $uri/ /index.php?$args;

    error_page 403;
    location = /wp-login.php {
     deny all;
     include snippets/fastcgi-php.conf;
     fastcgi_pass unix:/run/php/php7.4-fpm.sock;

    location ~ \.php$ {
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;

Save the file and exit.

Restart Nginx.

sudo systemctl reload nginx

Now go and test. The next time an IP that is not approved tries to log on to the admin portal then will get a message shown in the blocked.html file above.

WordPress IP Whitelist

That’s it!


This post showed you how to restrict the WordPress admin portal to only approved IP addresses. If you find any error above, please use the comment form below to report it.

You may also like the post below: