How to IP Whitelist WordPress Admin Page with Nginx


This brief tutorial shows students and new users how to whitelist or limit WordPress admin access based on an IP address when using the Nginx HTTP server.

When you set up your WordPress website online, you will immediately see bots and scanners loading your wp-admin.php file.

This attempt to gain access to your admin dashboard is known as a brute-force attack. This is the most commonly used attack on the Internet today. It tries usernames and passwords, over and over again, until it gets a successful login.

In most cases, this will never work. However, if you use admin as your username with a simple-to-guess password, then the likelihood of this attack working on your site is high.

Due to the nature of these attacks, you may find your server’s resources being used up, causing performance problems. This is because the number of HTTP requests is so high that the server runs out of resources.

You will have to increase your server resources to be able to withstand more of these.

When you are using Nginx, you can stop these attacks quickly by restricting the admin login page to only approved IP addresses.

The steps below will show you how to do that.

To get started with restricting the WordPress admin page via IP address, follow the steps below:

Setup WordPress on Nginx

For this tutorial, we will use an Ubuntu host with an Nginx HTTP server running WordPress. We’re not going to show how to install Nginx and how to set up WordPress.

You can find tutorials about Nginx and WordPress by searching this site.

That being said, we set up Ubuntu with Nginx and installed WordPress with all the default settings.

Configure Nginx

If you already have a working WordPress site running on Nginx, follow the steps below to get the WordPress admin dashboard restricted via IPs.

For this tutorial, our WordPress VirtualHost file is at /etc/nginx/sites-available/default.

Run the command below to open the VirtualHost file.

sudo nano /etc/nginx/sites-available/default

Then copy the block below and paste it into the server block as shown further down:

    error_page  403  http://example.com/blocked.html;
    location = /wp-login.php {
        allow   192.168.1.1;
        allow   172.16.1.1;
        deny    all;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }

The code above lists the allowed IP addresses. These are the only IPs that should be able to reach the login page; Nginx evaluates the allow and deny lines in order, the first match wins, and the final deny all rejects everyone else. Because the location block takes over handling of wp-login.php, it must also pass the request to PHP-FPM itself, which is why the include and fastcgi_pass lines are repeated inside it.

We’re also using PHP7.4-FPM with WordPress.
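To check the rules before reloading Nginx, here is an added example (not part of the original post) that models how Nginx's access module evaluates the allow/deny lines above: rules are checked in order, the first match wins, and a client that matches no rule is allowed. It also flags two common ordering mistakes, and it shows that an IPv6 client is denied by the page's IPv4-only allow list, which matters because the server block also listens on [::]:80.

```python
import ipaddress
import re

# The allow/deny lines from the tutorial's location block (copied inline).
PAGE_RULES = """
    allow   192.168.1.1;
    allow   172.16.1.1;
    deny    all;
"""

RULE_RE = re.compile(r"^\s*(allow|deny)\s+(\S+?)\s*;\s*$")


def parse_rules(text):
    """Return [(verdict, network_or_None)] in the order Nginx evaluates them."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]            # drop trailing comments
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"not an allow/deny directive: {line.strip()!r}")
        verdict, target = m.groups()
        # "all" matches every address; anything else is an IP or CIDR (v4 or v6).
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((verdict, net))
    return rules


def decide(client_ip, rules):
    """First matching rule wins, as in Nginx; no match means access is granted."""
    addr = ipaddress.ip_address(client_ip)
    for verdict, net in rules:
        if net is None or (net.version == addr.version and addr in net):
            return verdict
    return "allow"


def check_config(text):
    """Lint the rule order: a deny all that is not last makes later allows dead."""
    rules = parse_rules(text)
    for i, (verdict, net) in enumerate(rules):
        if verdict == "deny" and net is None and i != len(rules) - 1:
            return "deny all is not last: later allow lines are unreachable"
    if not any(v == "deny" and n is None for v, n in rules):
        return "no trailing deny all: unlisted addresses are allowed"
    return "ok"
```

decide("2001:db8::1", parse_rules(PAGE_RULES)) returns "deny", so an administrator connecting over IPv6 needs their IPv6 address added as well.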

Our error_page points to a custom page with brief HTML markup. Because error_page is given a full URL rather than a local path, Nginx answers the blocked request with a 302 redirect to that page instead of serving it in place. An example page is below:

sudo nano /var/www/html/blocked.html

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html>
      <head>
        <title>404 - Are you sure you want to go there?</title>
      </head>
      <body>
        <h1>Are you sure you want to go there?</h1>
        <p>You're here because we think that is a really bad idea.</p>
        <hr />
        <p>Varnish cache server</p>
      </body>
    </html>

For reference, here is our complete working WordPress server block with the restriction pasted in:

    server {
        listen 80;
        listen [::]:80;
        root /var/www/html;
        index  index.php index.html index.htm;
        server_name  example.com www.example.com;

        client_max_body_size 100M;

        autoindex off;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        error_page 403 http://example.com/blocked.html;
        location = /wp-login.php {
            allow 192.168.1.1;
            allow 172.16.1.1;
            deny all;
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Save the file and exit.

Check the configuration and reload Nginx to apply the change.

sudo nginx -t && sudo systemctl reload nginx

Now go and test. The next time an IP that is not approved tries to log on to the admin portal, it will be sent to the blocked.html page shown above.

That’s it!

Conclusion:

This post showed you how to restrict the WordPress admin portal to only approved IP addresses. If you find any error above, please report it in the comment form below.


3 responses to “How to IP Whitelist WordPress Admin Page with Nginx”

  1. Ed

    When the hackers attack wp-admin.php continuously will this not affect server performance despite limiting by IP?
    And how could we ban the attacking IP?

  2. Olivier

    Hello,

    I would suggest changing the following, because of the “404” (an error code usually used for content not found) in it:

    404 – Are you sure you want to go there?

    replaced by

    403 – Are you sure you want to go there?

  3. Olivier

    It is possible to block at server level or webserver level.

    To block at webserver level (nginx here), you just have to add the same rule used in this article but “higher” in the nginx config file.

    To block IP address 1.2.3.4 for ALL web pages (instead of just the wp-login.php page),
    add “deny 1.2.3.4;” just before “location / { (…) }”.
