Nginx wp-admin access control

Ian Hobson hobson42 at gmail.com
Wed Apr 15 11:33:55 UTC 2020


Hi Lawrence,

I installed WP fail2ban and Wordfence Security (free version).

It doesn't stop them trying, but I run a "3 strikes and you are out for 
60 minutes" regime. It means only 3-4 attempts an hour instead of 
thousands.

I believe there is a plug-in that moves the wp-admin location somewhere 
else as well, but I have not bothered.

Regards

Ian

On 15/04/2020 11:52, Lawrence wrote:
> Greetings All,
> 
> To start, I am very much a beginner to nginx and coding. I am an 
> application support engineer, but have very little development skills.
> I hope that there is someone out there who can guide me through this maze.
> 
> I have searched the web and have seen multiple solutions but none seem 
> to work exactly how I want it to work.
> 
> For my nginx server setup, I am running and managing the config for nginx 
> from the /etc/nginx/nginx.conf file.
> 
> I have 5 separate sites under sites-enabled.
> Each site has its own config file where I have tried to manage and 
> block access to my two WordPress sites on wp-admin/wp-login.
> 
> The sites www.atlantic-kids-academy.com and www.hockeysticks4clubs.com 
> are running on WordPress.
> 
> The issue I have is that literally thousands of attempts are made on the 
> site every day trying to access wp-admin or wp-login.
> 
> My goal is to have the sites available, but access to all of wp-admin 
> must be limited.
> Below are a few of the solutions I found. None seem to work fully. I 
> assume it is my understanding of nginx configuration.
> 
> method #1 -- tested unsuccessfully.
> URL:
> https://graspingtech.com/block-access-wordpress-admin-area-nginx/
> 
> 
> location ~ \.php$ {
>    location ~ \wp-login.php$ {
>      allow 192.168.1.11;
>      deny all;
>      include fastcgi.conf;
>      fastcgi_intercept_errors on;
>      fastcgi_pass unix:/run/php/php7.0-fpm.sock;
>    }
>    include fastcgi.conf;
>    fastcgi_intercept_errors on;
>    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
> }
> 
> 
> method #2 -- tested unsuccessfully.
> URL
> https://websiteforstudents.com/block-access-wordpress-wp-admin-via-nginx-ubuntu-17-04-17-10/
> 
> 
>   location ~ ^/(wp-admin|wp-login\.php) {
>                  try_files $uri $uri/ /index.php?$args;
>                  index index.html index.htm index.php;
>                  allow 68.66.XX.111;
>                  deny all;
>                  error_page 403 = @wp_admin_ban;
>       }
> 
>      location @wp_admin_ban {
>             rewrite ^(.*) https://example.com permanent;
>       }
>      location /wp-admin/admin-ajax.php {
>         allow all;
>      }
> 
> method #3 -- tested and not fully functional. The issues that I have 
> seen with this are listed below.
> It blocks on a country level.
> When opening the wp-admin page, I am first met with logging into 
> WordPress itself, and only after that am I prompted with the .htpasswd 
> authentication.
> 
> Any help / advice would be very much appreciated.
> 
> URL:
> https://www.openprogrammer.info/2013/07/12/protecting-wp-admin-wp-login-php-nginx/
> 
> 
> location ~ ^/(wp-login\.php){
>    auth_basic "Administrator Login";
>    auth_basic_user_file /home/nginx/domains/yourlocation/private/.htpasswd;
>    include /usr/local/nginx/conf/php.conf;
> }
> 
> location /wp-admin {
>    location ~ ^/(wp-admin/admin-ajax\.php) {
>      include /usr/local/nginx/conf/php.conf;
>    }
>    location ~* /wp-admin/.*\.php$ {
>      auth_basic "Administrator Login";
>      auth_basic_user_file 
> /home/nginx/domains/yourlocation/private/.htpasswd;
>      include /usr/local/nginx/conf/php.conf;
>    }
> }
> 
> 
> location ~ .*\.(php|php4|php5|pl|py)?$ {
>      # opening brace was missing here; nginx refuses to load the file without it
>      location ~ ^/(wp-comments-post\.php$) {
>         allow all;
>         include  /usr/local/nginx/conf/php.conf;
>         break;
>      }
>     #deny all;
>     rewrite  ^(.*)$ / redirect;
> }
> 
> Thanks
> Lawrence
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
> 

-- 
Ian Hobson
Tel (+351) 910 418 473
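An added example, not part of either message in this thread and not taken from any of the three linked articles: one way to combine the pieces Lawrence was trying (source-IP allowlist, HTTP basic auth, and a request rate cap in the spirit of Ian's "3 strikes" regime) while keeping admin-ajax.php reachable, which is what methods #2 and #3 break. The admin network 203.0.113.0/24, the PHP-FPM socket path, the .htpasswd path and the server name are assumed placeholders; substitute your own.

```nginx
# Added example (not from the original thread). Assumed values: the admin
# network 203.0.113.0/24, the PHP-FPM socket path, and the .htpasswd path.

# Goes in the http {} context: one bucket per client IP, 1 request/minute.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=1r/m;

server {
    listen 80;
    server_name example.com;              # assumed
    root /var/www/example.com;            # assumed
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # admin-ajax.php is called by themes and plugins for logged-out visitors,
    # so it must stay open. "^~" makes this prefix match final: the regex
    # locations further down can no longer shadow it (the reason method #2's
    # plain "location /wp-admin/admin-ajax.php" never took effect).
    location ^~ /wp-admin/admin-ajax.php {
        include fastcgi.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;   # assumed socket
    }

    # Login form: exact match has the highest priority of all location types.
    location = /wp-login.php {
        allow 203.0.113.0/24;                          # assumed admin network
        deny all;
        auth_basic "Administrator Login";
        auth_basic_user_file /etc/nginx/.htpasswd;     # assumed path
        # Five quick attempts, then HTTP 503 until the bucket drains.
        limit_req zone=wplogin burst=5 nodelay;
        include fastcgi.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }

    # Everything else under /wp-admin/: allow/deny and auth_basic are
    # inherited by the nested PHP location, so they are written once.
    location ^~ /wp-admin/ {
        allow 203.0.113.0/24;
        deny all;
        auth_basic "Administrator Login";
        auth_basic_user_file /etc/nginx/.htpasswd;
        try_files $uri $uri/ /index.php?$args;

        location ~ \.php$ {
            include fastcgi.conf;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
    }

    # All remaining PHP (front end of the site).
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}
```

The ordering rules this relies on: nginx picks the longest matching prefix location first, and if that location is marked `^~` it skips the regex locations entirely; an `=` exact match wins over everything. Method #2 failed because its regex location for `wp-admin|wp-login\.php` matched before the plain prefix location for admin-ajax.php was considered, and because neither location had a `fastcgi_pass`. Check with `nginx -t` before reloading, and expect a 403 from the allowlisted paths when testing from outside 203.0.113.0/24.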
