When you set up your WordPress website online, almost immediately you will begin to see bots and scanners loading your wp-admin.php file. This is an attempt to gain access to your admin dashboard and is known as a brute-force attack. This is the most commonly used attack on the Internet today. It tries usernames and passwords, over and over again, until it gets a successful login. In most cases, this will never work. However, if you use admin as your username with a simple-to-guess password, then the likelihood that this attack working on your site is high. Due to the nature of these attacks, you may find your server’s resources being used up causing performance problems. This is because the number of HTTP requests is so high that the servers run out of resources. You will have to increase your server resources to be able to withstand more of these. When you using Nginx, you can stop these attacks quickly by restricting the admin login page to only approved IP addresses. The steps below will show you how to do that. To get started with restricting the WordPress admin page via IP address, follow the steps below:

Setup WordPress on Nginx

For this tutorial, we’re going to be using an Ubuntu host with an Nginx HTTP server running WordPress. We’re not going to show how to install Nginx and how to set up WordPress. You can find tutorials about Nginx and WordPress by searching this site. That being said, we set up Ubuntu with Nginx and installed WordPress with all the default settings.

Configure Nginx

If you already have a working WordPress site running on Nginx, simply follow the steps below to get the WordPress admin dashboard restricted via IPs. For this tutorial, our WordPress VirtualHost file is at /etc/nginx/sites-available/default Run the commands below to open the VirtualHost file. Then copy and block below and paste it into the server block as shown below: The code above lists allowed IP addresses. These are the IPs that should be allowed to access the admin dashboard. We’re also using PHP7.4-FPM with WordPress. Our error_page is a custom page that has a brief HTML syntax. An example page is below: sudo nano /var/www/html/blocked.html Now, copy the block code above and paste it into your working WordPress server block. Save the file and exit. Restart Nginx. Now go and test. The next time an IP that is not approved tries to log on to the admin portal then will get a message shown in the blocked.html file above. That’s it! Conclusion: This post showed you how to restrict the WordPress admin portal to only approved IP addresses. If you find any error above, please use the comment form below to report it. You may also like the post below: