
Limit Access to wp-admin Based on IP

How to limit access to wp-admin and wp-login.php based on IP address with an Nginx configuration file.

Limiting access to wp-admin based on IP address can be achieved with an Nginx configuration file. Create a new file with a .conf extension in the /data/wordpress/nginx/ directory on the server, with the following two location blocks:

location ~ /wp-login.php {

    # Allow Seravo monitoring
    include /data/wordpress/nginx/seravo-monitoring.rules;

    # Allow Seravo cluster IPs
    include /data/wordpress/nginx/seravo-cluster-ip-list.rules;

    # List of allowed IPs
    include /data/wordpress/nginx/allowed-ip-list.rules;

    # Deny everything else for this location
    deny all;

    # Pass valid requests to PHP-FPM
    include /data/wordpress/nginx/pass-php-fpm.rules;
}

# PHP files under wp-admin (static assets in that directory are served by the
# normal rules). Note that admin-ajax.php lives under wp-admin too, so front-end
# features that call it are also denied for addresses outside the allow lists.
location ~ ^/wp-admin/.*\.php$ {

    # Allow Seravo monitoring
    include /data/wordpress/nginx/seravo-monitoring.rules;

    # Allow Seravo cluster IPs
    include /data/wordpress/nginx/seravo-cluster-ip-list.rules;

    # List of allowed IPs
    include /data/wordpress/nginx/allowed-ip-list.rules;

    # Deny everything else for this location
    deny all;

    # Pass valid requests to PHP-FPM
    include /data/wordpress/nginx/pass-php-fpm.rules;
}

Allow our monitoring to access the site by creating the seravo-monitoring.rules file:

allow 94.237.85.150;
allow 2a04:3542:1000:910:7c25:3fff:fe79:23da;

Allow our cluster IP addresses to access the site by creating the seravo-cluster-ip-list.rules file. You can get the list of cluster IP addresses with the command srv system metadata:

allow 95.217.75.239;
allow 2a01:4f9:4a:1b50::2;

Create the allowed-ip-list.rules file and list the IP addresses that you wish to grant access, one allow directive per address or CIDR range:

allow <your IP address>;
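Before restarting Nginx it is worth checking that your own address will actually be let through. The script below is an added example, not Seravo's code: it parses the three .rules files in the order the wp-login.php location block includes them, appends the final deny all, and applies Nginx's evaluation rule for access directives (they are checked in order and the first match decides). The file contents are embedded inline; the monitoring and cluster addresses are the ones shown above, while 203.0.113.0/24 is a constructed placeholder for an office range.

```python
"""Added example: simulate Nginx allow/deny evaluation for the wp-login.php
location above. Not Seravo's code; rule contents are embedded inline."""
import ipaddress
import re

# Constructed copies of the three .rules files, in include order.
SERAVO_MONITORING_RULES = """
allow 94.237.85.150;
allow 2a04:3542:1000:910:7c25:3fff:fe79:23da;
"""
SERAVO_CLUSTER_IP_LIST_RULES = """
allow 95.217.75.239;
allow 2a01:4f9:4a:1b50::2;
"""
ALLOWED_IP_LIST_RULES = """
# office range -- constructed placeholder, replace with your own address(es)
allow 203.0.113.0/24;
"""

# One access directive per line: "allow <addr>;" / "deny <addr>;" / "deny all;"
ACCESS_DIRECTIVE = re.compile(r"^\s*(allow|deny)\s+(\S+?)\s*;")


def parse_rules(text):
    """Return [(action, network_or_None)] in file order; 'all' maps to None."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = ACCESS_DIRECTIVE.match(line)
        if not m:
            continue
        action, target = m.groups()
        if target == "all":
            rules.append((action, None))
        else:
            # strict=False lets a plain host address double as a /32 or /128 network
            rules.append((action, ipaddress.ip_network(target, strict=False)))
    return rules


def wp_login_rules():
    """The directive list the location block assembles, including the final deny all."""
    return (parse_rules(SERAVO_MONITORING_RULES)
            + parse_rules(SERAVO_CLUSTER_IP_LIST_RULES)
            + parse_rules(ALLOWED_IP_LIST_RULES)
            + [("deny", None)])


def decide(client_ip, rules):
    """Apply Nginx semantics: walk the rules in order, the first match decides.
    With no match at all Nginx allows the request, which is why the location
    block ends with an explicit deny all."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None:
            return action
        if ip.version == net.version and ip in net:
            return action
    return "allow"


if __name__ == "__main__":
    rules = wp_login_rules()
    for ip in ("94.237.85.150", "203.0.113.7", "198.51.100.9", "2001:db8::1"):
        print(f"{ip:>20} -> {decide(ip, rules)}")
```

Two things the simulation makes visible: with only allow directives followed by deny all, the order of the three include lines does not matter, but a deny placed before an allow for an overlapping range would win; and the match is made against the address Nginx sees as the client, so the address you test with must be the one Nginx receives, not an internal one behind NAT or a proxy.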

Create the pass-php-fpm.rules file to pass valid requests to PHP-FPM:

# Only run valid PHP files. Invalid PHP file calls get a 404 response from Nginx
# in a few milliseconds instead of a slow response from WordPress
try_files $uri =404;

# Fail over to the next backend if the first one fails
fastcgi_next_upstream error timeout invalid_header http_500 http_404;

# Only one backup FastCGI backend is defined, don't go further
fastcgi_next_upstream_tries 1;

# Send no-cache headers to the proxy cache if $nocache is set. This allows for
# simpler cache rules for the user
if ($nocache) {
    add_header Cache-Control "no-cache";
    add_header Cache-Control "no-store";
    add_header Pragma "expire";
    add_header Expires "0";
}

fastcgi_read_timeout 180;
fastcgi_pass $mode;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;

# Rate-limit requests using the loginflood zone (defined outside this file)
limit_req zone=loginflood nodelay burst=3;

After creating all the necessary files, run the wp-restart-nginx command to activate your changes.
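Once the restriction is active, the Nginx access log is the quickest way to confirm it is doing what you expect and to notice a colleague whose address you forgot to list. The script below is an added example, not part of Seravo's tooling: it reads access-log lines in the standard combined format, keeps only requests for wp-login.php and wp-admin, and reports per client address how many were denied (403) versus served. The log lines are constructed sample input using documentation address ranges; the location of the real log file on the server is not assumed, the function takes the log text as a string.

```python
"""Added example: summarise wp-admin / wp-login.php access by client address
from Nginx combined-format log lines. Not Seravo's code."""
import re
from collections import Counter, defaultdict

# Nginx "combined" format: ip - user [time] "METHOD path proto" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths the two location blocks cover (query string stripped before matching)
ADMIN_PATH = re.compile(r"^/(wp-login\.php|wp-admin(/|$))")

# Constructed sample log; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
# are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:01:12 +0200] "GET /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:01:20 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:09:02:05 +0200] "POST /wp-login.php HTTP/1.1" 403 169 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:09:02:06 +0200] "POST /wp-login.php?action=lostpassword HTTP/1.1" 403 169 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:09:02:07 +0200] "GET /wp-admin/ HTTP/1.1" 403 169 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:03:00 +0200] "GET /blog/ HTTP/1.1" 200 8823 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:09:04:00 +0200] "GET /wp-admin/ HTTP/1.1" 403 169 "-" "Mozilla/5.0"
"""


def summarize(log_text):
    """Map client ip -> {status: count} for admin-area requests only."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # not a combined-format line
        path = m.group("path").split("?", 1)[0]
        if not ADMIN_PATH.match(path):
            continue                      # front-end traffic, not covered by the rules
        per_ip[m.group("ip")][m.group("status")] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}


def denied_only(log_text):
    """Addresses that hit the admin area and were never let through.
    A repeat offender here is the rule working as intended; a single address
    that belongs to a colleague means allowed-ip-list.rules is missing an entry."""
    result = {}
    for ip, statuses in summarize(log_text).items():
        denied = statuses.get("403", 0)
        served = sum(n for s, n in statuses.items() if s != "403")
        if denied and not served:
            result[ip] = denied
    return result


if __name__ == "__main__":
    for ip, statuses in summarize(SAMPLE_LOG).items():
        print(ip, statuses)
    print("denied only:", denied_only(SAMPLE_LOG))
```

Feed the script real log text (for example the output of tail on the site's access log) and compare the denied-only list against the addresses in allowed-ip-list.rules; any address that should be on the list but appears as denied-only is the one to add before users start reporting lockouts.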

Login Page Restriction Based on Location

It is also possible to set a location-based restriction for the WordPress login page. Edit the country codes in the example below to implement the desired restriction.

location ~ /wp-login.php {

    # Deny the request unless the X-Seravo-Geo-Country-Code request header
    # carries one of the listed two-letter country codes
    if ($http_x_seravo_geo_country_code !~* "(FI|SE|ES)") {
        return 403;
    }

    # Pass valid requests to PHP-FPM
    include /data/wordpress/nginx/pass-php-fpm.rules;
}

Warning!

Seravo's monitoring also checks the login page, so restrictions you set may interfere with it doing so. Be sure to allow our monitoring access to the site whenever you set restrictions.

Since country-specific restrictions may also prevent legitimate users from accessing the site, we instead recommend installing a reCaptcha plugin and making use of two-factor authentication when logging in.
