Protect WordPress Login page and admin panel

If you run a WordPress site and have any knid of network monitoring you’ll see endless brute force attempts on your login page.

A strong password will only do so much, so really you want the login page to only be available to legitimate IP adresses.

This is easy to achieve and offers great protection as if someone requests the login page but they are not connecting from a listed IP the page will not show.

First we need to go to our active config file. On LEMP running wordpress we go to.

sudo nano /etc/nginx/sites-enabled/wordpress

Then we add the following to our server block in its own location container. (Replace 11.11.11.111 with your own IP)

location ~ ^/(wp-admin|wp-login.php){

allow 11.11.11.111;

deny all;}

And that’s it. You can access your login page and admin panel, but it’s not vailable to the rest of the internet. If your site is not using https then you should seriously consider setting up a VPN to login and administer your site.