Cannot block IP access to wp-login.php



I’m experiencing attacks on wp-login.php, so I decided to protect it. Here is the code:

# Block wp-admin or wp-login.php from all but our IPs
location ~ ^/(wp-admin|wp-login.php) {
    allow x.x.x.x;
    deny all;
}

I placed this code in /etc/nginx/common/locations.conf.

It protects the wp-admin directory OK, but the protection of wp-login.php doesn’t work. It allows me to access wp-login.php whatever IP I use. Any ideas?


I personally use fail2ban to do this. There is a plugin you install into WordPress and it creates the relevant log entries on the system, and fail2ban picks it up and bans the IP as you tell it to: 10 min, 1 hour, 10 hours, whatever.

Let us know how it goes.


I prefer just to protect wp-login.php for a specific IP; it should be a simple solution (if it works :wink:). Unfortunately it doesn’t :frowning:


Looks like you may have used our solution from Where to white list wp-admin / wp-login to specifc ips

BUT, there’s one additional step. We had to mod wpcommon.conf and insert our block in a few places. Instead of adding a bunch of lines / blocks, we did an include. It isn’t ideal, but it works.

# Limit access to avoid brute force attack
location = /wp-login.php {
        ## 04/08/2015 - Edwards, David - Mod to restrict wp admin
        include /etc/nginx/common/wp-restrict-admin-ip.conf;
        ## End restrict mod
        limit_req zone=one burst=1 nodelay;
        include fastcgi_params;
        fastcgi_pass php;
}
## 04/08/2015 - Edwards, David - Mod to restrict wp admin
## New blocks
location ~ ^wp-admin {
  include /etc/nginx/common/wp-restrict-admin-ip.conf;
}

location ~* ^/wp-admin/admin-ajax.php$ {
  allow all;
}
location ~* ^/wp-admin/.*\.php {
  include /etc/nginx/common/wp-restrict-admin-ip.conf;
}

## End New Blocks


And note, wp-restrict-admin-ip.conf contains all the allows with a final deny. For example,

#Our WAN
allow x.x.x.x;
#Remote Site 1
allow x.x.x.x;
#Remote Site 2
allow x.x.x.x;
deny all;

In order to make this work properly with ee, we had to insert that in a few places in the wpcommon.conf, so we just listed the IPs in one file and included it where we needed to.

I believe yours isn’t working because the std ee limit brute force in wpcommon.conf is hit before your locations.conf directives.
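
The precedence issue described above, as an added example that is not part of the original post or of EasyEngine: a simplified Python model of nginx's location selection order (exact `=` first, then a `^~` prefix, then regexes in file order, then the longest prefix). The location table is constructed from the blocks quoted in this thread; nested locations and the rest of the ee configuration are not modelled.

```python
import re

# Constructed sample: (modifier, pattern, source file, carries allow/deny?).
# The "=" block is the stock one from wpcommon.conf; the regex block is the
# one from the question, placed in locations.conf.
LOCATIONS = [
    ("=", "/wp-login.php", "wpcommon.conf", False),
    ("~", r"^/(wp-admin|wp-login.php)", "locations.conf", True),
    ("", "/", "site default", False),
]

def select_location(uri, locations=LOCATIONS):
    """Return the block nginx would pick for uri (simplified model)."""
    # 1. An exact "=" match wins immediately; nothing else is consulted.
    for loc in locations:
        if loc[0] == "=" and loc[1] == uri:
            return loc
    # 2. Remember the longest matching prefix; "^~" skips the regex search.
    prefixes = [l for l in locations
                if l[0] in ("", "^~") and uri.startswith(l[1])]
    best = max(prefixes, key=lambda l: len(l[1]), default=None)
    if best and best[0] == "^~":
        return best
    # 3. Regex locations are tried in configuration order; first match wins.
    for loc in locations:
        if loc[0] in ("~", "~*"):
            flags = re.IGNORECASE if loc[0] == "~*" else 0
            if re.search(loc[1], uri, flags):
                return loc
    # 4. Otherwise fall back to the longest prefix match.
    return best

def is_ip_restricted(uri, locations=LOCATIONS):
    """True if the selected block is one that carries the allow/deny list."""
    chosen = select_location(uri, locations)
    return bool(chosen and chosen[3])

if __name__ == "__main__":
    for uri in ("/wp-login.php", "/wp-admin/", "/index.php"):
        mod, pat, src, restricted = select_location(uri)
        print(f"{uri:16} -> location {mod} {pat} ({src}) restricted={restricted}")
```

On a live server, `nginx -T` dumps the merged configuration, which shows every `location` block that competes for a given URI.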


I prefer to install WPS Hide Login and “rename” wp-login.php to something else I’m the only one who knows.

And using fail2ban I block every single IP that tries to connect to wp-login.php (using it as a honeypot, in other words). It works for me.


Hey @janiosarmento,

When you rename wp-login.php, is there anything else you have to do?

Would renaming wp-login.php to something.php break other files that call wp-login.php as a reference?


I just install WPS Hide Login and forget about it. I never had any issues, and neither have my customers.

Of course your mileage may vary, but you should give it a try in order to find your answers. :slight_smile:


What is the fail2ban jail configuration you use? Can you share it?


There are tutorials on blocking login attempts, but how do you block someone who even just accesses the URL wp-login.php?