Unable to restrict access by "location / "

I set up a dev environment using the latest ee version. When I attempted to lock down who can access the site by IP #'s, I am getting blocked myself.

I modified the file here /etc/nginx/common/locations.conf

The block I added was ( I am not showing my real IP numbers below )

location / {
    # allow lines with the real IP numbers are not shown
    deny  all;
}

Is this the proper file to make the change?

The dev environment only has one WordPress site located at /var/www/plap

Thank you.

There doesn’t seem to be an issue with the order of the allow/deny rules (as long as the IPs are correct). But /etc/nginx/common/locations.conf is not the file you should be modifying (it will be overwritten every time there’s an update to EE).

Put the location block in the server block of the relevant vhost file, e.g. I only allow certain IP addresses to access /wp-admin/ on a lot of the WordPress sites on my server thus:

    server {

        location ~* ^/(wp-admin) {
            # allow lines for the permitted IP addresses are not shown
            deny all;
        }
    }


Whether this fixes your issue though…

Thanks for the reply.

Before I posted, I initially put the location here but nginx complained about a duplicate location.


This is what I had.

server {

    server_name plap.com   www.plap.com;

    access_log /var/log/nginx/plap.com.access.log rt_cache;
    error_log /var/log/nginx/plap.com.error.log;

    root /var/www/plap.com/htdocs;

    index index.php index.html index.htm;

    include common/wpfc.conf;
    include common/wpcommon.conf;
    include common/locations.conf;
    include /var/www/plap.com/conf/nginx/*.conf;

    location / {
        deny all;
    }
}

Error message given is

nginx: [emerg] duplicate location "/" in /etc/nginx/sites-enabled/plap.com:28
nginx: configuration file /etc/nginx/nginx.conf test failed

When I pasted this instead it didn’t complain though.

location ~* ^/(wp-admin) { allow; deny all; }

Maybe I am using the wrong approach to block total access to the WordPress site by only allowing certain IP numbers.

‘location /’ is being defined in the ‘common/wpfc.conf’ file as well as the vhost file, hence the duplication error.

You’re probably better off password-protecting the whole site by creating a .htpasswd file and placing it in /var/www/plap.com/htdocs, then creating an nginx.conf file and putting it in the /var/www/plap.com/conf/nginx directory, which is included by this line in the vhost file: include /var/www/plap.com/conf/nginx/*.conf. Add the following to the nginx.conf file:

auth_basic "Password Protected Site - Under Development";
auth_basic_user_file /var/www/plap.com/.htpasswd;

There are plenty of how-to’s available on how to create the .htpasswd file, here’s a good one:


Another option for WordPress sites is to use 10up’s Restricted Site Access plugin:

It hasn’t been updated in a while but works fine and was created by a reputable company in the WordPress ecosphere.

This plug-in didn’t work with the latest WordPress version. I implemented your nginx solution and it worked like a charm.

Glad I could help.

I just checked the Restricted Site Access plugin and you’re right, it doesn’t seem to work with the latest version of WordPress. I’ve removed it from installs on my server - I prefer the password-protection system of dev sites anyway, because at least you know it’s working (you’re asked for a password every time).
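
An added example, not written by any poster in this thread: the IP restriction from the original question placed at server level, so no second `location /` is declared, combined with the basic-auth directives suggested above. The file name `restrict.conf` and the addresses are placeholders chosen for illustration.

```nginx
# Added example. Save as /var/www/plap.com/conf/nginx/restrict.conf
# (hypothetical file name); the vhost already pulls it in through
#   include /var/www/plap.com/conf/nginx/*.conf;
# so the directives below land inside the server block, not inside a location.

# Grant access if EITHER the address check OR the password check passes.
# Change to "satisfy all;" to require an allowed address AND a password.
satisfy any;

# Address allowlist. 192.0.2.10 and 198.51.100.0/24 are documentation
# placeholders (RFC 5737); replace them with the real client addresses.
allow 192.0.2.10;
allow 198.51.100.0/24;
deny  all;

# Everyone outside the allowlist is asked for a password instead.
auth_basic           "Password Protected Site - Under Development";
auth_basic_user_file /var/www/plap.com/.htpasswd;

# Inheritance caveat: these settings flow down to "location /" and the
# other locations from the included common/*.conf files only where those
# locations set no allow/deny or auth_basic of their own. A location that
# declares its own access rules replaces the server-level ones.
```

Run `nginx -t` before reloading, as in the test output quoted earlier in the thread, to confirm the file parses and introduces no duplicate location.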