Controlling Access to the WordPress Dashboard with NGINX

The file and directory below are the targets for restricting access to the admin screens:

  • /wp-login.php
  • /wp-admin/ (except admin-ajax.php, which the public side of the site also calls and must stay reachable)

Nginx, as used in the Amimoto AMI, does not read .htaccess files, so the restriction goes into /etc/nginx/conf.d/default.conf (or /etc/nginx/conf.d/example.com.conf).
Only the root user can edit that file, so switch to root first with su -.

server {
    listen      80 default;
    server_name _;
    root        /var/www/vhosts/example.com;
    index       index.html index.htm;
    charset     utf-8;
    access_log  /var/log/nginx/example.com.access.log  main;
    error_log   /var/log/nginx/example.com.error.log;

    include     /etc/nginx/drop;

    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    #rewrite ^(.*)(index|home|default)\.html? $1 permanent;

    set $mobile '';
    #include /etc/nginx/mobile-detect;

    location ~* ^/wp-(content|admin|includes) {
        index   index.php index.html index.htm;
        if ($request_filename ~ .*\.php) {
            break;
            proxy_pass http://backend;
        }
        include /etc/nginx/expires;
    }

    #location ~* \.(js|css|html?|xml|gz|jpe?g|gif|png|swf|wmv|flv|ico)$ {
    #    index   index.html index.htm;
    #    include /etc/nginx/expires;
    #}

    location / {
        if ($request_filename ~ .*\.php) {
            break;
            proxy_pass http://backend;
        }
        include /etc/nginx/expires;
        set $do_not_cache 0;
        if ($http_cookie ~* "comment_author_|wordpress_(?!test_cookie)|wp-postpass_" ) {
            set $do_not_cache 1;
        }
        if ($request_method = POST) {
            set $do_not_cache 1;
        }
        proxy_no_cache     $do_not_cache;
        proxy_cache_bypass $do_not_cache;
        proxy_redirect     off;
        proxy_cache        czone;
        proxy_cache_key    "$scheme://$host$request_uri$mobile";
        proxy_cache_valid  200 0m;
        proxy_pass http://backend;
    }

    #
    # When you use phpMyAdmin, uncomment the line "include /etc/nginx/phpmyadmin;"
    # and delete or comment out the below line "location ~* /(phpmyadmin|myadmin|pma) { }".
    #
    #include     /etc/nginx/phpmyadmin;
    location ~* /(phpmyadmin|myadmin|pma) {
        access_log off;
        log_not_found off;
        return 404;
    }

    #
    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

Control by IP address

Add the block below at around line 20, just above the first line beginning with "location". The position matters: nginx uses the first regex location that matches, so this block must appear before the existing location ~* ^/wp-(content|admin|includes) block, otherwise that block wins and the restriction is never applied.

location ~* /wp-login\.php|/wp-admin/((?!admin-ajax\.php).)*$ {
    index index.php index.html index.htm;

    # Allowing IP addresses
    allow 192.168.0.1;
    deny all;

    if ($request_filename ~ .*\.php) {
        break;
        proxy_pass http://backend;
    }
    include /etc/nginx/expires;
}

Replace 192.168.0.1 with the address your own requests actually arrive from, and add one allow line per address or range (CIDR notation, e.g. allow 203.0.113.0/24;, is accepted), keeping deny all; as the last rule. Any other address receives 403 Forbidden. Note that allow/deny check the connecting address: if the server sits behind a load balancer or CDN, nginx sees the proxy's address rather than the visitor's, and the rule will not behave as intended.

Control with Basic authentication

First, create the .htpasswd file.
Log in over SSH and switch to root with su -.

Create .htpasswd under /etc/nginx/conf.d/. Assuming the Basic authentication user is "wpbasic", run the command below (htpasswd ships with Apache's httpd-tools package, called apache2-utils on Debian-based systems, if it is not already installed):

# htpasswd -c /etc/nginx/conf.d/.htpasswd wpbasic

It then prompts for the new password and asks you to confirm it:

New password:
Re-type new password:

On success it prints "Adding password for user wpbasic". The -c flag creates the file, overwriting any existing one, so omit it when adding further users later. Keep in mind that Basic authentication sends the password, merely base64-encoded, with every request; it only protects the login if the site is served over HTTPS.

Next, add the block below at around line 20 (just above the first line beginning with "location") of /etc/nginx/conf.d/default.conf (or /etc/nginx/conf.d/example.com.conf). As with the IP rule, it must precede the existing location ~* ^/wp-(content|admin|includes) block, because nginx applies the first matching regex location.

location ~* /wp-login\.php|/wp-admin/((?!admin-ajax\.php).)*$ {
    index index.php index.html index.htm;

    # Message of Basic authentication
    auth_basic "Please enter your ID and password";
    # path to .htpasswd file
    auth_basic_user_file /etc/nginx/conf.d/.htpasswd;

    if ($request_filename ~ .*\.php) {
        break;
        proxy_pass http://backend;
    }
    include /etc/nginx/expires;
}

Finally, check the configuration for syntax errors with # nginx -t, then restart Nginx with # service nginx restart so the new settings are loaded.
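As an added check, not part of the original page or of Amimoto, the Python script below evaluates the location regex used by both the IP rule and the Basic authentication block against sample request paths, so you can see offline which URIs the restriction covers (and which it does not, including the admin-ajax.php exemption) before touching the live server. It can also probe a running site for the status codes it returns. The sample paths are constructed for this example and the probe's base URL is supplied by the caller; nginx evaluates ~* locations with PCRE, and Python's re module handles this particular pattern identically.

```python
import re
import sys
import urllib.error
import urllib.request

# The pattern from the location blocks above. nginx's "~*" modifier makes the
# match case-insensitive, and the regex is unanchored, so it is tested with
# search(), not match(). Locations are matched against the normalized $uri,
# which carries no query string.
ADMIN_LOCATION = re.compile(
    r"/wp-login\.php|/wp-admin/((?!admin-ajax\.php).)*$", re.IGNORECASE
)


def is_restricted(uri):
    """True if nginx would route this normalized URI into the protected
    location, i.e. the allow/deny or auth_basic rules apply to it."""
    return ADMIN_LOCATION.search(uri) is not None


def classify(uris):
    """Map each sample URI to whether the restriction covers it."""
    return {uri: is_restricted(uri) for uri in uris}


# Constructed sample request paths (not taken from the original page).
SAMPLE_URIS = [
    "/wp-login.php",                 # login form: covered
    "/WP-LOGIN.PHP",                 # case-insensitive: covered
    "/wp-admin/",                    # dashboard index: covered
    "/wp-admin/post.php",            # any other admin script: covered
    "/wp-admin/admin-ajax.php",      # the intended exemption: not covered
    "/wp-admin/js/admin-ajax.php",   # any admin path ending in admin-ajax.php
                                     # is also exempt, a side effect to know about
    "/wp-admin",                     # no trailing slash: not matched here, but the
                                     # rewrite near the top redirects it to /wp-admin/
    "/wp-content/uploads/a.png",     # public assets: not covered
    "/index.php",                    # front end: not covered
]


def probe(base_url, paths=("/wp-login.php", "/wp-admin/", "/wp-admin/admin-ajax.php")):
    """Fetch each path from a live site and return the HTTP status per path.
    Once the config is live, the first two should answer 403 (IP rule) or 401
    (auth_basic), while admin-ajax.php gets WordPress's own response rather
    than a 401/403. base_url is a caller-supplied assumption, e.g.
    http://example.com."""
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            results[path] = err.code   # 401/403 are raised, not returned
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # python3 check_wp_admin.py http://example.com
        for path, status in probe(sys.argv[1]).items():
            print(f"{status}  {path}")
    else:
        for uri, covered in classify(SAMPLE_URIS).items():
            print(f"{'restricted' if covered else 'open      '}  {uri}")
```

Run it with no arguments for the offline classification; pass the site's base URL to fetch the three paths and compare the status codes with what you expect from the rule you installed. If /wp-login.php comes back 200 from an address that should be denied, the most likely cause is that the new location block sits below the existing wp-(content|admin|includes) block and is never reached.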