PHP downloads instead of being served

Discussion in 'ISPConfig 3 Priority Support' started by molahs, Apr 26, 2021.

  1. molahs

    molahs Member HowtoForge Supporter

    I made some changes in Options tab, nginx Directives, to restrict access to wordpress wp-login.php as follows:
    location / {
        try_files $uri $uri/ /index.php?$args;
        location ~ ^/wp-login.php {
            allow 1.2.4.5;
            allow 11.22.33.44;
            deny all;
            access_log off;
            log_not_found off;
        }
    }
    When I visit the ..../wp-admin/ page, the wp-login.php file downloads instead of being executed.

    I also tried using this in the nginx Directives:
    location ~ ^/(wp-admin|wp-login.php) {
        try_files $uri $uri/ /index.php?$args;
        index index.php;
        allow 1.2.4.5;
        allow 11.22.33.44;
        deny all;
    }
    which works for blocking access to /wp-admin/, but if someone enters ..../wp-login.php they still see the login screen.

    The reason for the IP lock is that some of the sites I host are constantly being attacked and I want to reduce the attack surface. I have other protection like wordfence etc.

    But would love to be able to block certain sections of the site using IP addresses.
    Thanks in advance.
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    You should allow access to wp-ajax.php, most plugins and themes will break with that blocked.
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I don't use NGINX, but I think you would have to add some fastcgi variables for this block.
    I think it would be better to use a WordPress plugin to restrict access to certain IPs. I think WordFence has such an option: https://www.wordfence.com/help/firewall/options/
    (and if not, there will be plenty of plugins that do)
     
  4. molahs

    molahs Member HowtoForge Supporter

    I am just restricting access to the login page, not the whole site, so this should work exactly like I plan to, as soon as I can figure out why the PHP downloads and does not execute.
     
  5. molahs

    molahs Member HowtoForge Supporter

    Problem is that I have many websites and wordfence is cost prohibitive. I can block access to /wp-admin/ without a problem, but these automated systems access wp-login.php directly.
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    https://wordpress.org/plugins/secure-admin-ip/
     
  7. molahs

    molahs Member HowtoForge Supporter

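Added example, not part of the thread and not ISPConfig's own configuration: one way to keep the IP restriction on wp-login.php while still handing the request to PHP-FPM, which is the missing piece Th0m points to in post 3. The `{FASTCGIPASS}` placeholder and the `/etc/nginx/fastcgi_params` path are assumptions about an ISPConfig 3 / Debian-style setup; the IP addresses are the ones from the first post.

```nginx
# nginx serves a request from exactly one location block. A block that
# matches wp-login.php but has no fastcgi_pass returns the file as static
# content, which the browser offers as a download. The block below therefore
# carries both the access rules and the PHP handler.

# Exact match: takes precedence over the site's generic regex PHP location.
location = /wp-login.php {
    # Access control, evaluated before the request reaches PHP-FPM.
    allow 1.2.4.5;
    allow 11.22.33.44;
    deny all;

    # Do not pass requests for a missing script to PHP.
    try_files $uri =404;

    # Assumed path (Debian/Ubuntu default location of the parameter file).
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    # Assumption: in the ISPConfig "nginx Directives" field this placeholder
    # is expanded to the fastcgi_pass line for this site's PHP-FPM pool.
    # On a hand-written vhost, replace it with the site's own line, e.g.
    #   fastcgi_pass unix:/path/to/this-sites-php-fpm.sock;   (placeholder path)
    {FASTCGIPASS}
}
```

After reloading nginx, a request to /wp-login.php from an address outside the allow list should return 403, and one from an allowed address should return the rendered login page rather than the PHP source.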