
Controlling Access to the WordPress Dashboard with NGINX

The file and directory below are the targets for restricting access to the admin dashboard.

  • /wp-login.php
  • /wp-admin/ (except for admin-ajax.php, which themes and plugins call from the public side of the site and so has to stay reachable)
  • The Nginx used in the Amimoto AMI can’t handle .htaccess, so you need to edit /etc/nginx/conf.d/default.conf (or /etc/nginx/conf.d/example.com.conf).
    Only the root user can edit the file, so switch to root with su - first.

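    # Front-end virtual host. Requests for .php files are handed to the
    # "backend" upstream (defined outside this listing).
    server {
        listen      80 default;
        server_name _;
        root        /var/www/vhosts/example.com;
        index       index.html index.htm;
        charset     utf-8;
        access_log  /var/log/nginx/example.com.access.log  main;
        error_log   /var/log/nginx/example.com.error.log;

        # Contents of this include are not shown in this listing.
        include     /etc/nginx/drop;

        # Redirect /wp-admin to /wp-admin/ (adds the trailing slash).
        rewrite /wp-admin$ $scheme://$host$uri/ permanent;
        #rewrite ^(.*)(index|home|default)\.html? $1 permanent;

        set $mobile '';
        #include /etc/nginx/mobile-detect;

        # Regex locations are tried in file order and the first match wins,
        # so an access-control location for wp-login.php / wp-admin has to be
        # placed above this one to take effect.
        location ~* ^/wp-(content|admin|includes) {
            index   index.php index.html index.htm;
            # .php requests go to the backend; other files here are served
            # from "root" with the expires settings below.
            if ($request_filename ~ .*\.php) {
                break;
                proxy_pass http://backend;
            }
            include /etc/nginx/expires;
        }

        #location ~* \.(js|css|html?|xml|gz|jpe?g|gif|png|swf|wmv|flv|ico)$ {
        #    index   index.html index.htm;
        #    include /etc/nginx/expires;
        #}

        location / {
            if ($request_filename ~ .*\.php) {
                break;
                proxy_pass http://backend;
            }
            include /etc/nginx/expires;

            # Never cache or serve from cache when the request carries a
            # comment-author cookie, a wordpress_* cookie other than
            # wordpress_test_cookie, or a post-password cookie, or when it is
            # a POST. This keeps per-user responses out of the shared cache.
            set $do_not_cache 0;
            if ($http_cookie ~* "comment_author_|wordpress_(?!test_cookie)|wp-postpass_" ) {
                set $do_not_cache 1;
            }
            if ($request_method = POST) {
                set $do_not_cache 1;
            }
            proxy_no_cache     $do_not_cache;
            proxy_cache_bypass $do_not_cache;
            proxy_redirect     off;
            # Cache zone "czone" is defined outside this listing.
            proxy_cache        czone;
            # $mobile is part of the key; it is set to '' above.
            proxy_cache_key    "$scheme://$host$request_uri$mobile";
            proxy_cache_valid  200 0m;
            proxy_pass http://backend;
        }

        #
        # When you use phpMyAdmin, uncomment the line "include /etc/nginx/phpmyadmin;"
        # and delete or comment out the below line "location ~* /(phpmyadmin|myadmin|pma) { }".
        #
        #include     /etc/nginx/phpmyadmin;
        # Answer 404 for common phpMyAdmin paths and keep them out of the logs.
        location ~* /(phpmyadmin|myadmin|pma) {
            access_log off;
            log_not_found off;
            return 404;
        }

        #
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    }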

    Control with IP addresses.

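    Add the code below around line 20 (just above the first line beginning with “location”). Nginx tries regular-expression locations in the order they appear and uses the first one that matches, so this block only takes effect if it comes before the existing wp-admin location: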

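    # Restrict the login page and the dashboard to an IP allowlist.
    # Must sit above "location ~* ^/wp-(content|admin|includes)": regex
    # locations are tried in file order and the first match wins.
    # The lookahead exempts only a URI that ends in exactly
    # /wp-admin/admin-ajax.php. Every other path under /wp-admin/ stays
    # restricted, including paths that merely contain that file name.
    location ~* /wp-login\.php|/wp-admin/(?!admin-ajax\.php$) {
        index index.php index.html index.htm;

        # Allowing IP addresses: one "allow" line per address, then refuse the rest.
        # NOTE(review): allow/deny test the connecting address. Behind a load
        # balancer or CDN that is the proxy's address unless the client IP is
        # restored (ngx_http_realip_module); confirm for your deployment.
        allow 192.168.0.1;
        deny all;

        if ($request_filename ~ .*\.php) {
            break;
            proxy_pass http://backend;
        }
        include /etc/nginx/expires;
    }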

    Add one allow line for each permitted IP address, for example allow 192.168.0.1;, and keep them above deny all;.

    Control with the basic authentication

    First, create a .htpasswd file.
    To do so, log in with SSH and switch to the root user with su -.

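    Create .htpasswd at /etc/nginx/conf.d/. Assuming the Basic authentication user is “wpbasic”, enter the command below. (The -c option creates the file and overwrites an existing one, so leave it out when adding further users later.)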

    # htpasswd -c /etc/nginx/conf.d/.htpasswd wpbasic

    Then it will prompt you to enter a new password and enter it again.

    New password:
    Re-type new password:

    After that, the message “Adding password for user wpbasic” will be displayed.

    Once the file has been created, add the code below at around line 20 (just above the first line beginning with “location”, so that it is matched before the existing wp-admin location) of /etc/nginx/conf.d/default.conf (or /etc/nginx/conf.d/example.com.conf)

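    # Require HTTP Basic authentication for the login page and the dashboard.
    # Must sit above "location ~* ^/wp-(content|admin|includes)": regex
    # locations are tried in file order and the first match wins.
    # The lookahead exempts only a URI that ends in exactly
    # /wp-admin/admin-ajax.php. Every other path under /wp-admin/ stays
    # protected, including paths that merely contain that file name.
    location ~* /wp-login\.php|/wp-admin/(?!admin-ajax\.php$) {
        index index.php index.html index.htm;

        # Message of Basic authentication
        # NOTE(review): Basic authentication sends the password base64-encoded,
        # not encrypted, with every request. The server block on this page
        # listens on plain HTTP (port 80), so serve these paths over TLS.
        auth_basic "Please enter your ID and password";
        # path to .htpasswd file; keep it readable by the nginx worker user
        # only, not world-readable
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd;

        if ($request_filename ~ .*\.php) {
            break;
            proxy_pass http://backend;
        }
        include /etc/nginx/expires;
    }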

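    Finally, to load the new settings, restart Nginx by running # service nginx restart. Running # nginx -t first checks the edited configuration for syntax errors before the restart.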