Restricting access to your admin panel

If you're managing a website, you will definitely know about hackers trying to brute-force your login page to gain access. When brute-forcing your login page, every try is an unwanted request to your website, using resources you don't want them to use. A really simple way to get rid of them is restricting access to your admin page using nginx.

In the guide below, I'll show you how you can easily restrict access by checking on an IP range, or even a specific IP address. Please note that when you restrict access this way, you won't be able to reach your own admin panel if your IP address ever changes. I don't recommend this way of restricting if your IP changes on a daily basis.

In the examples below, I will be blocking access to wp-admin, the dashboard of WordPress. Since it's just a path in the URL, you can easily replace wp-admin with your own dashboard URL.

Restricting access to the dashboard:

server {
    [...]

    # Place this block directly after the root/error_log rules and before the
    # generic "location ~ \.php$" block: nginx uses the first regex location
    # that matches, so the restriction has to come first.
    # No "$" at the end of the pattern: the restriction must cover every
    # dashboard URI (e.g. /wp-admin/index.php), not just "/wp-admin/" itself.
    location ~* ^/wp-(login\.php|admin/) {
        allow 1.2.3.4;        # a single IP address
        allow 1.2.3.0/24;     # a complete IP range (IPv4 prefixes go up to /32)
        deny all;

        # The PHP handling (fastcgi_pass etc.) of your regular .php location has
        # to be repeated here, otherwise requests that pass the check are served
        # as static files instead of being run by PHP.
        [...]
    }

    [...]
}
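To check who gets through before touching the live server, here is an added example (not part of the original post) that replays nginx's access rules for a dashboard request: the location regex `^/wp-(login\.php|admin/)` is matched case-insensitively against the URI without its query string, and the allow/deny list is evaluated in order with the first matching rule winning, exactly as nginx does. The addresses are constructed placeholders; the rule list and regex are assumed to mirror the config you deploy.

```python
import ipaddress
import re

# Constructed copy of the allow/deny rules from the nginx snippet (placeholder
# addresses). nginx evaluates them top to bottom; the first match decides.
RULES = [
    ("allow", "1.2.3.4"),
    ("allow", "1.2.3.0/24"),
    ("deny", "all"),
]

# Location regex from the snippet; the "~*" modifier makes it case-insensitive.
RESTRICTED = re.compile(r"^/wp-(login\.php|admin/)", re.IGNORECASE)


def parse_rules(rules):
    """Validate the rules the way "nginx -t" would: a bad CIDR is a config error."""
    parsed = []
    for action, cidr in rules:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown directive {action!r}")
        if cidr == "all":
            parsed.append((action, None))
        else:
            # strict=False tolerates host bits (1.2.3.4/24); an IPv4 prefix
            # longer than /32 such as 1.2.3.4/64 raises ValueError, like nginx.
            parsed.append((action, ipaddress.ip_network(cidr, strict=False)))
    return parsed


def is_allowed(client_ip, path, rules=RULES):
    """Return True if nginx would serve `path` to `client_ip` under the restriction."""
    uri = path.split("?", 1)[0]     # location matching ignores the query string
    if not RESTRICTED.match(uri):
        return True                 # not a dashboard URI: the restriction does not apply
    addr = ipaddress.ip_address(client_ip)
    for action, net in parse_rules(rules):
        if net is None or addr in net:
            return action == "allow"
    return True                     # no rule matched: nginx allows by default
```

Keep in mind that nginx matches these rules against the TCP peer address; behind a CDN or reverse proxy every visitor shows up with the proxy's address, so test with the address the server actually sees.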

Please note that when using this method, access to admin-ajax.php will also be blocked, which means that a lot of plugins can't connect with your WordPress installation anymore. To fix this, you should rewrite admin-ajax.php to another URL and rewrite it back server-side. But to be honest, I don't think that you should use admin-ajax.php in your front-end; it doesn't contain "admin" for nothing 😉

Rewriting admin-ajax.php to another URL:

/**
 * Rewrite the "admin-ajax" URL so front-end requests avoid the restricted
 * wp-admin path. Hooked on the "admin_url" filter, which passes the full
 * admin URL (for example https://example.com/wp-admin/admin-ajax.php).
 *
 * @param string $url The URL to rewrite.
 * @return string The rewritten URL.
 */
function rewrite_admin_ajax( $url ) {
    if ( preg_match( '/\/admin-ajax\.php$/', $url ) ) {
        return '/wp-ajax'; // matched by the nginx rule that rewrites it back
    }

    return $url;
}

add_filter( 'admin_url', 'rewrite_admin_ajax', 10, 1 );

Rewriting it back to admin-ajax.php on the server:

server {
    [...]

    # Restriction block from the snippet above
    [...]

    # Place directly after the restriction block. The rewrite uses "break" so
    # the rewritten URI stays inside this location: a plain server-level
    # "rewrite" would re-run location matching, and the restriction block
    # above would then deny /wp-admin/admin-ajax.php to everyone outside
    # the allow list.
    location = /wp-ajax {
        rewrite ^ /wp-admin/admin-ajax.php break;

        # Same PHP handling (fastcgi_pass etc.) as your regular .php location
        [...]
    }

    [...]
}

Don’t forget to always test your nginx configuration before restarting. You can test your nginx configuration using

$ sudo nginx -t

It should give an output similar to

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

After testing, restart nginx using

$ sudo service nginx restart

If you have other good practices for protecting your admin panel, please let me know and leave a comment below.

Have fun protecting your site!